The SolarWinds hack is so complex and expansive that it’s even challenging to summarize. The Cybersecurity and Infrastructure Security Agency (CISA) reports an advanced persistent threat (APT) actor compromised government agencies, infrastructure and private companies in March 2020 and possibly earlier. The CISA alert on the attack states: “This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
One of the targets of the attack is the SolarWinds Orion platform, a tool used to monitor on-premises and cloud solutions that often holds administrative privileges on its users’ systems. The attack, sometimes referred to as Solorigate, delivered the Sunburst malware, which was inserted into Orion builds using Sunspot.
Although SolarWinds’ name has become associated with the attack, CISA points out that some victims did not use Orion at all, and others used Orion but show no evidence that their Orion installation was exploited. Security Week reports that the attackers went after specific government agencies and high-profile companies with a different strategy, delivering Teardrop malware for the purpose of deploying a version of Cobalt Strike’s Beacon payload.
As the investigation continued, Symantec found an additional piece of malware used in the attack: Raindrop (Backdoor.Raindrop), similar to Teardrop but used for spreading across victims’ networks where at least one computer had been infected by Sunburst.
In testimony to the U.S. Senate on Feb. 23, 2021, executives from tech companies impacted by the attack shared information, at least what’s known so far. Microsoft president Brad Smith commented that researchers at his company believe at least 1,000 engineers were involved in the attack, which impacted at least nine government agencies and 100 private companies, many of them tech companies with access to numerous user systems.
Are You a Victim of the SolarWinds Hack?
Since the December 2020 announcement of the SolarWinds hack, investigators have uncovered information that can help you determine whether your business and your customers are among the growing number of victims. You can start by checking which Orion versions are affected and applying the available vulnerability mitigations.
The next step is to take cybersecurity more seriously. Regardless of whether you determine your systems were compromised, the SolarWinds hack should mark a pivotal moment in your organization’s approach to defending your infrastructure, systems, and data.
In addition to installing security solutions that provide protection across all code, coding tools, email, cloud applications, endpoints, identities, and more, you should adopt a zero trust architecture. With zero trust, you don’t put all of your faith in technologies. Instead, your systems trust no user by default and require each one to verify their identity and prove they are authorized for the network, application or data they are trying to reach.
Furthermore, you need to insist on verification every time. Then a hacker posing as an employee after stealing that employee’s login credentials—or a nation-state actor trying to capitalize after compromising a vendor’s system—couldn’t access your systems, because they couldn’t prove they were an authorized user. Impersonating a legitimate user becomes much harder if you require multifactor authentication, which can include the device used, time-sensitive credentials, biometric or behavioral authentication, or other verification methods before approving access.
Are You Finished Being a Victim?
You’ve heard for years that cyberattacks were growing more sophisticated and larger in scope. If you doubted that fact, the SolarWinds hack should be proof enough it’s true, especially if it impacted your business or hit too close to home.
Refresh your risk assessment, paying close attention to vendors and service providers you use, consider zero-trust policies, and take any other necessary steps to minimize the chances your business will be a victim in the future.