Why the SolarWinds hack should concern us all
On Dec. 8, 2020, FireEye CEO Kevin Mandia alerted the information security community about a major state-sponsored breach in FireEye, one of the world’s largest information security providers. A week later, SolarWinds CEO Kevin Thompson released a statement about a compromise in their Orion Monitoring product updates released between March and June 2020. SolarWinds called the attack, also known as Sunburst, “a highly sophisticated, targeted, and manual supply chain attack” used to compromise FireEye and possibly many other organizations.
A “manual supply chain attack,” a term not commonly seen in information security bulletins, refers to the process in which the build system, which is the core of many software development organizations, is compromised. If the build system is compromised, any software released by that system can contain unwanted code.
Apparently, SolarWinds had unknowingly shipped a software update that contained malware. Not just any malware, but a backdoor to the compromised customer network. But since the software was released and signed by SolarWinds for its own product, naturally the majority of platforms trusted this update.
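The point above, that a compromised build system signs whatever it produces, is easy to see in code. The following is an added illustration, not code from SolarWinds or from this article: the vendor's code-signing certificate is modelled as an HMAC key (an assumption for brevity), and the defensive check that a signature alone cannot provide is a comparison against an independent rebuild of the same source (a reproducible-build check). The artifacts and key are constructed sample values.

```python
import hashlib
import hmac

# Constructed stand-in for a code-signing certificate (assumption: an HMAC key
# plays the role of the vendor's signing key so the example runs offline).
VENDOR_SIGNING_KEY = b"vendor-code-signing-key-constructed-sample"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sign_release(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> str:
    """The build system signs whatever it produced. A compromised build
    system signs a tampered artifact with exactly the same key."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str,
                    key: bytes = VENDOR_SIGNING_KEY) -> bool:
    """What anti-malware and update clients normally check: is the release
    signed by the vendor? This says nothing about what the builder compiled."""
    return hmac.compare_digest(sign_release(artifact, key), signature)


def matches_independent_build(artifact: bytes, independent_build: bytes) -> bool:
    """Reproducible-build check: the shipped artifact must hash identically to
    one rebuilt from the same source on a separate, trusted builder."""
    return sha256_hex(artifact) == sha256_hex(independent_build)


def assess_update(artifact: bytes, signature: str, independent_build: bytes) -> dict:
    """Combine both checks; an update is trusted only if both pass."""
    sig_ok = signature_valid(artifact, signature)
    build_ok = matches_independent_build(artifact, independent_build)
    return {
        "signature_valid": sig_ok,
        "matches_independent_build": build_ok,
        "trusted": sig_ok and build_ok,
    }


# Constructed sample artifacts: the tampered one is plain text, not real code.
CLEAN_BUILD = b"monitoring-agent v1.0: legitimate compiled code"
TAMPERED_BUILD = CLEAN_BUILD + b"\n;; unwanted code appended by a compromised builder (constructed)"

# Both are signed by the same build pipeline, so both signatures verify.
CLEAN_SIGNATURE = sign_release(CLEAN_BUILD)
TAMPERED_SIGNATURE = sign_release(TAMPERED_BUILD)

if __name__ == "__main__":
    # The independent rebuild from source yields the clean artifact.
    print(assess_update(CLEAN_BUILD, CLEAN_SIGNATURE, CLEAN_BUILD))
    print(assess_update(TAMPERED_BUILD, TAMPERED_SIGNATURE, CLEAN_BUILD))
```

Run as a script, the second result shows the failure mode the article describes: `signature_valid` is true while `matches_independent_build` is false, so the signature proved who built the artifact but not what went into it.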
Since SolarWinds’ updates were reportedly compromised from March to June 2020, the attackers could have infiltrated the systems in early 2020. That is a lot of time to do a lot of damage.
Worse, SolarWinds is one of the most popular network-monitoring solutions in the market. It has over 18,000 customers, all of whom could have had an open backdoor since March 2020. Even worse, a lot of these customers could be software development companies that also write software that we use, and that could be subject to the same attack.
How far down does this rabbit hole go? Nobody knows. There could be more companies that have been releasing compromised software or companies hosting solutions that could be compromised. Other major software companies could also be infected. Only time will tell, once folks have been given the opportunity to comb through the wreckage. Since the backdoor was quite comprehensive, there are many vectors that need to be checked. So even if you do not use SolarWinds, you must still be on the lookout.
Information security cannot be just about anti-malware or keeping systems up to date. In general, information security should always be applied in layers. Given the sophisticated nature of this attack, normal anti-malware tools could not have detected the bad code, because it was released and signed by a legitimate software supplier.
A behavioral intrusion-detection system could have caught the outbound call-home messages to the command and control (C&C) servers. This kind of attack would also require eagle-eyed security operations personnel, who must now serve as the “watchers of the watcher” to flag that suspicious C&C traffic and trace it.
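The behavioral detection described above, as an added example that is not part of the original article: a small beacon detector run over constructed outbound proxy log lines. Call-home traffic tends to be periodic, so the detector groups connections by (source host, destination) and flags pairs whose inter-connection intervals are nearly constant, while an allowlist (a hypothetical parameter) keeps legitimately periodic services such as time sync out of the findings. Hostnames, domains and timestamps are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: "<ISO timestamp> <source host> <destination> <port> <bytes>".
# mon01 contacts one destination hourly with slight jitter (beacon-like) and a
# time server every 1024 s (legitimately periodic); ws02 browses irregularly.
SAMPLE_PROXY_LOG = """\
2020-04-01T00:00:12Z mon01 avsvc-updates.example-cdn.test 443 1024
2020-04-01T00:05:00Z ws02 news.example.test 443 52000
2020-04-01T00:05:30Z ws02 news.example.test 443 8100
2020-04-01T00:07:45Z ws02 news.example.test 443 9900
2020-04-01T00:10:00Z mon01 time.example.test 123 48
2020-04-01T00:27:04Z mon01 time.example.test 123 48
2020-04-01T00:44:08Z mon01 time.example.test 123 48
2020-04-01T01:00:20Z mon01 avsvc-updates.example-cdn.test 443 1031
2020-04-01T01:01:12Z mon01 time.example.test 123 48
2020-04-01T01:30:00Z ws02 news.example.test 443 7400
2020-04-01T01:31:10Z ws02 news.example.test 443 6600
2020-04-01T01:45:00Z ws02 mail.example.test 443 3300
2020-04-01T02:00:05Z mon01 avsvc-updates.example-cdn.test 443 1027
2020-04-01T03:00:30Z mon01 avsvc-updates.example-cdn.test 443 1030
2020-04-01T04:00:10Z mon01 avsvc-updates.example-cdn.test 443 1025
2020-04-01T05:00:18Z mon01 avsvc-updates.example-cdn.test 443 1029
"""


def parse_log(text: str) -> list:
    """Parse the constructed log format into (timestamp, host, dst, port, bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, port, nbytes = line.split()
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        records.append((stamp, host, dst, int(port), int(nbytes)))
    return records


def beacon_candidates(records: list, min_events: int = 4, max_cv: float = 0.2,
                      known_periodic: frozenset = frozenset({"time.example.test"})) -> list:
    """Flag (host, destination) pairs whose connection intervals are nearly
    constant: coefficient of variation (stdev / mean) at or below max_cv.
    known_periodic is a hypothetical allowlist for services expected to poll."""
    by_pair = defaultdict(list)
    for stamp, host, dst, _port, _nbytes in records:
        by_pair[(host, dst)].append(stamp)

    findings = []
    for (host, dst), stamps in by_pair.items():
        if dst in known_periodic or len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "host": host,
                "destination": dst,
                "events": len(stamps),
                "mean_interval_s": round(avg),
                "interval_cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in beacon_candidates(parse_log(SAMPLE_PROXY_LOG)):
        print(finding)
```

A finding here is a lead for the "watchers of the watcher", not a verdict: the next steps are to establish whether the destination is a known vendor endpoint, whether other hosts talk to it, and what the flagged host is. The jitter tolerance (`max_cv`) and the allowlist are the two knobs that decide how noisy the detector is on a real network.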
This is a lesson for information security managers: Look at security holistically, not just in silos or with specific products.
This also serves as a caution to individuals: Pay more attention to information security solution warnings and act on them immediately and appropriately.
Sunburst is probably one of the biggest hacks the world has seen to date. We will only know the extent of its impact in the coming years. Let us be very vigilant, because everyone, even our cybersecurity providers, is at risk.
(With inputs from Sam Chittick, Liel Pascual, and Grace Mirandilla-Santos)
* * *
William Emmanuel Yu, Ph.D. is a technology professional, professor, and researcher who is a passionate advocate of shaping internet and technology policy. He is part of Secure Connections, a cybersecurity project of The Asia Foundation-Philippines. The views expressed in this article do not necessarily reflect the views of The Asia Foundation-Philippines.