The SolarWinds Hack
By
Hubert Yoshida
posted
03-05-2021 18:34
In January, the United States went through a tremendous time of upheaval, with the soaring number of deaths from the pandemic, political unrest, and racial discord. While all this was happening, we learned that the United States had suffered the greatest cyberattack in history, one that had been going on for nearly a year and whose full effects are not yet understood.
A group of hackers, likely working for a foreign government, had gotten into a network management company called SolarWinds and from there infiltrated its customers’ networks. This access was then used to breach everything from Microsoft to US government agencies, including the US Treasury and the departments of Homeland Security, State, Defense, and Commerce. SolarWinds sells a network management software product that sits on your network, tells you how things are working and helps the network run smoothly. It is used by a large percentage of the biggest companies and the biggest government agencies in the United States.
Somehow the attackers got into SolarWinds’ code-building environment, where they inserted a backdoor into the Orion network management software through a maintenance update. They did it in such a way that the malicious code was added only at the last minute, while the code was being compiled, so it was almost impossible to find in the source. Once it was in there, anybody who downloaded either of at least two recent Orion updates downloaded the backdoor with it. Once inside, the attackers could connect to the backdoor and deploy additional code for further exploitation. The hacked code was downloaded by 18,000 users, and at least 50 important customers, including the U.S. State Department, Homeland Security, Treasury and other major parts of the government, were exposed.
This is known as a supply chain attack: someone infiltrates your system through an outside provider who has access to your system and/or data. In this case the outside provider was SolarWinds, and SolarWinds itself may have been infiltrated through one of its own outside providers. Today, with DevOps and open source, the opportunity for supply chain attacks has increased. Providers of outside code are now having to provide digital certificates to authenticate their code.
Although the government and cyber-sophisticated companies like Microsoft and Cisco had extensive cyber detection tools, the SolarWinds hack went undetected for more than a year. (It didn’t help that the U.S. cyber security chief, Christopher Krebs, was fired during the U.S. elections in November.) FireEye, a cyber security company, was the first to detect the hack. It noticed that one of its employees had two phone numbers registered for two-factor authentication, in which an employee is called back on his cell phone to authenticate his access. When the employee responded that he had only registered one phone number, FireEye was alerted. They could have passed this off as a false positive, but to their credit they treated it as a serious breach and dug into the code, tearing it apart, until they found the hacked code in SolarWinds’ Orion network software.
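To show what "authenticating third-party code with a digital certificate" looks like on the receiving end, here is an added example, not code from the original post or from SolarWinds: a customer-side gate that refuses an update unless a signed file manifest verifies under a vendor public key pinned out of band, and every delivered file matches its listed digest. The manifest format, file names and key pair are constructed for the example. The same gate is the concrete form of the later advice to require checks before patches are applied.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Manifest describes one vendor update: a version and the SHA-256 digest of
// every shipped file. This format is constructed for the example.
type Manifest struct {
	Version string
	Files   map[string]string // file path -> hex SHA-256 of its content
}

// canonical renders the manifest deterministically (sorted paths) so the bytes
// the vendor signs are byte-for-byte the bytes the customer verifies.
func (m Manifest) canonical() []byte {
	paths := make([]string, 0, len(m.Files))
	for p := range m.Files {
		paths = append(paths, p)
	}
	sort.Strings(paths)
	var b strings.Builder
	fmt.Fprintf(&b, "version=%s\n", m.Version)
	for _, p := range paths {
		fmt.Fprintf(&b, "%s=%s\n", p, m.Files[p])
	}
	return []byte(b.String())
}

// Digest returns the hex SHA-256 of a file's content.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// BuildManifest is the vendor-side step: hash every file in the release.
func BuildManifest(version string, files map[string][]byte) Manifest {
	m := Manifest{Version: version, Files: make(map[string]string, len(files))}
	for path, content := range files {
		m.Files[path] = Digest(content)
	}
	return m
}

// SignManifest is the vendor-side signing step with the vendor's private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.canonical())
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify under the pinned vendor key")
	ErrUnlistedFile   = errors.New("update contains a file the signed manifest does not list")
	ErrDigestMismatch = errors.New("file content does not match the digest in the signed manifest")
)

// VerifyUpdate is the customer-side gate a patch pipeline runs before it
// installs anything. Any failure rejects the whole update.
func VerifyUpdate(pub ed25519.PublicKey, m Manifest, sig []byte, files map[string][]byte) error {
	if !ed25519.Verify(pub, m.canonical(), sig) {
		return ErrBadSignature
	}
	for path, content := range files {
		want, ok := m.Files[path]
		if !ok {
			return fmt.Errorf("%w: %s", ErrUnlistedFile, path)
		}
		if Digest(content) != want {
			return fmt.Errorf("%w: %s", ErrDigestMismatch, path)
		}
	}
	return nil
}

func main() {
	// Constructed sample release; this key pair stands in for the vendor's.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	files := map[string][]byte{
		"bin/agent.dll":     []byte("legitimate build output"),
		"config/agent.conf": []byte("poll_interval=60\n"),
	}
	manifest := BuildManifest("2021.1", files)
	sig := SignManifest(priv, manifest)
	fmt.Println("clean update:", VerifyUpdate(pub, manifest, sig, files))

	// A file altered after signing fails its digest check.
	tampered := map[string][]byte{
		"bin/agent.dll":     []byte("legitimate build output plus something else"),
		"config/agent.conf": files["config/agent.conf"],
	}
	fmt.Println("tampered file:", VerifyUpdate(pub, manifest, sig, tampered))

	// A manifest signed by any key other than the pinned one is rejected outright.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong signer:", VerifyUpdate(pub, manifest, SignManifest(otherPriv, manifest), files))
}
```

The caveat a practitioner should keep in mind is what this gate does and does not prove: it proves the vendor signed exactly these bytes, so nothing was altered in transit or on a mirror. It cannot tell you that the vendor's build was clean, which is why the build environment itself, not only the download, has to be protected.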
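The FireEye signal described above, an MFA device the employee never registered, is something an identity team can look for systematically rather than by luck. The following is an added example, not code from the original post or from FireEye: it parses constructed audit lines in a hypothetical "key=value" format, compares each MFA enrollment against what the user attests to, and also flags any account with more than one enrolled device. It generalizes the phone-number case to any device type, since the check does not care what kind of factor was added.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Enrollment is one MFA device registration event taken from an identity
// provider's audit log. The log format below is constructed for this example.
type Enrollment struct {
	Time   string
	User   string
	Device string
}

// SampleLog is constructed audit data: three enrollments plus one unrelated
// login event, in the hypothetical format this example parses.
const SampleLog = `2021-11-30T08:01:12Z user=jdoe event=mfa_device_added device=phone:+1-555-0100
2021-12-01T10:22:40Z user=jdoe event=login_success device=phone:+1-555-0100
2021-12-02T22:47:55Z user=jdoe event=mfa_device_added device=phone:+1-555-0199
2021-12-03T09:15:00Z user=asmith event=mfa_device_added device=phone:+1-555-0142`

// Baseline is what each user attests to having registered (constructed).
var Baseline = map[string][]string{
	"jdoe":   {"phone:+1-555-0100"},
	"asmith": {"phone:+1-555-0142"},
}

var enrollLine = regexp.MustCompile(`^(\S+) user=(\S+) event=mfa_device_added device=(\S+)$`)

// ParseEnrollments keeps only device-added events; every other line is skipped.
func ParseEnrollments(log string) []Enrollment {
	var out []Enrollment
	for _, line := range strings.Split(log, "\n") {
		m := enrollLine.FindStringSubmatch(strings.TrimSpace(line))
		if m == nil {
			continue
		}
		out = append(out, Enrollment{Time: m[1], User: m[2], Device: m[3]})
	}
	return out
}

// UnexpectedEnrollments returns every enrollment whose device the user did not
// attest to: a second phone the employee says he never registered.
func UnexpectedEnrollments(events []Enrollment, baseline map[string][]string) []Enrollment {
	var alerts []Enrollment
	for _, e := range events {
		known := false
		for _, d := range baseline[e.User] {
			if d == e.Device {
				known = true
				break
			}
		}
		if !known {
			alerts = append(alerts, e)
		}
	}
	return alerts
}

// UsersWithMultipleDevices is the cheaper check that needs no attestation:
// any account with more than one enrolled device is worth a confirmation call.
func UsersWithMultipleDevices(events []Enrollment) []string {
	devices := map[string]map[string]bool{}
	for _, e := range events {
		if devices[e.User] == nil {
			devices[e.User] = map[string]bool{}
		}
		devices[e.User][e.Device] = true
	}
	var users []string
	for u, ds := range devices {
		if len(ds) > 1 {
			users = append(users, u)
		}
	}
	sort.Strings(users)
	return users
}

func main() {
	events := ParseEnrollments(SampleLog)
	for _, a := range UnexpectedEnrollments(events, Baseline) {
		fmt.Printf("ALERT %s: %s enrolled unattested device %s\n", a.Time, a.User, a.Device)
	}
	fmt.Println("accounts with more than one device:", UsersWithMultipleDevices(events))
}
```

The attestation baseline is the expensive part: it has to come from the user through a channel the attacker does not control, which is exactly the call FireEye made to its employee. The multiple-device check is a cheap first filter that decides who to call.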
How was SolarWinds, a security company, hacked in the first place? There are some reports that it was due to a weak password that was used by a SolarWinds intern and posted on his GitHub. This password was identified as “solarwinds123”. I find this hard to believe since this violates all the basic rules for passwords and should have been rejected by the system. Also, most systems today use two-factor authentication, which was how this was detected by FireEye.
SolarWinds has responded with a Security Advisory listing which modules are affected and what action should be taken. However, this is like closing the barn door after the horses are gone. We don’t know what secondary code was injected without tearing the whole network apart and starting from scratch.
So far, the effects have been about espionage, the loss of secrets, and knowledge of source code that could be exploited in the future. No one has died and no infrastructure has been destroyed – yet, although that could easily be done with the addition of a few lines of code. The NotPetya cyberattacks on Ukraine in 2017 are a good example of how physically destructive these types of attack can be, with power shut off and banking systems not working.
Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technology, has taken the lead on this investigation and said the US intelligence community is still looking at who is responsible. President Joe Biden’s administration is expected to respond in the coming weeks. Assessing what was hacked will take months and may never be fully determined.
There are several things we need to consider based on what we know so far:
Two-factor authentication should be implemented along with passwords, and the use of strong passwords should be enforced.
Supply chain hacks are increasing, and measures must be taken to authenticate third-party code. CSO Online published a blog on some ways to guard against supply chain attacks.
Supply chain attacks are likely to occur in widely used software, since that affects more users.
Avoid automating updates to sensitive code. A patch management system should require third-party risk testing, or have some standards that vendors need to comply with.
CSO Online also suggests that this is the time to double down on “Least Privilege”. The principle of least privilege is the idea that any user, program, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database doesn’t need admin rights. Edward Snowden was able to leak millions of NSA files because he had admin privileges, though his highest-level task was creating database backups.
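The least-privilege point above has a practical follow-up: comparing what an account is allowed to do against what it actually does, so that rights it never uses can be revoked. The following is an added example, not code from the original post or from CSO Online. The grant table and audit entries are constructed; the "backup_admin" account mirrors the Snowden case of an account that only ever runs backups but holds admin rights.

```go
package main

import (
	"fmt"
	"sort"
)

// Use is one observed action by a principal, e.g. one row of a database audit log.
type Use struct {
	Principal string
	Action    string
}

// Grants maps each principal to the actions it is allowed. Constructed sample:
// the report account holds only the one right it needs, while the backup
// account was handed broad rights "just in case".
var Grants = map[string][]string{
	"report_puller": {"db:select"},
	"backup_admin":  {"db:select", "db:backup", "db:admin", "os:root"},
}

// Observed is constructed audit data: what each account actually did.
var Observed = []Use{
	{"report_puller", "db:select"},
	{"backup_admin", "db:backup"},
	{"backup_admin", "db:backup"},
}

// Authorized is deny-by-default: an action is allowed only if explicitly granted.
func Authorized(grants map[string][]string, principal, action string) bool {
	for _, a := range grants[principal] {
		if a == action {
			return true
		}
	}
	return false
}

// UnusedGrants returns, per principal, the granted actions never seen in the
// audit log. These are the candidates to revoke when right-sizing privileges.
func UnusedGrants(grants map[string][]string, observed []Use) map[string][]string {
	used := map[string]map[string]bool{}
	for _, u := range observed {
		if used[u.Principal] == nil {
			used[u.Principal] = map[string]bool{}
		}
		used[u.Principal][u.Action] = true
	}
	out := map[string][]string{}
	for p, actions := range grants {
		var unused []string
		for _, a := range actions {
			if !used[p][a] {
				unused = append(unused, a)
			}
		}
		sort.Strings(unused)
		if len(unused) > 0 {
			out[p] = unused
		}
	}
	return out
}

// UnauthorizedUses returns observed actions that no grant allows: either the
// audit trail disagrees with the grant table or a privilege was escalated.
func UnauthorizedUses(grants map[string][]string, observed []Use) []Use {
	var bad []Use
	for _, u := range observed {
		if !Authorized(grants, u.Principal, u.Action) {
			bad = append(bad, u)
		}
	}
	return bad
}

func main() {
	fmt.Println("report_puller may db:admin:", Authorized(Grants, "report_puller", "db:admin"))
	for p, unused := range UnusedGrants(Grants, Observed) {
		fmt.Printf("%s holds rights it never used: %v\n", p, unused)
	}
	fmt.Println("uses with no matching grant:", UnauthorizedUses(Grants, Observed))
}
```

Revoking every unused right mechanically can break a rarely-run task, so the output is a review list, not an automatic action; the audit window has to be long enough to cover quarterly or yearly jobs.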
For a quick overview of supply chain attacks, see Supply Chain Attack on Wikipedia.
#Blog
#Hu'sPlace
Comments
Chayan Sarkar
05-02-2022 02:06
Great write-up
Dipta Kundu
04-27-2022 02:48
Great Post