The attack on SolarWinds seems to be pretty bad so far.
The Supernova attack on SolarWinds has forced the company to tighten its security; find out what happened!
SolarWinds has suffered a large-scale attack that has put several giants of the IT and software industry on the spot. The company's name is perhaps unknown, or lost among those of the largest software vendors in the world, yet it works with many major companies, including U.S. government agencies. The true magnitude of the attack is unknown; many companies have been confirmed as victims to date and there may be more. If anything, it could have been much worse.
So let’s start from the beginning…
What is SolarWinds and how did this attack happen?
You probably don't know who we're talking about yet, so we should start with the identity of this company and its role within the IT sector. When we talk about software or information technology companies, names like Microsoft, IBM or EMC come to mind; however, there are organizations that are "hidden" or not very visible to non-professional eyes but still belong on this list of large companies, and SolarWinds is one of them.
It is a company dedicated to providing business software, and it draws attention because it has a huge number of important customers, including the United States government, Nestle, Ford and even Microsoft itself.
As for what happened: it began with the exploitation of a vulnerability found in the "Orion" program, a system that manages the networks and operating systems of the companies that run it. The attackers implanted malware on a large scale, disguised it as an update, and delivered it to all customers, who accepted it without suspicion because it looked like a routine system update; in this way it spread.
So, how did it happen?
The attack was of the supply chain type: a kind of cyber-attack that seeks to compromise the weakest element of the distribution network and use it as a Trojan horse. Through these attacks, third-party software is exploited in order to compromise an end target.
In this specific case, the aim is to attack the ASUS utility to distribute the malware and reach an end target, rather than, for example, attacking the operating system directly. The hijacking of software updates is one of the most common ways of attacking the supply chain, as occurred in this case with SolarWinds.
SolarWinds does not know the total number of victims, but because they were infected through a fake Orion program update, it is likely that more than 18,000 customers have fallen victim to this attack (the number estimated so far). Some of the customers affected by this malware were the Departments of Treasury and Commerce, the United States Department of Security, Microsoft, Cisco, Intel and Check Point, among many other high-caliber companies.
There is also a record of a second attack, of lesser intensity, and it is not known whether it is related to the first. This second attack was less sophisticated: it turned out to be malware imitating SolarWinds' Orion system, but it did not carry the company's signature, so it was discovered faster than the first one.
Who are the culprits and what was the target of the attack?
We do not know the real specific motives, or the real target, of the criminals who carried out this attack. According to a Microsoft representative, the attack could have been directed at the United States government. Keith Alexander, who formerly oversaw United States Cyber Command and other organizations, said it is likely that the cyber-attack was sponsored by the Russian government, more specifically by the SVR. However, the Russian government has denied any involvement in the event, and was backed up in this by former US President Donald Trump.
Trump, along with other leaders, suggested that the real culprits could have come from China or elsewhere. Similarly, the well-known newspaper "The Washington Post" had its own speculations, pointing to the same groups that hacked into the Democratic servers during the 2016 presidential election and carried out the attacks on the White House and the State Department during the Obama presidency.
Other institutions argue that the objective of this attack was not to disable the victims' systems but to spy on them and gather information. The CEO of FireEye supports this claim, pointing out that although the hackers were able to access internal systems, his company has seen no evidence that they deleted data from the systems that store customer information. The question remains as to why they stole the company's tools if FireEye was in fact a collateral victim and the attackers wanted to go unnoticed, but it is possible that they simply took the opportunity to try to open more doors and use the information gathered to mount other, more powerful attacks.
What will happen from now on?
SolarWinds announced on December 14th and 15th that it would be releasing security updates, some of them directed at the Orion platform, to prevent future hacks of that platform. Beyond these actions, it is still difficult to know what awaits SolarWinds and its customers, because the reasons for this attack and its scope, as well as who was responsible for it, are still being investigated.
The United States government is attempting, to the best of its ability, to develop strategies for early detection of these attacks, and thus to be able to defend against future ones. For its part, SolarWinds has offered free consulting services to customers who run the Orion system, to ensure that companies working to maintain their security can count on the help of expert assistants and resources.