HealthyByte: Bridge That Gap


What you need to know about the SolarWinds Hack.


Let's dive into a topic that could well be one of the largest cybersecurity breaches in the history of the US. First, a little history on SolarWinds and the services it offers. SolarWinds sells IT management software; its Orion platform lets large organizations monitor, trace and log the performance of their corporate networks and the applications running on them. These services matter to big companies because they let them confirm that the software they write and the applications they deploy keep running smoothly, even during peak operating times and under heavy load or traffic. Network performance monitoring, tracing and logging became important to a great many organizations, and that demand is what led to SolarWinds' massive growth.

It was not long before SolarWinds started acquiring companies with adjacent products, growing a customer base that ranged from US government agencies to Fortune 500 companies. Seen in that light, the hack makes perfect sense. Instead of targeting a particular agency or company, the threat actors went after SolarWinds, the vendor that sells software to all of them. This is formally known as a supply chain attack.

A supply chain attack targets a vendor in order to reach that vendor's customers. In the software case, an attacker who gains a foothold in the vendor's build or release process can plant malware in a product update before it ships. The update is then digitally signed with the vendor's own code-signing certificate (the customers' root of trust), so recipients see a valid signature and nothing looks wrong when they install it. What makes this even more harmful is that the customer is doing exactly the right thing by keeping the application up to date; the trusted update channel itself is what delivers the implant. Compromise one vendor and you can reach every customer that installs the update.
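To make that trust problem concrete, here is an added example in Go (my code, not code from the original post or from SolarWinds). It models a vendor that builds and signs releases with an ed25519 key, a customer updater that verifies the signature against the vendor's pinned public key, and an attacker who has altered the source inside the vendor's build environment before the signing step. The placeholder source strings, the `build` and `independentCheck` helpers and the use of ed25519 as a stand-in for a real code-signing certificate are all assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Release is what a customer downloads: the build artifact plus the vendor's
// signature over it. A real update channel would use Authenticode or a
// package signature; ed25519 from the standard library stands in here.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// build stands in for the vendor's build step. A real build compiles the
// source; prefixing it is enough to show where tampering lands.
func build(source []byte) []byte {
	return append([]byte("ARTIFACT:"), source...)
}

// vendorRelease builds and signs. The signing key never leaves the vendor, so
// the signature is always valid for whatever the build step produced,
// tampered or not.
func vendorRelease(priv ed25519.PrivateKey, source []byte) Release {
	art := build(source)
	return Release{Artifact: art, Signature: ed25519.Sign(priv, art)}
}

// customerVerify is what an auto-updater does: check the signature against the
// vendor's pinned public key. It answers "did the vendor sign this?", not
// "is this the code the vendor intended to ship?".
func customerVerify(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// independentCheck rebuilds from a separately obtained, audited copy of the
// source (a reproducible build) and compares artifact hashes. This is the
// kind of check a signature alone does not give you.
func independentCheck(r Release, auditedSource []byte) bool {
	got := sha256.Sum256(r.Artifact)
	want := sha256.Sum256(build(auditedSource))
	return bytes.Equal(got[:], want[:])
}

// Scenario returns (signatureValid, rebuildMatches) for one release. With
// tampered=true an attacker inside the vendor's build environment has altered
// the source before the build-and-sign step. The source strings are
// constructed placeholders, not real product code.
func Scenario(tampered bool) (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	audited := []byte("func Collect() { sendMetrics() }")
	buildInput := audited
	if tampered {
		// Injected before signing, so the implant is covered by the signature.
		buildInput = []byte("func Collect() { sendMetrics(); backdoor() }")
	}
	rel := vendorRelease(priv, buildInput)
	return customerVerify(pub, rel), independentCheck(rel, audited)
}

func main() {
	for _, tampered := range []bool{false, true} {
		sigOK, rebuildOK := Scenario(tampered)
		fmt.Printf("tampered=%-5v signature valid=%-5v independent rebuild matches=%v\n",
			tampered, sigOK, rebuildOK)
	}
}
```

Running it prints a valid signature for both the clean and the tampered release; only the independent rebuild distinguishes them. That is the whole point of a supply chain attack: the signature proves who shipped the update, not that the shipped code is what the vendor reviewed.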

But breaking into a company like this is not as easy as it sounds; after all, software is SolarWinds' bread and butter. An operation of this scale and patience takes deep technical resources, money and skill, and the attribution points to a nation-state actor, what the industry calls an advanced persistent threat (APT). The backdoor is now referred to as SUNBURST (Microsoft calls the campaign Solorigate). Detailed public analyses of the compromised component have since been released (see the references at the end of this post) so that the security community can build detections and fixes.

The backdoor was engineered to stay dormant for up to two weeks after installation before doing anything at all, so nothing suspicious follows an update right away. The next piece of engineering brilliance is that the implant is aware of its environment. Before acting, it checks that the host is not running security or analysis tools (it compared running process, service and driver names against a blocklist) and goes quiet if it finds them. When it did communicate, it did not bulk-copy data and ship it off to the threat actor. Its first beacon encoded a small amount of victim information into DNS queries, and its later command-and-control traffic was shaped to mimic the Orion platform's own legitimate telemetry (the Orion Improvement Program protocol), with the attacker's data hidden inside what looked like normal analytics traffic. Whenever that traffic left a company's network, nobody noticed, because it looked like traffic the product was expected to generate.
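As an added example (my code, not from the original post or from any published SUNBURST analysis), here is a small Go detector for the DNS side of that behaviour: data smuggled out as long, high-entropy leftmost labels under a benign-looking parent domain, sent on a slow, regular schedule. The log lines, the `telemetry.example.net` domain, the host addresses and the thresholds are all constructed for the example and are not indicators from the real campaign.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Constructed DNS query log for this example (not real traffic). 10.0.0.7
// resolves ordinary names; 10.0.0.12 sends an encoded beacon every 12 minutes
// as the leftmost label under a parent domain chosen to read like telemetry.
const sampleLog = `2020-06-01T10:00:01Z src=10.0.0.7 q=www.example.com
2020-06-01T10:00:02Z src=10.0.0.7 q=updates.vendor.example
2020-06-01T10:00:05Z src=10.0.0.12 q=7hq3k1pd0j5w8b2zr9c4vm6n.telemetry.example.net
2020-06-01T10:12:05Z src=10.0.0.12 q=x2c9mk4t7v1ndq8rzh5w3bj0.telemetry.example.net
2020-06-01T10:24:05Z src=10.0.0.12 q=p0r4n8w1jd6hz2kv9cq5bt7m.telemetry.example.net
2020-06-01T10:30:00Z src=10.0.0.7 q=mail.example.com
2020-06-01T10:36:05Z src=10.0.0.12 q=k5t8b2m0vq3hx7wn1rz4jd9c.telemetry.example.net`

type query struct {
	at    time.Time
	label string // leftmost label of the queried name
}

// Finding is one (source host, parent domain) pair whose queries look like an
// encoded beacon channel rather than ordinary name resolution.
type Finding struct {
	Src, Parent string
	Queries     int
	AvgLabelLen float64
	AvgEntropy  float64 // Shannon entropy of the leftmost label, bits/char
	MedianGap   time.Duration
}

// entropy returns Shannon entropy of s in bits per character.
func entropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Analyze groups queries by (source, parent domain) and flags groups with at
// least minQueries whose leftmost labels average at least minLen characters
// and minEntropy bits/char. Thresholds are assumptions for this example.
func Analyze(log string, minQueries int, minLen, minEntropy float64) []Finding {
	type key struct{ src, parent string }
	groups := map[key][]query{}
	for _, line := range strings.Split(log, "\n") {
		f := strings.Fields(line)
		if len(f) != 3 || !strings.HasPrefix(f[1], "src=") || !strings.HasPrefix(f[2], "q=") {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		parts := strings.SplitN(strings.ToLower(f[2][2:]), ".", 2)
		if len(parts) != 2 {
			continue
		}
		k := key{f[1][4:], parts[1]}
		groups[k] = append(groups[k], query{at, parts[0]})
	}
	var out []Finding
	for k, qs := range groups {
		if len(qs) < minQueries {
			continue
		}
		sort.Slice(qs, func(i, j int) bool { return qs[i].at.Before(qs[j].at) })
		f := Finding{Src: k.src, Parent: k.parent, Queries: len(qs)}
		var gaps []time.Duration
		for i, q := range qs {
			f.AvgLabelLen += float64(len(q.label)) / float64(len(qs))
			f.AvgEntropy += entropy(q.label) / float64(len(qs))
			if i > 0 {
				gaps = append(gaps, q.at.Sub(qs[i-1].at))
			}
		}
		if len(gaps) > 0 {
			sort.Slice(gaps, func(i, j int) bool { return gaps[i] < gaps[j] })
			f.MedianGap = gaps[len(gaps)/2] // a steady gap is the beacon schedule
		}
		if f.AvgLabelLen >= minLen && f.AvgEntropy >= minEntropy {
			out = append(out, f)
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

func main() {
	for _, f := range Analyze(sampleLog, 3, 16, 3.5) {
		fmt.Printf("%s -> *.%s: %d queries, avg label %.0f chars, %.2f bits/char, median gap %s\n",
			f.Src, f.Parent, f.Queries, f.AvgLabelLen, f.AvgEntropy, f.MedianGap)
	}
}
```

On the sample log only 10.0.0.12 is flagged, with a 24-character label, roughly 4.6 bits per character and a 12-minute median gap. The parent domain is deliberately not an indicator: a beacon that hides in a benign-looking domain still has to carry its payload somewhere, and label length, entropy and cadence are what survive the disguise.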

The trojanized updates are believed to have been distributed from around March 2020, though the intrusion into SolarWinds itself may have begun earlier. So now that the attackers had access, what was their purpose? Such an operation generally falls into one of two categories: espionage or sabotage. Espionage is reconnaissance and information gathering. Sabotage is where it gets dangerous, because it can disable critical infrastructure, weaponize stolen information and cause billions of dollars in damages. Luckily, the evidence so far points to the SolarWinds campaign being espionage.

The lesson: if you sell software to many companies, you need to build a strong security culture from the bottom up, starting with the build and release pipeline, at the earliest stage possible. I hope this hack leads to more defensive measures being taken to protect systems.

If you want to take a closer look and check out more details on the SolarWinds hack, here are some references:

SolarWinds Security Advisory

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers - Microsoft Security

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor