Atlantic.Net is providing this security advisory as a news item; we want to reassure our customers that Atlantic.Net does not use any SolarWinds products internally or in any of our service offerings.
Businesses, organizations, and government institutions are reeling from the fallout of the SolarWinds hack. The story of this far-reaching security breach broke around the 14th of December 2020, and even now we do not know the full impact of the incident. Every day we learn more of the extent of this unprecedented supply chain cyberattack.
What we do know is that in March 2020, hackers breached SolarWinds’ computer infrastructure and gained control of the SolarWinds content management servers. In April 2020, the bad actors embedded sophisticated malware inside ‘genuine’ digitally signed SolarWinds updates.
The affected updates were the automated updates that client computers look up when downloading security patches and hotfixes for SolarWinds’ Orion applications. This widely trusted software update practice is used by countless tech companies around the globe.
For the SolarWinds customers that downloaded and installed the poisoned update, the hackers used the compromised update to inject a malware payload called SUNBURST into compromised customer servers. The malware apparently stayed dormant for about 2 weeks, likely to evade detection, before being activated by a command and control site (C2) using subdomains gathered by the malware.
Security experts believe the malware lay dormant from April until July 2020, hiding in plain sight, and many believe this period was used for target reconnaissance by the threat actors to identify the highest value targets. While we don’t know what data was compromised, we do know Office 365 data is likely to have been breached, potentially from OneDrive, Word documents, SharePoint sites, and so on.
The list of high-profile victims grows daily. Some of the biggest names in technology and government are known to have been breached. Many security experts speculate that the attack was orchestrated by Russia, a view supported by a joint statement released by the FBI, CISA, ODNI, and NSA claiming that the bad actors were likely Russian.
The CISA was so concerned by the breach that on the 14th of December, it ordered all nonmilitary government systems that were running the SolarWinds Orion software to be shut down and disconnected from the network.
What Is a Supply Chain Attack?
A Supply Chain Attack is a security incident that occurs when a malicious actor infiltrates a target’s system by exploiting an outside partner or service provider to gain unauthorized access to the systems and data files of the target.
Global businesses are more connected now than ever in history. Cloud computing and the Internet have provided the tools to allow businesses to share large amounts of confidential business data quickly. As a normal practice, businesses buy software and hardware from one another to improve their own offerings to their customers. In this supply chain attack, businesses, global organizations, and US government institutions purchased the SolarWinds Orion Network Management System to gain insights about their networks.
The real victims of the hack are not SolarWinds, but the 18,000 customers who never expected to be victims of a sophisticated hack that they had no control over, a hack that may turn out to be the biggest cyberattack in history, and an attack that may lead to dramatic changes in cybersecurity.
A supply chain attack blows cybersecurity controls wide open. The victims were following cybersecurity best practices by ensuring that their platforms were updated to the latest release; they did not know that their technology provider, SolarWinds, had been infiltrated by suspected Russian hacking squads that had poisoned updates to infect the entire supply chain.
Who Was Targeted in the Supply Chain Attack?
Our picture of this hack is changing all the time as the story unfolds, and we may not know the full extent of the hack for many months to come. But we do know that the US government has been significantly impacted. There are reports that the US Treasury, the US Department of State, the CISA, and the DOE were targeted.
While the exact details are not known, one theory is that each government office used Office 365 and Exchange for email and that the shared keys for Azure Active Directory were compromised, potentially allowing the attackers to masquerade as genuine users to access email systems and document libraries.
This theory is supported by statements released by the Department of Justice that “this activity involved access to the Department’s Microsoft O365 email environment” and “the number of potentially accessed O365 mailboxes appears limited to around 3 percent and we have no indication that any classified systems were impacted.”
Of the many tech giants targeted, we know that among the victims were networking powerhouse Cisco Systems, CPU manufacturer Intel, GPU maker Nvidia Corp., and the tech heavyweights VMware, Microsoft and Belkin. Doubtless many more companies have been impacted, but it will be weeks or months until the full picture is known.
If your business is concerned about cybersecurity, please feel welcome to reach out to Atlantic.Net. We are specialists in Managed Services, Cloud Hosting, and HIPAA compliance. The security of our infrastructure is of paramount importance, and we work hard to ensure we have the best security processes in place.
This cyberattack will go down in history as one of the worst, and we feel concerned for our friends in the industry that might be affected by this. The clients of SolarWinds have done nothing wrong; they purchased an industry-leading server management suite from a reputable business, and now, due to unknown security incompetence, each customer has been put at risk through no fault of their own. Get in touch today.