
The SolarWinds Hack

By Hubert Yoshida posted 03-05-2021 18:34

In January, the United States went through a tremendous time of upheaval, with the soaring number
of deaths from the pandemic, political unrest, and racial discord. While all this was happening, we
now learn that the United States suffered the greatest cyberattack in history, one that had been
going on for nearly a year and whose full effects are not yet understood.

A group of hackers, likely from a foreign government, had gotten into a network management
company called SolarWinds and infiltrated its customers’ networks. This access was then used to
breach everything from Microsoft to US government agencies, including the US Treasury and
departments of Homeland Security, State, Defense, and Commerce. SolarWinds is a network
management software product that sits on your network, and it lets you know how things are
working and helps the network run smoothly. It is used by a large percentage of the biggest
companies in the United States and the biggest government agencies in the United States.

Somehow the attackers got into the code-building environment of SolarWinds, where they were
able to insert a backdoor into SolarWinds’ Orion network management software code through a
maintenance update. They did it in such a way that the insertion only happened when the code was
being compiled, at the last minute. So it was almost impossible to find, but once they were in there,
anybody who downloaded at least two recent updates of the Orion software downloaded this backdoor.
Once inside, the attackers could connect with the code and deploy additional code for further
exploitation. The hacked code was downloaded by 18,000 users, and at least 50 important customers,
including the U.S. State Department, Homeland Security, Treasury and other major parts of the
Government, were exposed.

This is known as a supply chain attack, where someone infiltrates your system through an outside
provider who has access to your system and/or data. In this case the outside provider was
SolarWinds. SolarWinds, itself, may have been infiltrated by an outside provider. Today, with
DevOps and open source, the opportunity for supply chain attacks has increased. Providers of outside
code are now having to provide digital certificates to authenticate their code.
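The customer-side half of that authentication, as an added example that is not code from the original post or from SolarWinds: the vendor signs a digest of each release with a private key, the customer pins the vendor's public key out of band, and any package whose bytes changed after signing is rejected before it is installed. The package layout, the names (`example-agent`, `SignUpdate`, `VerifyUpdate`) and the Ed25519 choice are all assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical release artifact carrying the vendor's detached
// signature. Constructed for this example; it is not any real vendor's format.
type UpdatePackage struct {
	Name      string
	Version   string
	Payload   []byte
	Signature []byte
}

// updateDigest binds the package name and version into the signed message so a valid
// signature cannot be moved onto a different package or re-labelled as another version.
func updateDigest(name, version string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write([]byte(version))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// SignUpdate is the vendor's release step: hash the artifact and sign the digest.
func SignUpdate(priv ed25519.PrivateKey, name, version string, payload []byte) UpdatePackage {
	digest := updateDigest(name, version, payload)
	return UpdatePackage{Name: name, Version: version, Payload: payload,
		Signature: ed25519.Sign(priv, digest)}
}

// ErrBadSignature is returned for any package that does not verify against the pinned key.
var ErrBadSignature = errors.New("update signature does not verify against pinned vendor key")

// VerifyUpdate is the customer's pre-install check. The public key is pinned out of band
// (shipped with the installer or fetched over a separate channel), never taken from the
// update itself, so an altered payload, name or version fails verification.
func VerifyUpdate(pinned ed25519.PublicKey, pkg UpdatePackage) error {
	digest := updateDigest(pkg.Name, pkg.Version, pkg.Payload)
	if !ed25519.Verify(pinned, digest, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	good := SignUpdate(priv, "example-agent", "2021.1", []byte("legitimate build bytes"))
	fmt.Println("genuine package:", VerifyUpdate(pub, good))

	// A package modified in transit or on a mirror after signing is rejected.
	tampered := good
	tampered.Payload = append(append([]byte{}, good.Payload...), []byte("+ injected code")...)
	fmt.Println("tampered package:", VerifyUpdate(pub, tampered))
}
```

The caveat a practitioner should keep in mind is that this check only proves the bytes are the ones the vendor signed. The post describes a backdoor inserted while the code was being compiled, that is, before signing, so the vendor's own signature would have covered the backdoored build; signature verification protects against downstream tampering, not against a compromised build pipeline.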

Although the government and cyber-sophisticated companies like Microsoft and Cisco had extensive
cyber detection tools, the SolarWinds hack went undetected for more than a year. (It didn’t help
that the U.S. Cyber Security Chief, Christopher Krebs, was fired during the U.S. elections in
November.) FireEye, a cyber security company, was the first to detect the hack when it noticed that
one of its employees had two phone numbers registered for its two-factor authentication, where an
employee is called back on his cell phone to authenticate his access. When the employee responded
that he had only registered one phone number, FireEye was alerted. They could have passed this off
as a false positive, but to their credit they took this as a serious breach and dug into the code,
tearing it apart, until they found the hacked code in SolarWinds’ Orion network software.
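The signal FireEye acted on, an extra phone number appearing on an account's two-factor enrollment, can be turned into a routine detection rule. The following is an added example written for this post, not FireEye's or SolarWinds' code: it reads a constructed identity-provider audit trail (the log lines, user names, numbers and `key=value` format are all made up here), enforces an assumed policy of one phone factor per account, and reports every additional phone enrollment so that the account owner can be asked whether they registered it.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// constructedLog mimics an identity provider's MFA audit trail. Every line is invented
// for this example; none of it comes from a real product or from the incident.
const constructedLog = `2021-01-05T09:12:44Z event=mfa_enroll user=alice factor=phone:+1-555-0100 src=198.51.100.7
2021-01-05T09:13:02Z event=mfa_challenge user=alice factor=phone:+1-555-0100 result=ok
2021-01-06T22:41:19Z event=mfa_enroll user=alice factor=phone:+1-555-0199 src=203.0.113.9
2021-01-06T22:41:35Z event=mfa_challenge user=alice factor=phone:+1-555-0199 result=ok
2021-01-06T10:00:00Z event=mfa_enroll user=bob factor=phone:+1-555-0111 src=198.51.100.8
2021-01-06T10:05:00Z event=mfa_enroll user=bob factor=totp:authenticator-app src=198.51.100.8`

// enrollment records one factor registration event.
type enrollment struct {
	when, factor, src string
}

// parseLine splits one audit line into key/value pairs; the leading timestamp is stored as "ts".
func parseLine(line string) map[string]string {
	kv := map[string]string{}
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return kv
	}
	kv["ts"] = fields[0]
	for _, f := range fields[1:] {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// FindExtraPhoneFactors returns, per user, every phone factor enrolled after that user's
// first one. The assumed policy is one phone number per account, so a second enrollment
// is the cue to confirm with the user rather than something to silently accept.
func FindExtraPhoneFactors(log string) map[string][]enrollment {
	phones := map[string][]enrollment{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		kv := parseLine(sc.Text())
		if kv["event"] != "mfa_enroll" || !strings.HasPrefix(kv["factor"], "phone:") {
			continue // only phone-factor enrollments matter for this rule
		}
		phones[kv["user"]] = append(phones[kv["user"]], enrollment{kv["ts"], kv["factor"], kv["src"]})
	}
	alerts := map[string][]enrollment{}
	for user, list := range phones {
		// order by timestamp so the earliest enrollment is treated as the legitimate one
		sort.Slice(list, func(i, j int) bool { return list[i].when < list[j].when })
		if len(list) > 1 {
			alerts[user] = list[1:]
		}
	}
	return alerts
}

func main() {
	for user, extras := range FindExtraPhoneFactors(constructedLog) {
		for _, e := range extras {
			fmt.Printf("ALERT user=%s additional phone factor %s enrolled at %s from %s; confirm with the user\n",
				user, e.factor, e.when, e.src)
		}
	}
}
```

On the constructed data only alice is flagged: bob's second factor is an authenticator app, not a second phone, so the one-phone policy is not violated. The rule deliberately stops at raising the question; as in the FireEye case, the decisive step was asking the employee and treating his answer as a breach indicator rather than a false positive.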

How was SolarWinds, a security company, hacked in the first place? There are some reports that it
was due to a weak password that was used by a SolarWinds intern and posted on his GitHub. This
password was identified as “solarwinds123”. I find this hard to believe since this violates all the basic
rules for passwords and should have been rejected by the system. Also, most systems today use two-
factor authentication, which was how this was detected by FireEye.

SolarWinds has responded with a Security Advisory, listing what modules are affected and what
action should be taken. However, this is like closing the barn door after the horses are gone. We
don’t know what secondary code was injected without tearing the whole network apart and starting
from scratch.

So far, the effects have been about espionage, the loss of secrets, and knowledge of source code
that could be exploited in the future. No one has died and no infrastructure has been destroyed –
yet, although that could easily be done with the addition of a few lines of code. The NotPetya
cyberattacks on Ukraine in 2017 are a good example of how physically destructive these types of
attack can be, where power is shut off and banking systems do not work.

Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, has taken
the lead on this investigation and said the US intelligence community is still looking at who is
responsible. President Joe Biden's administration is expected to respond in the coming weeks.
Assessing what was hacked will take months and may never be fully determined.
There are several things we need to consider based on what we know so far:

- Two-factor authentication should be implemented along with passwords, and the use of
strong passwords should be enforced.
- Supply chain hacks are increasing and measures must be taken to authenticate third-party
code. CSO Online published a blog on some ways to guard against supply chain attacks.
- Supply chain attacks are likely to occur in widely used software, since it can affect more
users.
- Avoid automating updates to sensitive code. A patch management system should require
third-party risk testing or have some standards that vendors need to comply with.
- CSO Online also suggests that this is the time to double down on “Least Privilege”.
The principle of least privilege is the idea that any user, program, or process should have
only the bare minimum privileges necessary to perform its function. For example, a user
account created for pulling records from a database doesn’t need admin rights. Edward
Snowden was able to leak millions of NSA files because he had admin privileges, though his
highest-level task was creating database backups.
- For a quick overview of supply chain attacks see Supply Chain Attack on Wikipedia.
