SolarWinds - An epic hack exposed our national cybersecurity vulnerabilities - By Scott Tilley
By Scott Tilley - ASCF Senior Fellow
February 2021
In my January 2021 “Technical Power” column, I discussed three topics of interest that could affect our national security more than any other year so far: cybersecurity, supply chains, and biomedical engineering. At the start of the COVID-19 pandemic, we experienced severe supply chain issues for items such as personal protective equipment (PPE). Several countries are still struggling with vaccine supply chains. More recently, many industry sectors (e.g., automotive) have been negatively affected by supply chain shortages related to semiconductors.
Unfortunately, we’ve already experienced the deleterious consequences of cybersecurity shortcomings on a grand scale. Ironically, this breach also involved supply chains – but the “supplies” are software products. I’m talking about the epic hack of SolarWinds.
SolarWinds is an Austin, Texas-based company that makes software products to help large-scale enterprises manage their computer networks. One of their products is called Orion, which the SolarWinds website describes as “a powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid, and software as a service (SaaS) environments.” Orion is reportedly used by over 18,000 customers, including numerous U.S. federal government agencies such as the Department of Justice, the State Department, the Treasury, and Homeland Security.
The Orion platform was hacked in March 2020. The hack was discovered by a leading cybersecurity firm called FireEye, which was investigating a breach of their own systems. They used Orion too. FireEye notified SolarWinds and the authorities, which led experts from Carnegie Mellon University’s Software Engineering Institute to become involved through their Community Emergency Response Team (CERT) and other cybersecurity divisions.
The hack was only discovered in December, which means the culprits behind the hack had access to Orion’s internal data for nearly ten months. In fact, the damage caused by the hack continues to this day, almost a year later. But it’s the scale of the attack that’s breathtaking: SolarWinds was hacked, but all 18,000 of their customers were made vulnerable.
This hack was a combination of a malware attack and a remote access trojan (RAT) attack. A malware attack is where malicious code is inserted into a program. A trojan is like a software version of the old Trojan Horse, where hackers can enter a computer network from anywhere on the globe. SolarWinds is also an advanced persistent threat (APT) attack, in which intruders illicitly gain access to a network and maintain a long-term presence undetected. CBS called SolarWinds “the most sophisticated cybersecurity attack in American history.”
The attack falls under the broad category of supply chain attacks because the hackers targeted one company to gain access to other companies that use the compromised company’s products – companies that are farther down the supply chain. The attackers gained access to the SolarWinds update server and inserted their malicious code. When a customer installed an updated version of Orion, they became unknowingly infected. In a sense, this was an attack on trust.
It took incredible expertise, patience, and advanced software tools to implement this attack. Most experts believe the SolarWinds hack was the result of many cybersecurity professionals working for a nation-state. In particular, Russia’s Foreign Intelligence Service (SVR) has been named as the likely culprit, although the relevant authorities have provided no public evidence.
One might credibly ask why the federal government didn’t detect the SolarWinds hack since they have tools in place to detect cybersecurity intrusions. For example, the government’s Cybersecurity and Infrastructure Security Agency (CISA) relies on the EINSTEIN system to help other agencies manage their cyber risk. The problem is that most of these tools, including EINSTEIN, can only identify known threats. The SolarWinds hack was novel, so no automated program could detect it. (There are some intrusion detection systems that use artificial intelligence to detect unknown threats as they occur, but these are not yet widely deployed.)
Today’s software systems don’t operate independently; they are tightly integrated with other software components and use networks to provide and access services to other systems. They are incredibly complicated, making it virtually impossible for any person (or team) to fully understand how the system truly works. The Orion breach was actually in the build process, where automated programs “build” or put together the final system, which can be composed of tens of thousands of files. Think of the build process as somewhat like a robotic assembly line. Guarding against such attacks is particularly challenging.
Congress is currently holding hearings on the SolarWinds hack. There is no doubt there’s an urgent need for the entire country to devote more effort to securing our national infrastructure, and increasingly, that means securing our networked computer systems. If we don’t make progress on this, future hacks could be much worse. This time, the attackers seemed satisfied to gather intelligence and send themselves reports of network activity where Orion was installed. They could just as easily deleted files, corrupted systems, and caused a national catastrophe.
– END –
Photo credit