The years of 2020 and 2021 were epic years in cybersecurity for all the wrong reasons. The Kaseya VSA breach impacted millions of endpoints in less than 3 seconds. A zero day vulnerability was discovered in Microsoft Exchange that China promptly used in a “hack the world” nation state attack that hit 250,000+ servers globally. And a group of hackers created havoc by shutting down an oil pipeline and leaving much of the east coast of the US without gasoline.
Any one of these events is paradigm-shattering on their own, but they pale next to the SolarWinds Orion breach. This event is mind blowing on top of mind blowing, but if there is one thing to really try and get your head around it’s that up to 18,000 businesses and agencies like the Department of Defense, the Pentagon, the Department of Homeland Security, the State Department, NASA, the Department of Energy, the U.S. Treasury, Microsoft, Intel, Cisco, Mastercard and Visa were openly breached for up to 3 years or possibly longer, and not only did they not know it, they never found it. They were told they had been breached when it was discovered by a cybersecurity firm. These are supposedly the most secure and technologically advanced environments on the planet with plenty of resources for cybersecurity, but the bad guys were stealing everything, undetected, for a long time.
When interviewing experts involved in the forensics project to analyze this event, some of the quotes were:
- Microsoft President Brad Smith – “…this is the largest and most sophisticated attack the world has ever seen.” He added that there were “certainly more than 1,000” engineers involved in the attack.
- Tim Brown, Vice President of Security at SolarWinds – “It’s really your worst nightmare, You feel a kind of horror.”
- Adam Meyers, VP of Threat Intelligence at CrowdStrike and lead cyber forensics investigator – “The tradecraft was phenomenal.”The code was elegant and innovative. This was the craziest f***ing thing I’d ever seen.”
- Alex Stamos, Director of the Internet Observatory at Stanford University – “It’s one of the most effective cyber-espionage campaigns of all time. This certainly is going to change the way that large enterprises think about the software they install and think about how they handle updates.”
10 Things You Should Know:
I studied the SolarWinds Orion breach as it was happening and wrote many blog posts as the event unfolded, but I wanted to summarize the key lessons learned that everyone should know:
- The largest and most advanced networks in the world were breached for years and didn’t know it, they were told about it.
- FireEye, a company with around 3200 employees discovered the breach and notified SolarWinds.
- FireEye found the breach because they used Multi-Factor Authentication. You should be using MFA for all of your desktops, servers, administrative accounts, public facing services and cloud based services now.
- All of these environments were breached because they used the same tool to run their networks, SolarWinds Orion, which was used as the malicious payload delivery mechanism.
- The malicious code was delivered in a software update to Orion customers who were told “This release includes bug fixes, increased stability and performance improvements.”
- It was a small piece of code just 3500 lines long.
- They covered their tracks to remain invisible. Adam Meyers lead investigator said “They’d washed the code, They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.” Holy s***, he thought to himself, who does that?
- The hackers tested their tools and process by doing “dry runs”
- The processes and technology used to inject malicious code into the Orion update could be used to infect any software application.
- There were early warnings that a weak and public password, “solarwinds123” was the original entry point.
Also, who knew that Microsoft used someone else’s software to run their networks? I sort of figured they would have that handled, but apparently SolarWinds Orion is that awesome.
What Can You Do To Protect Your Business?
Contact us today at Rocky Mountain Cybersecurity so we can show you how to manage the risk in your software supply chain!
(C) Copyright Rocky Mountain Cybersecurity 2022, All Rights Reserved