
The SolarWinds breach and third-party vendor security

This past December, it was discovered that many Fortune 500 companies and U.S. government agencies had been hacked by a Russia-based attacker. The breach seems to have begun last spring—and to have gone undetected for months. The attacks that have been confirmed involve SolarWinds, a software company that provides system management tools used by the IT teams of hundreds of thousands of companies and organizations, including the U.S. government. The attacks took advantage of a routine SolarWinds update in its popular Orion product, a network management system. 

Essentially, the attackers took control of the controls. According to the New York Times, “the Russians, investigators said, were able to insert counterfeit ‘tokens,’ essentially electronic indicators that provide an assurance to Microsoft, Google or other providers about the identity of the computer system its email systems are talking to.”1 Many experts deem this hack the largest and most sophisticated of its kind in the past five years. While the intent and extent of the breach have not been fully ascertained, the attack underscores the importance of considering third-party risk and embracing strong, proactive security strategies.

In the past I’ve discussed the often-underestimated element of third-party risk and its impact on an organization’s overall cybersecurity posture. Regardless of the strength of internal security practices, policies, and procedures, an organization essentially assumes the risks of its third-party vendors. While it is challenging to accurately identify and mitigate every risk that may exist as a result of entering into a third-party agreement—especially considering the vast amount of data collected by many firms and companies—it is important to manage these risks as effectively as possible. Establishing a responsible party for reviewing contracts and third-party vendor relationships as well as creating a regular auditing schedule can help to address potential threats and enable organizations to better respond to cyber events when they happen. 

Unfortunately, the third party involved in this attack was not made aware of the breach until months after it was initiated. The cyber attackers did their best to go unseen, minimizing their activities to prolong their access to the affected systems, networks, and data. The stealth and sophistication of this attack illustrate an important axiom about cyber risk: The most lethal attacks tend to be those that evade detection for the longest periods of time. And while companies, particularly Microsoft and FireEye, claim to have produced a “kill switch” for the offending malware,2 it’s entirely likely that the attackers have embedded additional backdoors into a very large number of compromised systems. I believe that this attack is one that the U.S. will have to contend with for years to come. 

This attack is distinctive in several ways, making its true impact difficult to quantify. First, the attackers were able to bypass security sandboxing (a mechanism that runs potential sources of malware in isolation so they can be observed safely) by delaying the execution of the malware once it was installed. According to FireEye, “The sample only executes if the filesystem write time of the assembly is at least 12 to 14 days prior to the current time; the exact threshold is selected randomly from an interval.”3 Second, in addition to delaying execution, the malware would also attempt to determine the IP address of the infected system prior to execution. If it was Microsoft-owned or linked to a Microsoft-owned network, the malware would not execute. This further demonstrates the attackers’ intent to evade identification for as long as possible.
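The write-time half of that two-stage gate is simple enough to model, and doing so shows why a short-lived sandbox run never sees the payload. The following is an added example written for this column, not code from the article or from FireEye: it measures a file's write-time age the way the quoted check does, and demonstrates the analysis-harness counter of backdating a sample's timestamp before detonation so a dormancy-gated sample executes inside the sandbox. The backdating step, the function names, and the placeholder file are assumptions of this example; the threshold value is whatever the analyst passes in, since FireEye reports it is drawn randomly from 12 to 14 days.

```python
"""Added example (not from the article or from FireEye): models the
write-time dormancy check quoted in the column and the analysis-harness
counter to it. All file contents here are constructed placeholders."""
import os
import tempfile
import time
from typing import Optional

SECONDS_PER_DAY = 86400


def assembly_write_age_days(path: str, now: Optional[float] = None) -> float:
    """Age of a file in days, measured from its last-write (mtime) timestamp."""
    if now is None:
        now = time.time()
    return (now - os.path.getmtime(path)) / SECONDS_PER_DAY


def dormancy_gate_open(age_days: float, threshold_days: float) -> bool:
    """The check described in the FireEye quote: proceed only once the
    assembly's write time is at least `threshold_days` in the past.
    A sandbox that detonates a sample minutes after it lands never
    satisfies this, so the payload stays dormant during analysis."""
    return age_days >= threshold_days


def backdate_for_detonation(path: str, days: float) -> None:
    """Analysis-harness counter (an assumption of this example, not something
    the article states): push the file's atime/mtime back so a dormancy-gated
    sample sees an 'old' install and runs inside the sandbox instead of
    waiting out the clock."""
    past = time.time() - days * SECONDS_PER_DAY
    os.utime(path, (past, past))


def demo(threshold_days: float = 14, backdate_days: float = 15) -> dict:
    """Constructed scenario: a freshly written placeholder file, checked
    against the gate before and after backdating its timestamp."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".dll") as f:
        f.write(b"constructed placeholder bytes, not a real assembly")
        path = f.name
    try:
        fresh_age = assembly_write_age_days(path)
        fresh_gate = dormancy_gate_open(fresh_age, threshold_days)
        backdate_for_detonation(path, backdate_days)
        aged_age = assembly_write_age_days(path)
        aged_gate = dormancy_gate_open(aged_age, threshold_days)
    finally:
        os.remove(path)
    return {
        "fresh_age_days": fresh_age,
        "fresh_gate": fresh_gate,   # False: a minutes-old file never passes
        "aged_age_days": aged_age,
        "aged_gate": aged_gate,     # True: backdated past the threshold
    }


if __name__ == "__main__":
    print(demo())
```

The point for a defender is the asymmetry: the sample's gate costs the attacker nothing, while an analysis pipeline that detonates each sample once, promptly, will report it clean. Harnesses therefore either backdate timestamps as above, advance the system clock, or hold samples for a second run days later.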

For purposes of mitigation, I believe it is best for an organization to assume it has been compromised if it is currently deploying, or has recently deployed, Orion. It is also important to assess any vulnerabilities in other network management systems, especially given the prevalence of verbose logging (the detailed logging of network traffic) and the prioritization of data availability over security. For the legal community, accounting for third-party risks is an essential component of a strong cybersecurity posture. Utilizing third-party services is largely unavoidable, and supply chain compromises are very difficult to control, but it is critical to identify and manage these risks to the best of your firm’s ability. The better you know your third-party vendors’ approach to security, the better you are able to holistically assess and improve your own security posture. The SolarWinds episode is also a reminder to actively scan your network for threats and conduct regularly scheduled security assessments. 


MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 matters. He is a member of the MN Lawyers Professional Responsibility Board.  


Notes

1 https://www.nytimes.com/2020/12/13/us/politics/russian-hackers-us-government-treasury-commerce.html

2 https://cisomag.eccouncil.org/sunburst-malware-kill-switch/

3 https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html