
Cyber Attack initiated through a third (3rd) party supplier

Catalog

Solar Winds Cyber Attack
(1) Introduction
(2) Details of the incident
    A) Chronological overview of the cybersecurity breach
    B) Explain what occurred
    C) Type of cybersecurity incident
    D) What data was stolen
    E) Organization's response
(3) Impact(s) on the organization (~500 words)
    a) Provide details of how the responsibilities were divided, concerning supply chain management in the incident
    b) Provide a summary of how the cybersecurity breach affected the organization (e.g., financial impact, reputational cost, litigation, etc.)
(4) Conclusion
(5) References

Solar Winds Cyber Attack


(1) Introduction.
SolarWinds is a US-based IT company that provides software to businesses. Its products automate network processes and help customers manage their networks and information infrastructure. SolarWinds is headquartered in Austin, Texas, and is a multinational company with branches in many US cities and in other countries around the world. It was established in 1999 in Tulsa, Oklahoma.
SolarWinds is a third-party supplier to major multinational IT organizations such as Microsoft, Amazon, Oracle and IBM. It is also one of the best-known IT companies worldwide because of its network automation services. According to a 2020 report, SolarWinds has more than 300,000 customers around the globe, including about 1,000 large organizations and government agencies.
SolarWinds was attacked in December 2019 by Russian hackers. The attack was first reported to the public one year later, in December 2020. It is one of the most damaging attacks in US history: SolarWinds' customers include not only the private sector but also government agencies and the sensitive military sector. The incident was initiated through a third party, i.e. the supply chain, which is why it is also called a value-chain or third-party attack. A supply chain attack occurs when an adversary infiltrates your systems, network and IT infrastructure through an outside partner or supplier that has access to your systems, data and IT infrastructure. This type of attack has dramatically changed the attack surface and the indicators of compromise of the typical organization in the past few years, with more suppliers and service providers touching sensitive data than ever before.

(2) Details of the incident.

This attack targeted a SolarWinds product called Orion, which organizations use to monitor their network infrastructure.

A) Chronological overview of the cybersecurity breach.

The chronological overview of the breach is as follows.


- Establishment of a foothold in SolarWinds' software publishing infrastructure (September 2019).
- Modification of the Orion software updates (November 2019).
- Establishment of command and control infrastructure (February 2020).
- Installation of remote access tool malware in the Orion updates (March 2020).
- Installation of the Trojan on victim systems and creation of a backdoor.
- Communication with the command and control infrastructure (April 2020).
- Gaining access to high-value targets and installation of an exploitation tool.
- Gaining access to emails, credentials and sensitive documents from Microsoft 365 accounts, since Orion was a trusted third-party supplier application.
- Masquerading as Microsoft Azure Active Directory services and many other services.
- Compromising Amazon, GoDaddy and Microsoft accounts and services as a result of the third-party supplier compromise.

B) Explain what occurred.

This incident started back in September 2019, when a Russian state-sponsored hacker group used advanced persistent threat techniques against a product of a third-party supplier company called SolarWinds. SolarWinds supplies many multinational IT and e-commerce companies such as Microsoft, Amazon and Oracle. The attackers' objective was to use a supplier of Microsoft and other companies to gain access to Microsoft accounts indirectly, and then to steal valuable and sensitive information about high-value targets, including credentials and sensitive documents. Because SolarWinds is also a supplier to many government and military agencies in the USA, it was an easy target for adversaries wanting to reach valuable Microsoft accounts indirectly through a supplier.
In September 2019 the attackers started their operation and began the first phase: gaining access to SolarWinds' software update distribution infrastructure, through which SolarWinds delivers and distributes updates to its products worldwide.
After they succeeded in gaining initial access to SolarWinds' update distribution system, the attackers chose a product called Orion, which is used by many customers worldwide. Orion is a network monitoring, management and automation tool.
In October 2019 the attackers began modifying the Orion updates. After successfully modifying the software updates, they started establishing the command and control infrastructure for the malicious deliveries of these rogue Orion updates.
In March 2020 the attackers started to integrate the backdoor into the Orion updates by installing remote access tool Trojan malware. It works as follows: when a customer updates Orion, the Trojan payload is executed and a backdoor is installed on the victim's system. The backdoor then sleeps for 12 to 14 days to avoid detection. After 14 days it starts its initial communication with the command and control infrastructure. The backdoor communications were designed to mimic legitimate SolarWinds traffic; communication with any one of the servers would alert the attackers to a successful malware execution and deployment and offer them a backdoor, which they used to exploit the system further.
In April 2020 the malware started communicating with command-and-control servers established on different continents, initially in North America and Europe.

The attackers gained access to the victims' systems and then exploited them. They first identified high-value targets, i.e. government or military personnel, and installed an exploitation tool such as Cobalt Strike. Because Orion is a trusted third-party application with access to highly privileged accounts, such as Microsoft Office 365, Microsoft Azure, Amazon Web Services and GoDaddy accounts, the attackers gained access to these accounts by stealing credentials with the help of the backdoor. They then stole high-value information and sensitive documents from the associated accounts. The attackers also targeted Amazon and GoDaddy accounts via the command and control infrastructure.

C) Type of cybersecurity incident.


It was a supply chain cyber incident made up of several sub-attacks: installation of a backdoor through Trojan malware, then exploitation of the victim systems to take over accounts by stealing their credentials, and finally a data breach of sensitive documents and information.

D) What data was stolen.


The attackers' main targets were credentials and the information residing in high-value victims' accounts, such as sensitive documents.

E) Organization’s response.
In December 2020, Microsoft detected anomalies in its systems' responses. After an initial investigation, it found the compromised accounts and the data breach. All the compromised accounts showed the same attack signature. The digital forensics teams found that the attack came through Orion, a software product of SolarWinds, because the affected accounts were associated with Orion as a third-party product in the supply chain. SolarWinds was informed of the attack, which had used its product as the main carrier to penetrate other valuable targets.
SolarWinds responded to the attack swiftly and appropriately. It began its response by cleaning the systems infected with the malicious software within a few days of notification, clearing the infection by disconnecting, patching, or applying mitigation scripts to its infrastructure. The following remediation steps were taken by all the regulated companies to mitigate and clear the risks associated with the SolarWinds attack:

- Evaluation of system integrity.
- General audit of logs for indicators of compromise.
- Isolation of infected systems to stop the infection spreading to other network segments.
- Patching of vulnerable software to reinforce integrity.
- Upgrading security by eliminating weak points in systems and software.
- Enhancing the SOPs and checklists of the update process.
- Blocking internet access for the infected systems.
- Isolation of affected systems by blocking specific DNS domains, based on guidance from incident response teams and digital forensics agencies.
- Removing and decommissioning Orion from the product list.
- Replacing Orion with another monitoring product.

While all of these remediation steps allowed DFIR entities to address the risks associated with the SolarWinds attack once it was identified, DFS found that several companies could have addressed risks like the SolarWinds attack by implementing a mature patch management system for their infrastructure.
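As an added defensive example (not code from this report, SolarWinds or any vendor), the following Python script turns the dormancy-then-beacon behaviour described in section B and the "audit logs for indicators of compromise" and "isolate by DNS domain" steps above into detection logic. It scans a constructed update/DNS log and flags hosts that first contact a non-allowlisted domain at least 12 days after a software update; the log format, hostnames, domain names and allowlist are all made up for illustration.

```python
from collections import defaultdict
from datetime import datetime

DORMANCY_MIN_DAYS = 12  # the report says the backdoor slept 12 to 14 days before beaconing

# Constructed sample log, not real telemetry. Format: "<ISO timestamp> <host> <event> <detail>"
SAMPLE_LOG = """\
2020-03-01T10:00:00 nms01 update_installed orion-platform-2020.2
2020-03-02T09:00:00 nms01 dns updates.vendor.example
2020-03-15T03:12:00 nms01 dns api.cloud-sync.example
2020-03-01T10:05:00 nms02 update_installed orion-platform-2020.2
2020-03-03T11:00:00 nms02 dns updates.vendor.example
2020-03-20T08:00:00 nms02 dns updates.vendor.example
2020-03-04T11:00:00 ws17 dns mail.corp.example
"""

# Constructed allowlist: destinations the monitoring hosts are expected to contact
KNOWN_DOMAINS = {"updates.vendor.example"}


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, event, detail) tuples,
    sorted chronologically (the pattern depends on event ordering)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), host, event, detail))
    return sorted(events)


def find_delayed_beacons(events, known_domains, min_days=DORMANCY_MIN_DAYS):
    """Flag hosts that, at least min_days after a software update, resolve a domain
    outside the allowlist. Returns {host: [(domain, days_since_update), ...]}."""
    last_update = {}
    suspects = defaultdict(list)
    for ts, host, event, detail in events:
        if event == "update_installed":
            last_update[host] = ts
        elif event == "dns" and host in last_update and detail not in known_domains:
            age = (ts - last_update[host]).days
            if age >= min_days:
                suspects[host].append((detail, age))
    return dict(suspects)


def hosts_to_isolate(text=SAMPLE_LOG, known_domains=KNOWN_DOMAINS):
    """Parse the log and return the sorted list of hosts that should be isolated."""
    return sorted(find_delayed_beacons(parse_log(text), known_domains))


if __name__ == "__main__":
    for host, hits in find_delayed_beacons(parse_log(SAMPLE_LOG), KNOWN_DOMAINS).items():
        for domain, age in hits:
            print(f"{host}: contacted {domain} {age} days after its last update")
```

In the sample data only nms01 is flagged: nms02 keeps talking to the allowlisted update server and ws17 never installed the update, so a plain "unknown domain" rule would have produced noise that the update-relative timing removes.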

(3) Impact(s) on the organization (~500 words)

a) Provide details of how the responsibilities were divided, concerning supply chain management in the incident.
Cybersecurity risk is always mitigated by implementing security practices, policies, certifications, security fabrics and compliance at basic to advanced levels; it cannot be removed permanently. In the case of SolarWinds, regulatory frameworks were deployed, such as the compliance regimes specific to the financial sector or healthcare, which provide third-party risk testing or set standards that supply vendors need to comply with. In PCI there is a software quality component for testing the quality of mobile payment components; this relates to compliance with the Payment Card Industry Data Security Standard (PCI-DSS).

There are many more general frameworks, such as ISO 9001, the Capability Maturity Model (CMM), SOC 2 and Common Criteria. These compliance schemes are based on well-researched and well-assessed best practices.
In the case of SolarWinds, of course, they were not well prepared for this kind of security incident. After the incident they admitted that their systems were not able to catch the malware and malicious events inside the SolarWinds update infrastructure. Not only SolarWinds but Amazon and Microsoft missed it as well. It is difficult to scan updates for suspicious behaviour because an update is, by design, meant to change the way the software behaves.
After this incident Microsoft and Amazon developed infrastructure that specifically deals with third-party suppliers and third-party apps. They created access control policies to manage the privileges of third-party apps in the supply chain, and this infrastructure handles anomaly-based events for connected products that use Microsoft for authentication and registration.
Supply chain attacks are rarer than attacks against known vulnerabilities but also more severe and critical. The risk of exploitation of an unpatched vulnerability in a system, or of a security update that has not been implemented, greatly outweighs the risk of a supply chain attack.

b) Provide a summary of how the cybersecurity breach affected the organization (e.g., financial impact, reputational cost, litigation, etc.).
After a cyber incident, an organization usually faces financial, reputational and legal losses. In the case of SolarWinds the estimated losses are $90,000,000; this includes DFIR costs for the companies impacted by the incident and cyber insurance coverage.
In the aftermath of the incident SolarWinds suffered huge reputational damage. Orion lost all of its customers after news of the incident spread around the world, and as a result SolarWinds discontinued the product.
The number of SolarWinds victims grew in the following months and uncertainty spread abroad. The organizations affected among SolarWinds' clients include federal government agencies, which typically do not buy insurance for most risks, including cyber, so estimates for them are not available. Many organizations cancelled their MOUs and projects with SolarWinds because they lost trust in its credibility. Microsoft and other companies also faced consequences after the incident.

(4) Conclusion.
According to SolarWinds, the malware insertion into its software product Orion was performed by a foreign nation, Russia. A state-sponsored campaign was launched against IT companies in America, and state-sponsored hackers were suspected of being responsible for this incident.
This attack demonstrates the international impact an attack on just one company can have: it can initiate a chain of events and consequences that lead to serious data breaches. When the targeted company has access to other companies' data, especially as a trusted third-party supplier, the results can be catastrophic. In the SolarWinds case, the involvement of nation-state hackers means that vast expertise and funding were also involved, and this combination led to the compromise of substantial amounts of data from some of the most important organizations and departments throughout the world.
After investigation, U.S. officials stated that the SVR, or Cozy Bear, was responsible for the incident.
After this incident, supply chain management received high attention in every organization. Supply chain management is very important in the present cyber security landscape; things are evolving and adversaries are trying hard to find new ways to compromise systems.
The National Cyber Security Centre provides guidance on supply chain security management.

We need to understand the risks associated with supply chain management and find ways to mitigate them.
We need to determine whether or not our suppliers and their sub-contractors and sub-suppliers have provided the security requirements asked of them, and make sure that those security requirements are working properly.
We need to understand what type of access our suppliers have to our systems, premises and information, how we will control it, how much privilege they have inside the system, and whether our access control policies are effective. We need to understand how our immediate suppliers control access to, and use of, our information and assets, including systems, IT infrastructure and premises.
We need to make sure that best practices and policies are deployed in our organization, and check whether compliance regimes like PCI DSS, HIPAA, GDPR and FISMA are effective. We need to make sure that there are no fatal vulnerabilities in our systems and that our security fabric stays strong without any loophole.
Risks in the supply chain can take many forms. For example, a third-party supplier may fail to adequately secure its systems and fail to deploy proper security fabrics and best practices. The supplier may have a malicious insider who intentionally compromises the system to breach information, or members of the supplier's staff may unintentionally fail to properly handle or manage the organization's information. This may be because the organization has poorly communicated its security needs to the supplier, so that the supplier does not act properly and does the wrong things, or the supplier may intentionally seek to undermine your systems through malicious action.
Information you can use to understand these security risks:
- Common cyber attacks.
- Insider data collection report.
- Insider risk assessment.
- CPNI Holistic Management of Employee Risk.

Above are descriptions of four well-known cyber attacks on supply chains. To get the best understanding, you should watch out for the routine threat advisories published by NCSC and CPNI.

(5) References
- https://cyber.uk/areas-of-cyber-security/supply-chain-attacks-case-study/
- https://www.csoonline.com/article/3191947/supply-chain-attacks-show-why-you-should-be-wary-of-third-party-providers.html
- https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12
- https://www.arnoldporter.com/en/perspectives/advisories/2021/06/lessons-learned-from-the-solarwinds-cyberattack
- https://www.bitsight.com/blog/the-financial-impact-of-solarwinds-a-cyber-catastrophe-but-insurance-disaster-avoided
