This postmortem document examines one of the most significant cybersecurity breaches of the 21st century – the SolarWinds Cyberattack – and deconstructs the vulnerabilities and failures enabling its success. Part of a series of cyberattack postmortems, this document contains a profile on the victimized organization and a recap of all the known information about how the attack was perpetrated.
As is almost always the case with events of this magnitude, there is more than one vulnerability exploited by threat actors to successfully effectuate these attacks. In fact, there are often a number of failures within different areas of the victim organization’s overall infosec strategy which, combined, enable threat actors to achieve their nefarious goals, and which make the follow-on consequences of the initial breach far worse over time.
Shockingly, nearly all the enormous, costly data breaches and cyberattacks examined by this series share one glaring commonality. It is a consideration all too frequently overlooked by even the most sophisticated InfoSec programs and one which, even in the aftermath of a catastrophic security breach, is still left inadequately addressed. The commonality threading through this and most other cybersecurity failures: inadequate External Data Privacy Management or “EDPM”.
THE VICTIM ORGANIZATION – SOLARWINDS
SolarWinds Corporation, an American firm, specializes in creating software solutions designed to assist businesses in the management of their networks, systems, and IT infrastructure. The company is headquartered in Austin, Texas, and maintains sales and product development offices across various locations in the United States and several other countries.
SolarWinds was publicly traded from May 2009 until the end of 2015 and then resumed trading in October 2018. Additionally, SolarWinds has acquired multiple other companies, some of which continue to operate under their original names, such as Pingdom, Papertrail, and Loggly.
By December 2020, the company’s client list included approximately 300,000 customers, encompassing virtually all Fortune 500 companies and – as will become more significant when examining the recent breach – numerous agencies within the US federal government.
THE KNOWN FACTS OF THE ATTACK
In this cyberattack, a hacker group known as Nobelium and suspected by Microsoft of being a state-sponsored operation, managed to infiltrate the networks, systems, and data of numerous SolarWinds clients. The scale of this breach is unparalleled and could be considered one of the most extensive ever documented.
SolarWinds produces the “Orion network management system”, which is used by over 30,000 public and private organizations, including local, state, and federal agencies in the United States. The Orion product was identified as the conduit for this breach. It seems SolarWinds unintentionally distributed the backdoor malware within an Orion software update, thereby compromising the data, networks, and systems of thousands of users.
The impact of this intrusion extended beyond SolarWinds customers. By exposing the inner workings of Orion users, the hackers potentially gained access to the data and networks of those users’ customers and partners as well. This opened the door for the number of affected victims to grow exponentially.
The malicious actor initially conducted a “practice run” by inserting test code into SolarWinds’ Orion network management and monitoring products. Following this, starting in February 2020, the hackers introduced concealed code (a trojan) into a file that was subsequently incorporated into SolarWinds’ Orion software updates. SolarWinds distributed these updates to its customers without recognizing that they had been compromised. The trojan code provided the threat actor with a “backdoor,” a program enabling unauthorized remote access to a compromised computer. As indicated by cybersecurity experts, the threat actor was then able to exploit the networks and systems of SolarWinds’ customers who had installed the tainted software updates, using an advanced computing infrastructure.
IT research and reference publication, TechTarget, compiled the following timeline of the SolarWinds hack and breach. It is notable that the threat actors engaged in meticulous planning and preparation of this attack, and it was rolled out methodically over a number of years.
Here is the TechTarget timeline of the SolarWinds hack:
- September 2019 – Threat actors gain unauthorized access to SolarWinds network
- October 2019 – Threat actors test initial code injection into Orion
- Feb. 20, 2020 – Malicious code known as Sunburst injected into Orion
- March 26, 2020 – SolarWinds unknowingly starts sending out Orion software updates with hacked code
SolarWinds had hired a new CEO, Sudhakar Ramakrishna, just months before the attack was discovered. While there was little he could have done to prevent or even detect the attack already in advanced stages of deployment, Ramakrishna has been very transparent in its wake in an effort to help the industry improve its defenses against similar subsequent attacks. His office released the following graphic to illustrate the known timeline of events.
The U.S. Department of Homeland Security issued an advisory pinpointing the affected versions of SolarWinds Orion as 2019.4 through 2020.2.1 HF1.
The organizations victimized as a result of the breach included some of the largest and most powerful organizations – public and private – in the world: organizations holding serious, significant and sensitive data, including national security secrets and billion-dollar intellectual property, to say nothing of the personally identifiable information (PII) of the millions of individuals employed by these entities. Victims included US Federal government departments such as Homeland Security, State, Commerce and Treasury, all of which reported evidence of emails and other data missing from their systems. Private sector giants – companies such as FireEye, Microsoft, Intel, Cisco and Deloitte – also suffered from this attack.
THE INITIAL CONSEQUENCES OF THE ATTACK
Following their undetected unauthorized entry and “test code injection” into the Orion product, the threat actors removed the test code and any traces of their trespass in preparation for the delivery of the actual, malicious payload. Like bank robbers casing the security systems of a bank vault ahead of a heist or terrorists probing the physical security of a landmark they intend to bomb, the Nobelium threat actors made sure their plan would be effective before they deployed it.
More than 18,000 SolarWinds customers installed the malicious code updates, with the malware spreading undetected. Through this code, hackers accessed SolarWinds’ customers’ information technology systems, which they could then use to install even more malware to exfiltrate data from other companies and organizations.
Security researcher R. Bansal reported that more than 4,000 subdomains belonging to well-known universities, businesses and other organizations were infected as a result of the initial 18,000 “backdoor” malware installations, including names such as Intel, NVIDIA, Kent State University, Iowa State University and others.
The extent of the reach of an organization like SolarWinds perfectly illustrates why hackers target this kind of operation. The potential reach into thousands of high-value targets means that one successful intrusion can open the back door for hackers to steal priceless data of unimaginably sensitive nature. It also means the PII of employees of prime target organizations is made available to threat actors for use in launching countless subsequent social engineering attacks: attacks that enable potential theft of millions of dollars, theft of intellectual property and industrial secrets, theft of national security secrets, and which cause incalculable damage to the reputation of victimized organizations.
THE ATTACK VECTOR(S) AND EDPM
Privacy Bee writes extensively about the vulnerabilities fostered by a limited or absent understanding of the role played by External Data Privacy Management (EDPM) across a broad array of functional areas within any organization. Weak or non-existent EDPM enables the many emerging threats to information security currently facing both the public and private sectors. Poor EDPM is the essential ingredient powering the epidemic of social engineering attacks favored by threat actors as a way to perform end-runs around hardened infosec elements such as endpoint security, zero trust programs, military-grade encryption, employee training and other industry standard practices.
In the SolarWinds example, the two attack vectors (as related to EDPM) exploited by the Nobelium hacker group were the Supply Chain Attack and the Third-Party Vendor Attack. Examining each of these vectors in turn helps illustrate how EDPM considerations are essential to protecting against both.
The Software Supply Chain Attack Vector
As detailed in the Privacy Bee for Business white paper titled Supply Chain Attacks are on the Rise – A Primer on Supply Chain Privacy Risk, all organizations have grown increasingly reliant on software to automate and manage a broad array of internal business processes. The paper reveals the fact that most software today is not written from scratch. Rather, software vendors and in-house software development teams often create applications and other tech solutions by assembling code/artifacts acquired through both open-source and commercial software channels.
These artifacts increase vulnerability because in-house application developers building (or IT departments deploying) new software solutions into their operations typically have limited control over the source code. Many times, they aren’t even aware of any changes made to the code by third parties before they acquire it. In the case of the SolarWinds hack, malicious code was injected into a routine software update that was distributed to thousands of unsuspecting users of the Orion software product who unknowingly installed the malware onto their respective networks. This type of compromise or corruption of existing code by threat actors is a classic example of a software supply chain attack.
Definition: The software supply chain is anything and everything that touches an application or plays a role, in any way, in its development throughout the entire software development life cycle (SDLC). The software supply chain is composed of the components, libraries, tools, and processes used to develop, build, and publish a software artifact.
Because cybercriminals know this is a weak spot, they have begun inserting malicious code into software artifacts they can then exploit later once the artifacts have been written into larger software systems within target organizations. Attacks via software supply chains are trending and the SolarWinds attack is perhaps the most infamous illustration of this vector. Before examining how EDPM could have helped protect against this type of threat, it is important to examine the Third-Party Vendor attack vector which is closely related to the Software Supply Chain attack.
The Third-Party Vendor Attack Vector
Victims of their own success, established information security practices have prompted threat actors to seek alternative methods of gaining access to protected systems. Standard practices and solutions like identity and access management solutions, data encryption, anti-virus and endpoint protection, cloud security, firewalls, zero trust security, workforce awareness training and other infosec practices have made it too time consuming and difficult for hackers to succeed via direct, frontal attacks on these hardened systems.
For this reason, since 2022, attacks on internal data structures through brute force credential attacks and through hacking to exploit software vulnerabilities have been decreasing. On the other hand, phishing, social engineering and otherwise compromised credentials now make up a plurality of unauthorized access instances. Clearly, the perpetrators of cyber crime have begun favoring social engineering as the most effective method of breaching defenses and stealing from their victims.
So much of contemporary software is built in a modular fashion, often using open-source code. Because much of it is built and delivered by third-party software companies or contract developers/vendors, it is only natural that hackers would seek to exploit third-party vendor relationships to achieve their goals. That’s where external data – PII but not customer PII, rather employee or vendor employee PII – fits into the picture. While it is difficult to break encryption or circumvent a firewall as a means of gaining access to protected networks, it is very easy to leverage unmanaged external data on vendor employees to serve as the basis for social engineering attacks used to gain unauthorized access to information systems. Having circumvented traditional infosec protections, the hackers can then inject malicious code into software that will be deployed across many other target organizations.
So, it becomes clear how the third-party vendor attack vector works hand-in-glove with software supply chain attack strategies. In the case of SolarWinds, it is not entirely clear whether the initial breach of the Orion code base was enabled by a social engineering hack directed against a SolarWinds employee. However, there are numerous other examples of this occurrence – the use of third-party vendor attacks to enable Supply Chain attacks. And it has never been clearly determined how the initial intrusion was achieved in the SolarWinds example. So, it still may be determined that third party vendor attacks were implicated in the hack.
THE LONGER-TERM CONSEQUENCES OF THE ATTACK
As with all data breaches, there are significant, long-tail consequences of any successful attack, not least of which is the opportunity cost incurred when an organization loses the trust of the consumer public. For a company like SolarWinds, with the entirety of the Fortune 500 and numerous lucrative government contracts among its customers, the losses from business lost as customers flee to “safer” alternatives can be staggering.
The PII of hundreds of millions of individuals was potentially compromised, with the breach affecting 18,000 customer organizations and 4,000 subdomains (that we know of to date). That PII in itself is something the threat actors can monetize by offering it for sale on the Dark Web, where other hackers buy it to use in their own nefarious attack plans. The Hacker News writes, “Prolific actors are constantly going after high-revenue customers like SolarWinds because they see an increased chance of making larger profits by selling access to ransomware partners and other buyers… Whether it’s by exploiting vulnerabilities, launching spam campaigns or leveraging credential abuse, access is typically advertised and auctioned to the highest bidder for a profit. Whether this was the motivation for the current SolarWinds incident remains to be seen.”
The NPR article “A Worst Nightmare Cyber Attack: The Untold Story of the SolarWinds Hack” suggests the full scope and consequences facing US national security as a result of the SolarWinds breach are yet to be totally understood. Writing for NPR, Dina Temple-Raston notes, “The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks. The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it.”
Opportunities lost, reputations damaged, PII of millions of private individuals and key employees exposed to potential further exploitation across hundreds of organizations, national security implications – the list of follow-on damage continues to grow. The full scope of the damage may never be fully accounted for. So, what could have been done to better address EDPM and what can be done now to ameliorate some of the longer-term damage?
EXTERNAL DATA PRIVACY MANAGEMENT
The two primary tools to fight supply chain attacks are DevSecOps (including the use of a Software Bill of Materials, or SBOM) and strong Vendor Risk Management (VRM) tools to ensure healthy external data privacy hygiene amongst all vendors (software and materials providers). DevSecOps is a security methodology focusing on culture, automation and software design, requiring shared responsibility for privacy and security throughout the entire IT lifecycle. However, DevSecOps and SBOMs alone, in the absence of VRM tools, represent an incomplete approach.
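The software supply chain attack described earlier (malicious code slipped into a build artifact before the vendor ships it) is precisely the class of tampering that an SBOM carrying per-artifact hashes lets a defender catch at release time or on receipt. The Python script below is an added example written for this page; it is not SolarWinds’, Privacy Bee’s, or any SBOM tool’s code. It assumes a simplified, constructed SBOM layout that only borrows the “components with hashes” idea from CycloneDX, and the file names and file contents in the demo scenario are constructed for illustration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_sbom(build_dir: Path, product: str, version: str) -> dict:
    """Record every artifact of a trusted build together with its SHA-256.

    The layout is a simplified, constructed format (assumption) that mirrors the
    CycloneDX idea of a component list with hashes; it is not a full CycloneDX
    document and should not be treated as one.
    """
    components = []
    for path in sorted(build_dir.rglob("*")):
        if path.is_file():
            components.append({
                "name": path.relative_to(build_dir).as_posix(),
                "hashes": [{"alg": "SHA-256", "content": sha256_file(path)}],
            })
    return {"product": product, "version": version, "components": components}


def verify_against_sbom(sbom: dict, deployed_dir: Path) -> dict:
    """Compare a release tree (about to ship, or just received) with the SBOM.

    Returns three sorted lists: artifacts whose hash changed, artifacts the SBOM
    lists but the tree lacks, and artifacts present in the tree that the SBOM
    never listed. A tampered update shows up in 'modified' or 'unlisted'.
    """
    expected = {c["name"]: c["hashes"][0]["content"] for c in sbom["components"]}
    actual = {
        p.relative_to(deployed_dir).as_posix(): sha256_file(p)
        for p in deployed_dir.rglob("*")
        if p.is_file()
    }
    return {
        "modified": sorted(n for n in expected if n in actual and actual[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in actual),
        "unlisted": sorted(n for n in actual if n not in expected),
    }


def demo() -> dict:
    """Constructed scenario: a clean build, then a release copy with one library
    altered, one removed and one extra file added before distribution."""
    with tempfile.TemporaryDirectory() as tmp:
        build = Path(tmp) / "build"
        (build / "bin").mkdir(parents=True)
        # Constructed placeholder binaries; the bytes are not real executables.
        (build / "bin" / "Core.dll").write_bytes(b"MZ original compiled library")
        (build / "bin" / "Helper.dll").write_bytes(b"MZ helper library")

        # The SBOM is produced by the trusted build and stored separately
        # (round-tripped through JSON here, as it would be on disk).
        sbom = json.loads(json.dumps(build_sbom(build, "ExampleProduct", "1.0.0")))

        # Verifying the untouched build against its own SBOM must report nothing.
        clean = verify_against_sbom(sbom, build)

        release = Path(tmp) / "release"
        shutil.copytree(build, release)
        (release / "bin" / "Core.dll").write_bytes(b"MZ original compiled library + injected")
        (release / "bin" / "Extra.dll").write_bytes(b"MZ unexpected component")
        (release / "bin" / "Helper.dll").unlink()
        tampered = verify_against_sbom(sbom, release)

        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the SBOM itself: it must be generated inside the build pipeline and stored (and ideally signed) outside the reach of whoever can write to the release tree, otherwise an attacker who alters an artifact can simply regenerate the manifest to match.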
Privacy Bee’s Vendor Risk Management (VRM) extends the privacy bubble to targets outside your organization but who may have a degree of access to your sensitive information systems – including software providers and/or contract development resources. This solution evaluates all your vendor/partner organizations for Electronic Data Privacy risks. It then reports simple Privacy Risk Scores on each company, highlighting each vendor’s risk at a glance. Analytics further break vendors down by department, risk tier, and more, with all thresholds fully customizable. While most vendor risk software stops at the report, Privacy Bee VRM keeps going, offering to work with all your 3rd party vendors 1-on-1 to decrease their vulnerabilities, effectively de-risking your company.
Privacy Bee’s Employee Risk Management (ERM) is an easy but powerful way to get visibility into your External Data Privacy risk. After just a few minutes to load and configure your employees (usually an exported CSV from your HCM software), Privacy Bee automatically begins scanning hundreds of external sources, searching for any exposed privacy risks on each employee. Any discoveries are flagged as an exposure and affect that person’s aggregated Privacy Risk Score.
ERM helps quickly paint a full picture of an organization’s real-time cyber risk from external privacy exposures. This privacy intelligence platform is 100% free for all businesses, powered by Privacy Bee.
Privacy Bee’s External Data Privacy Audit (EDPA) is another 100% free, web-based privacy app for quickly and easily scanning employees’ PII exposure. This tool set lets you build an extensive audit, identifying privacy exposures and vulnerabilities, then extrapolates the potential financial impact across your company. It’s a critical view into risk assessment, operational inefficiencies, emerging cyber risk, and External Data Privacy Management.
The EDPA provides unified employee audits, bringing together real-time dark web monitoring with 24/7 active clear web monitoring (Data Brokers, People Search Sites, paste sites, and more). It delivers a centralized view into public employee exposures, and insight into the tangible financial impact they have within your organization.
While all these (and other) audits and monitoring services are available at no cost, removing employee PII from all unsafe locations on the net is what reduces the risk and the attack surface. While this is a function your organization could take on as an internal activity, most organizations prefer to outsource to Privacy Bee the removal service for their employees and vendors identified as at risk. Privacy Bee has teams of experts working 24x7x365 to scrub client employees’ PII from all unsafe corners of the internet.
Putting EDPM solutions like these in place does more to protect against being victimized by threat actors from the outset. And while they are useful as a restorative, to clean up the messes after a breach has occurred, it is best to deploy them from the outset so as to avoid becoming the next high-profile victim.
Speak with Privacy Bee to discuss the External Data Privacy Management at your company.