Federal agencies and global organizations were compromised in a long-term, state-sponsored cyberattack. The threat actors conducted a supply chain attack using compromised SolarWinds software. Here’s what happened, and how to stay safe.
Trojan software carries a hidden malicious payload. You think you are installing one application but in fact, there are stowaways in the installation routine that get installed at the same time. Or the application you are installing has itself been compromised and now harbors malicious code.
A recent example is a bar code scanner app that was removed from the Google Play app store. The bar code scanner had been published for several years and had a healthy installed base of 10 million users. It was sold to a new owner, Ukraine-based “The Space Team”, at the end of 2020.
Following an update of the app, users were plagued by adverts. Their default browser would open on its own. Links and buttons to download and install further apps would cascade over their screen. The new owners had modified the code of the scanner app to include malware. The app was trusted by those who already had it installed, so an update would raise no concerns. But the update they expected to provide bug fixes and new features actually compromised their handset. The hitherto innocent bar code scanner was now a Trojan.
The bar code scanner app had been singled out as a good purchase by the threat actors. Its strong user base made it a convenient transport mechanism to drop their malware on up to 10 million smartphones. They bought the app, modified its code, and sent it out as an update. Presumably, the cost of purchasing the app was viewed as a running cost of the scam, to be recouped from their criminal profits. To the threat actors, it was probably a cheap and easy way to get access to 10 million smartphones.
The SolarWinds Breach
The SolarWinds hack is similar but in an altogether different league. SolarWinds create and sell monitoring and management software for corporate networks. To provide the detailed, granular information that system administrators require to maintain the effectiveness of the IT resources they are responsible for, the SolarWinds software requires extremely privileged access rights to the network.
As with the bar code scanner, the SolarWinds software wasn’t the target—it was just the delivery mechanism. SolarWinds Orion is a full IT stack monitoring and reporting tool. It was compromised by threat actors. They covertly modified a Dynamic Link Library (DLL) called SolarWinds.Orion.Core.BusinessLayer.dll. The tainted DLL was included in SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. These updates were issued between March and June 2020. Just like the bar code scanner app, the updates were used to distribute the malware to existing customers. The malware has been named SUNBURST by cyber security researchers at FireEye.
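As an added example (not code from the original article or from SolarWinds), here is a small Python inventory check that parses Orion-style version strings, including the HF hotfix suffix, and flags installs that fall inside the affected range quoted above; the hostnames and versions in the sample inventory are constructed.

```python
"""Inventory check for SolarWinds Orion builds inside the affected range
the article quotes (2019.4 through 2020.2.1 HF1). Added example; the
hostnames and versions in SAMPLE_INVENTORY are constructed, not real."""
import re
from typing import List, Optional, Tuple

FIRST_AFFECTED = "2019.4"        # first tainted release named above
LAST_AFFECTED = "2020.2.1 HF1"   # last tainted release named above

# Orion-style version: dotted numbers, optional 'HF<n>' hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.I)


def parse_version(text: str) -> Optional[Tuple[Tuple[int, ...], int]]:
    """'2020.2.1 HF1' -> ((2020, 2, 1), 1); None if not Orion-style.
    Parts are padded to three fields; a missing hotfix counts as HF0."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts += (0,) * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts, hotfix


def is_affected(version: str) -> Optional[bool]:
    """True inside [FIRST_AFFECTED, LAST_AFFECTED]; None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None  # unknown format: route to manual review, never skip
    return parse_version(FIRST_AFFECTED) <= parsed <= parse_version(LAST_AFFECTED)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Label every (host, version) row 'affected', 'not affected' or 'review'."""
    labels = {True: "affected", False: "not affected", None: "review"}
    return [(host, ver, labels[is_affected(ver)]) for host, ver in inventory]


# Constructed sample inventory (made-up hostnames and versions).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF1"),   # last tainted build
    ("orion-prod-02", "2020.2.1 HF2"),   # one hotfix past the range
    ("orion-lab", "2019.4 HF5"),         # hotfix of the first tainted release
    ("orion-old", "2019.2"),             # predates the range
    ("orion-unknown", "n/a"),            # version not recorded
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row)
```

Rows that come back as "review" are the ones to chase first, since a missing or unparseable version is exactly where a tainted install can hide from a quick check.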
The sophistication of the initial breach of SolarWinds’ systems, the complexity of the Trojan code, the exploitation of a zero-day vulnerability, and the technically-demanding methods of avoiding detection post-compromise all point to the perpetrators being a state-sponsored Advanced Persistent Threat group.
This is further borne out when you look at the list of victims. They include senior U.S. agencies and federal departments, operators within the critical infrastructure of the U.S., global organizations, and private companies. The U.S. Treasury, the Department of Homeland Security, the Department of State, the Department of Defense, and the Department of Commerce were all victims. In all, around 18,000 installations fell foul of the tainted updates.
Once the infected updates are applied to the customers’ networks, the malware installs itself and lies dormant for about two weeks. It then makes HTTP requests to the threat actors’ servers to retrieve commands, which it then acts upon. It provides a backdoor for the threat actors right into the infected networks.
The network traffic generated by the malware is disguised as Orion Improvement Program (OIP) protocol traffic. This helps the malware to remain undetected. It is also aware of many types of antivirus, antimalware, and other endpoint protection software and it can dodge and evade them.
However, one of SolarWinds’ customers was FireEye, a well-known cyber security company. When proprietary software assets were stolen from FireEye, they started an investigation that discovered the malware and the link back to SolarWinds.
This is a classic supply-chain attack. Instead of wondering how to infect all the target organizations, the threat actors attacked one of their common suppliers, sat back, and waited for the normal update process to take place.
Assessing Your Supply Chain
To properly assess the risk of a supply chain attack you need to understand your supply chain thoroughly. That means mapping it out. Pay special attention to suppliers of network hardware and software. If you use an out-sourced managed services provider (MSP) you need to be aware that they are high-value targets to the cybercriminals. If they can compromise an MSP, they have the keys to the kingdom for all of the MSP’s customers.
Be mindful of any supplier who routinely sends service or maintenance personnel to your premises. If they are maintaining any kind of equipment that connects to your network, the chances are the service engineer will connect to your network when they are on site. If their laptop has been compromised because their employer’s network has been targeted, you’ll be infected. And you might not be the cybercriminal’s target. Maybe it’s one of that provider’s other customers. But with a supply chain attack, many other companies are caught in the cross-fire and suffer as collateral damage. Whether you were the target or not doesn’t ease the blow if you are compromised.
Once you’ve identified those suppliers that directly or indirectly touch your network, you can make a risk assessment. Taking each supplier in turn, how likely is it that they would be useful in a supply chain attack? What would the cybercriminals gain? Who are the provider’s other customers? Are any of them attractive targets to a state-sponsored APT group? Intelligence agencies, anything to do with the military, critical infrastructure, or government departments are high-risk targets that an APT might try to snare with a supply chain attack.
The flip side is, supply contracts from intelligence agencies, the military, and the government are only awarded to suppliers who can demonstrate that they operate securely and have effective cyber security. In exceptional circumstances—and especially when zero-day vulnerabilities are involved—any organization can be breached. That’s what happened to SolarWinds.
Discuss your aims and concerns with your suppliers. Can they evidence any certification or standards compliance regarding cyber security? Will they reveal their record of cyber security incidents and incident handling? How can you co-operate to ensure secure operation in your ongoing trading relationships?
Auditing new suppliers should become standard procedure, with existing suppliers audited at least annually. If they are too far away to visit, at least send them a set of questions to complete and ask them to attest that their answers are true.
As well as protecting yourself from a supply chain attack, you need to consider the risk of your supply chain collapsing due to cyberattack—whether you are directly involved in the attack or not. If a critical section of your supply chain collapses you face an emergency of a different kind. Can you get all of your critical supplies from other providers? What can you do about niche products or services that you cannot easily or quickly obtain from elsewhere?
Instead of a single, linear supply chain for critical or strategic supplies, it may be possible to establish several parallel supply lines. If one breaks, the others can continue. This doesn’t increase the security but it does increase the robustness and durability of your supply chain.
Other Steps To Take
If you are a SolarWinds customer you should review the SolarWinds security advisory and take any necessary action. Also, see the Department of Homeland Security emergency directive and follow any applicable guidance.
The SUNBURST malware used a technique that allowed it to access or generate authentication certificates so that it could access protected services. Trimarc Security has shared a PowerShell script that will scan a single-domain Active Directory forest and report on any weaknesses it finds.