By now, you have probably heard about the massive cyberattack involving SolarWinds that slammed the United States in 2020. What you might not have heard is some of the dramatic but not unjustified comparisons that have been drawn to it: Steven J. Vaughan-Nichols with ZDNet called it the “Pearl Harbor of IT,” and Gilman Louie writing for The Hill called it “a cyber 9/11.”
How could a simple cyber incident possibly be comparable to two of the worst attacks on American soil in history? No one was killed, after all. Isn’t this all just a matter of some “computer people” fighting over some lines of code? Well, no. When you hear some of the details, you will begin to understand why the SolarWinds hack is such a big deal, even if the media is largely focused on other issues of the day. It all comes down to the scale of the attack and the long-lasting implications it will have on cybersecurity in the country.
The SolarWinds Hack: What Happened?
SolarWinds, if you’re unfamiliar, is a major US information technology firm that provides software to government agencies and big corporations. One of its software products, Orion, is used by some 33,000 SolarWinds customers to manage their IT resources.
Sometime between October 2019 and March 2020, Russian hackers successfully compromised Orion. They did so by hacking into a system used to prepare updates for the software. Unbeknownst to SolarWinds or its customers, these hackers uploaded malicious code to otherwise legitimate updates to Orion between March and June 2020, according to the SEC.
Releasing updates to products is nothing new for software providers and developers. They do this to fix bugs, add new features, and patch vulnerabilities. Most customers receiving the updates install them quickly—as they should. A ServiceNow study from 2019 found that a majority of breaches are the result of unapplied security patches.
Between March and June 2020, approximately 18,000 unsuspecting SolarWinds customers installed the tainted updates to Orion, believing them to be routine, beneficial software patches. In reality, the patches left them vulnerable to hackers. The code, when installed, created backdoors to customers’ IT systems, allowing hackers to install even more malware and spyware.
In total, around 250 federal agencies and businesses are believed to have been affected, including:
- The Pentagon (and, by extension, the Department of Defense)
- The Department of Homeland Security
- The State Department
- The National Nuclear Security Administration
- The National Institute of Health
- The Department of the Treasury
- The Department of Commerce
- The Department of Energy
- State and local governments
- Tech companies like Microsoft, Cisco, FireEye, Intel, Nvidia, VMWare, and Belkin
- California Department of State Hospitals
- Kent University
The attack was sophisticated, stealthy, and went undetected for months. According to the Wall Street Journal, some victims may never know if they were hacked or not—a terrifying prospect to say the least. It is also difficult to determine exactly what the hackers made off with. Federal agencies and companies are conducting large–scale investigations to determine, among other things:
- If they hackers are still inside, and if they are, how to remove them
- What was viewed, changed, stolen, deleted, or exploited
- If any of their partners or customers were affected as a result
This last point is particularly scary and helps bring the scale of the attack into focus. Take Microsoft for instance. They are a SolarWinds customer. On December 17, Microsoft acknowledged that it found indications that malware had been uploaded to its systems. According to Reuters, “Microsoft’s own products were then used to further the attacks on others,” though Microsoft denied the claim. Specifically, they wrote in a December 31 blog that they had “found no evidence of access to production services or customer data.”
Despite this, Microsoft acknowledged in the same blog that they detected “unusual activity with a small number of internal accounts” including one which was “used to view source code in a number of source code repositories.” Source code is the secret, proprietary code that makes software products tick. In Microsoft’s case, this means the Windows operating system as well as Office 365 products. There are more than 1 billion devices that use Windows 10, according to Microsoft, and another 1.2 billion use Microsoft Office.
Even assuming that Microsoft is correct and no customer data or products were affected, the underlying idea of continued spread is viable. Once hackers used Orion updates to gain access to SolarWinds customers, they could turn around and do the same thing for that company’s customers (without detection, if they are crafty enough). IT service companies often have broad access to their customers’ networks. It doesn’t take a lot of imagination to see how things could quickly spiral out of control; this one malicious hack spread like wildfire first to SolarWinds’ customers and next to customers of SolarWinds’ customers. This, you’ll remember, includes the federal government.
For their part, SolarWinds and Microsoft have teamed up to contain the spread, with the latter apparently taking control of the hackers’ infrastructure to stop them dead in their tracks. SolarWinds is also cooperating with the FBI, the U.S. intelligence community, and other government agencies, according to the SEC. Though to be fair though, a New York Times report notes that SolarWinds ignored basic security practices and cut costs by moving software development to Eastern Europe.
What Does It All Mean?
