Did the SolarWinds Hack Affect Your Vendors?
2020 was the year of Murphy’s Law: if something could go wrong, it did. In the case of the SolarWinds Orion platform hack, things went spectacularly wrong on the scale of Fourth of July fireworks.
The last two months have involved a lot of scrambling for companies impacted by the breach. Privva is here to help our clients understand their risk level and take action to safeguard their networks.
So with that in mind, let’s answer the million-dollar question: did the SolarWinds hack affect your vendors?
What is SolarWinds?
SolarWinds is an American company based in Austin, Texas that develops software to help businesses manage their systems, networks, and information technology infrastructure.
While the company is not widely known to the general public, it is widely used. SolarWinds claims it has more than 300,000 clients, including major U.S. government agencies and a vast majority of Fortune 500 companies. You might recognize some of its clients:
Department of Defense
Department of Homeland Security
National Institutes of Health
Department of Justice
Blue Cross Blue Shield
The New York Times
It was all business as usual. Then SolarWinds got hacked.
What was the SolarWinds Hack?
In a December 14 filing with the U.S. Securities and Exchange Commission (SEC), SolarWinds stated that roughly 33,000 of its 300,000 customers used the Orion platform attacked in the breach, and that fewer than 18,000 of those customers had a platform version of the Orion product containing malicious code.
So what happened?
Hackers who appear to be associated with the hacking group Cozy Bear, a.k.a. Advanced Persistent Threat (APT) group 29 (a branch of the SVR arm of the Russian intelligence services), got inside SolarWinds’ development operations. Once there, they inserted malware into an Orion platform plugin called SolarWinds.Orion.Core.BusinessLayer.dll, which SolarWinds distributed in March.
After the update (and the malware with it) was installed, the malware “phoned home” to the group’s command-and-control network, giving the group a way into the customer’s network. And since the update was released and signed by SolarWinds itself, few companies knew their software was compromised until now.
How Bad Is It?
In short? It’s bad. Really bad.
According to FireEye, the backdoor in the plugin (dubbed SUNBURST) stays dormant for two weeks before retrieving and executing commands, including “Jobs” that allow the malware to execute files, transfer files, profile the system, disable system services, and even reboot the machine, all while masking its activity under the Orion Improvement Program (OIP) protocol and storing its reconnaissance within legitimate plugin files. In other words, it sweeps an entire system while blending in with legitimate SolarWinds activity.
That’s a problem, given that the Orion platform is a far more valuable hack than any individual machine on a network. The software is designed to centralize cybersecurity for all network hosts in one system, which means the malware could use the software to hopscotch between any network host.
Who is Vulnerable?
Here’s the good news: despite how widespread SolarWinds is and despite the attack’s capacity to spread throughout networks, not all SolarWinds customers were impacted.
The only customers at risk are the ones who used the Orion platform, and then only the customers who loaded the malware-infected update.
That said, even if your vendors use Orion and even if they installed the update, there is a possibility they were not compromised. Because SolarWinds’ Orion clients include major U.S. government agencies and Fortune 500 companies, the hackers were most likely to target high-value customers first and work their way down the list while they were still unnoticed.
However, that does not mean you should assume you are free of harm. Now that the attack has been discovered, the hackers are most likely taking steps to cover their tracks, including installing other back doors so they can get back into a compromised system later.
In summary: if your vendors use Orion, your safest bet is to assume they may be compromised and plan accordingly.
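The three rules above (only Orion users are exposed, only those who loaded the infected update were reachable, and any Orion user should be planned for as possibly compromised) amount to a small triage procedure you can run over a vendor questionnaire. The script below is an added example written for this post, not Privva’s product or code; the record fields, vendor names and follow-up wording are this example’s own assumptions, the only value taken from the text is the 2020.2.1 HF release SolarWinds pointed customers to, and comparing that version as an exact string is a simplification of a real build-number comparison.

```python
"""Vendor triage for the SolarWinds Orion exposure, applying the page's rules:
only Orion users are exposed, only those who loaded the infected update were
reachable, and an Orion user should be treated as possibly compromised."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple

# Release SolarWinds told Orion customers to move to (quoted in the text above).
# Exact string comparison is an assumption made for this example.
REMEDIATED_VERSION = "2020.2.1 HF"


class Exposure(IntEnum):
    NOT_EXPOSED = 0          # vendor does not run Orion at all
    AT_RISK = 1              # runs Orion but states the infected update was never installed
    ASSUME_COMPROMISED = 2   # runs Orion and installed the update, or cannot say either way


@dataclass
class VendorRecord:
    """One questionnaire response. Field names are this example's own, not Privva's."""
    name: str
    uses_orion: bool
    installed_affected_update: Optional[bool]   # None: vendor could not confirm
    current_version: Optional[str] = None
    has_access_to_our_network: bool = False


def classify(v: VendorRecord) -> Exposure:
    """Apply the three rules from the text, in order."""
    if not v.uses_orion:
        return Exposure.NOT_EXPOSED
    if v.installed_affected_update is False:
        return Exposure.AT_RISK
    # Installed the update, or unknown: the text says to plan as if compromised.
    return Exposure.ASSUME_COMPROMISED


def actions_for(v: VendorRecord) -> List[str]:
    """Follow-up items a third-party risk reviewer would log for this vendor."""
    level = classify(v)
    todo: List[str] = []
    if level == Exposure.NOT_EXPOSED:
        todo.append("record attestation that Orion is not in use")
        return todo
    if v.current_version != REMEDIATED_VERSION:
        todo.append(f"confirm upgrade to Orion {REMEDIATED_VERSION}")
    if level == Exposure.AT_RISK:
        todo.append("request update history showing the infected build was never deployed")
    else:
        todo.append("treat as compromised: request evidence of investigation for additional backdoors")
        if v.has_access_to_our_network:
            todo.append("review and restrict this vendor's access to our network until cleared")
    return todo


def triage(vendors: List[VendorRecord]) -> List[Tuple[str, Exposure, List[str]]]:
    """Worst exposure first, so the review queue starts with the urgent cases."""
    rows = [(v.name, classify(v), actions_for(v)) for v in vendors]
    return sorted(rows, key=lambda r: (-int(r[1]), r[0]))


def summarize(vendors: List[VendorRecord]) -> Dict[str, int]:
    """Count vendors per exposure tier for a management summary."""
    counts = {e.name: 0 for e in Exposure}
    for v in vendors:
        counts[classify(v).name] += 1
    return counts


# Constructed sample responses for this example (not real vendors).
SAMPLE_VENDORS = [
    VendorRecord("Acme Payroll", uses_orion=False, installed_affected_update=None),
    VendorRecord("Northwind Hosting", uses_orion=True, installed_affected_update=True,
                 current_version="2020.2", has_access_to_our_network=True),
    VendorRecord("Contoso Analytics", uses_orion=True, installed_affected_update=False,
                 current_version=REMEDIATED_VERSION),
    VendorRecord("Fabrikam Support", uses_orion=True, installed_affected_update=None),
]

if __name__ == "__main__":
    for name, level, todo in triage(SAMPLE_VENDORS):
        print(f"{name}: {level.name}")
        for item in todo:
            print(f"  - {item}")
    print(summarize(SAMPLE_VENDORS))
```

The deliberate choice here is that an unanswered question ("we are not sure whether that update was installed") lands in the same tier as a confirmed install: the post's advice is to assume compromise unless the vendor can show otherwise, so the burden of proof sits with the vendor, not with the reviewer.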
How to Avoid Similar Attacks in the Future
First and foremost, SolarWinds recommends that all Orion platform customers upgrade to version 2020.2.1 HF as soon as possible. The company has also released additional updates to ensure customers are running a clean version of the product with added security enhancements.
That said, there are lessons to be learned from the attack and additional security protocols your team can take to avoid similar issues in the future.
First, keep in mind that the SolarWinds hack was essentially a supply chain hack. That matters because with a SaaS solution you decide what data you send to the provider, and you don’t need to install complex local software. The Orion platform is not SaaS: it’s an on-premises product requiring local resources to install and manage.
In addition, complex on-premises systems like Orion require additional software on your network, and that software needs high-level permissions or highly privileged accounts to run. SaaS solutions do not.
The tricky part comes from patches. Most of the time, breaches like this happen because customers were not diligent enough in updating their programs and thus left themselves vulnerable to a bug. In this case, the most vulnerable customers were actually the ones who were most diligent about installing updates. And as for SolarWinds itself, the company stated in its SEC filing that the original compromise most likely happened due to an employee’s compromised Office 365 account.
At the end of the day, this is still one of the most classic hacks: a social engineering hack. The best way to combat these is rigorous security training to raise awareness.
However, the issue for diligent Orion customers was the opposite of carelessness. In that case, you need a robust third-party risk management program to manage vendor access at all levels.
That’s where we come in.
The Smarter Approach to Risk Management
When your company relies on so many solutions to make your business run, it’s hard to know what questions to ask at the right moment. Our job is to make vendor risk management easier by helping you ask the right questions.
If you’re ready to change the way you handle risk management, click here to schedule a demo and take back control of your security.