In the words of CNN contributors Paul Leblanc and Jeremy Herb, “it is already becoming clear that this marks one of the most significant breaches of the US government in years.” This comment comes despite the fact that we may never know the full extent of this attack. Why? First of all, the scale is massive, making it inherently hard and complex to investigate. Next, there’s the fact that the foreign intelligence personnel who carried out this attack are skilled hackers and “incredibly hard to kick out of networks,” according to cybersecurity expert Dmitri Alperovitch. As mentioned before, there’s also the concern that some victims may never even know if they were hacked or not. Complicating this is the fact that small companies with fewer resources may struggle to tell whether they remain vulnerable.
The Wall Street Journal reports that big companies that keep detailed logs of activity on their systems should be able to tell if backdoors into their networks are used or not. But for others, performing this level of scrutiny “will be a difficult and expensive task that many are likely to ignore,” meaning the hackers could stick around in some networks indefinitely.
In the opinion of Gilman Louie, the SolarWinds hack also exposes our organizational faults. The intelligence functions of the Department of Homeland Security and the FBI “are too small to deal with the growing attacks from nation-state actors, leading to inefficient intelligence enrichment, collaboration and information-sharing,” he writes. His recommendation is to create a National Cyber Protection Center “to improve our ability to fuse and share cyber-related intelligence across the public and private sectors, advise on coordinated responses, and proactively prevent attacks like this from occurring again.”
Other writers also criticize the status quo. Bruce Schneier with CNN argues the U.S. must “prioritize minimum security standards for all software sold in the United States” since, as it stands now, we are too ignorant about the software that runs on our devices, what it’s sending, and where it’s connecting geographically. Without greater regulation and transparency in the software industry, Schneier believes we will continue to jeopardize our personal safety.
Should I Be Worried?
Probably not, but you should be vigilant. Arming yourself with knowledge will help keep you from being surprised the next time a large-scale cyber incident occurs. While you obviously cannot influence huge geopolitical forces, you can stay informed to guide your business through turbulent waters.
Ultimately, what you should be focused on is making the same security steps we’ve been recommending at Machado for some time: following industry best practices, backing up your critical files and systems, enabling two-factor authentication, using strong password habits, and yes, updating and patching regularly.
How can we still be recommending regular updating and patching? After all, wasn’t this whole SolarWinds mess caused by customers downloading tainted updates? A logical conclusion therefore might be, hey, let’s do away with software updates altogether, at least until we can be sure of their integrity. That sounds reasonable, right?
Well no, actually. Here’s why delaying your software updates is not a good idea. As we saw earlier, the majority of breaches in 2019 were the result of unapplied security patches. What’s more, the spike we’re seeing in healthcare ransomware attacks can be partially attributed to poor patching practices. Think of it this way: a piece of software is just a really long, complex piece of code. The developer does their best to think up every edge case the code may encounter and every weird behavior that might result. However, since the code is so complex, software very frequently gets released with issues, issues that get revealed over time. Patches and updates are the developer’s way to fix those issues. The longer a version of software has been out, the more time cyber criminals have had to analyze it and find those issues. When they attempt to hack you, they’ll try to exploit those older vulnerabilities first. If your software is not up to date, then you won’t have the developer’s latest fixes and will be totally exposed.
You can think of the SolarWinds hack as an extreme outlier. In the vast majority of cases, software updates and patches are not only safe but one of the best ways to keep yourself and your business safe online. Delaying updates, even for a little while, is dangerous. The longer you use outdated software, the more opportunities hackers have. Developers eventually drop their support of older software (rest in peace Internet Explorer) once they don’t want to keep updating it any longer. As software matures, more and more issues get exposed. In conclusion, using the developer’s latest release of their in-support software is the best way to fend off cyberattacks.
When Garmin was hacked in July 2020, we had some concrete advise for our readers. Since ransomware was the suspected attack method in that incident, we could tell our readers to back up their important data to the cloud as a means to protect themselves. When Twitter was hacked around the same time, we learned that the company’s people, not its systems, were vulnerable, proving the importance of zero standing privileges. This time around, however, we don’t have so many practical takeaways. The lesson from this massive attack might be that anything can be hacked. When the source of your vulnerability comes from the software developer itself, it is almost impossible to guard against. You should continue to trust software updates from reputable developers. Keep an eye on the news for any security alerts for software you use. An easy way to do this might be to set up Google alerts to your phone. When you hear about a new vulnerability, be sure to have your team install the latest fix from the official developer as soon as possible.
If you could use a hand managing your updates and your cyber infrastructure at large, reach out to us a Machado Consulting here or by phone at (508) 453-4700. We can’t wait to show you what we can do for your business.