In December, the US discovered what is perceived to be the most widespread cyber breach of the US Federal Government. What initially started as a breach of a leading cybersecurity firm unraveled into the discovery that numerous customers including multiple US federal government agencies were impacted (1) (2). The attack came from “a nation with top-tier offensive capabilities” and is perceived to be espionage by Russia. Bruce Schneier, legendary cryptographer and computer security professional, has noted it as a security failure of epic proportions and a wakeup call for the nation.
One of the most striking aspects of the largest cyber breach and global intrusion campaign on the US federal government is the fact that it went undetected for so long, potentially beginning as early as March 2020 according to SolarWinds (3).
What is most critical now is to understand what events exactly transpired, why the malicious actors and code went undetected for so long, and understand the lessons learned for mitigating and preventing the same from happening to your organization’s technology environment.
What happened and why did it go undetected for so long?
On December 8th, leading cybersecurity firm FireEye disclosed a breach of its Red Team Tools. A Red Team is a group of security professionals and tools that conduct mock adversary attacks against an enterprise in order to identify weaknesses and improve its cybersecurity posture (4). FireEye CEO Kevin Mandia provided additional disclosure and thoughts on the event (5).
On December 13th, the threat research disclosed by FireEye discovered that the global intrusion campaign leveraged and trojanized SolarWinds Orion business software in order to distribute malware (6). Orion is a popular infrastructure monitoring and management platform used by 33,000 other corporations and federal agencies out of over 300,000 total customers, according to a December 14th filing with the Securities and Exchange Commission (SEC) (7). It is estimated that approximately 18,000 customers could have had an installation of Orion with the malicious code that was identified. Some troubling security flaws started to emerge, including the usage of “solarwinds123” as the password for the company’s update server.
As the breach unfolded, two key events presented themselves and were named SUPERNOVA and SUNBURST:
- SUPERNOVA: is not Orion platform embedded, but rather malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product. SUPERNOVA is malware in two components on the Orion Platform: (1) a malicious, unsigned webshell specifically written to be used on the SolarWinds Orion Platform, and (2) the utilization of a vulnerability in the Orion Platform to enable deployment of the malicious code. The vulnerability on the Orion Platform was resolved in a rapid update
- SUNBURST: is a cyberattack to SolarWinds systems that inserted a vulnerability within its Orion® Platform software builds for recent software versions, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run
On December 13th, DHS CISA issued an Emergency Directive for all federal agencies to remove impacted Orion products from their networks and take proactive measures with cybersecurity forensics and network analysis in order to report data back to CISA for an aggregated assessment of the situation at hand (8).
On December 14th, it was identified that numerous US federal agencies were also impacted, including DHS, State, NIH, and Treasury, among others.
Later, Microsoft announced that the breach was wider than previously realized to include viewing its source code (9) (10).
This malicious activity was happening for months, but after the positive identification of a nation state actor, the resulting remediations and defensive measures were swift.
What has been the response so far?
Leading technology and cybersecurity vendors are acting swiftly.
After identifying the initial FireEye acted by open sourcing their countermeasures with rules for well-known network and security tools to detect malicious files and activity (6).
SolarWinds issued a security advisory and an eventual Orion patch to remediate the immediate issue with its client base. They have continued to expand on the fix and frequency update the SolarWinds Security Advisory hub for guidance on how to continue to navigate this event.
Microsoft has been incredibly assertive in the wake of this cybersecurity event, releasing key guidance on how to address the situation with recommended defenses and product protection resources. They have also made bold declarations on how we should step back and assess our broader approach to cybersecurity in the newest warfighting domain.
Government agencies have provided “break glass” guidance to build runway for a solution.
DHS CISA immediately issued an Executive Directive for Orion shutdown which also includes a detailed call to action by all US federal agencies impacted.
In the coming months, there are many existing agencies, both domestic and international consortiums, that will likely convene on the medium and long term implications of this event, including DHS CISA, NSA, US Cyber Command, and Five Eyes.
The incoming Biden administration has made commitments to make this a top priority.
The incoming Biden administration have generally made statements regarding cybersecurity as a top priority, as well as dealing with this specific event head on from the moment the new administration hits the ground. Some counter actions may include non-cybersecurity measures, to include financial sanctions.
Why does this matter to me, and what can I do to mitigate the risk of this happening to me?
The entire world is at risk, treat it as such individually and at the enterprise and agency level.
According to Mr. Schneier, “the entire world is at risk – and not just from Russia”… we should heed his advice at all levels. On an individual basis, consider your personal security posture and explore some of the tools and practices available to you to increase it. Some good examples include ProtonMail for email, Brave for privacy focused browsing, Tor for anonymity (which is embedded in many VPN products), and LastPass for password management. At an organizational level, take the short-term actions provided in this document from technology and cybersecurity vendors, as well as government officials, to build runway and immediate security in order to take a step back and evaluate your cybersecurity strategy going forward.
Understand the new and expanded attack surface. The significant acceleration of digital transformations initiatives in the wake of COVID-19 have been historic, while also creating new challenges and opportunities for threat vectors. This intersection of COVID-19 and cybersecurity is detailed further in Microsoft’s review of the broader view of global cyber operations.
Remote ways of working have greatly expanded the attack surface as employees have shifted from on-premises to various collaboration tools in remote settings. A great example includes the DoD Commercial Virtual Remote (CVR) program, which delivered remote working capabilities to millions of users in only a matter of weeks (11). The largest O365 deployment in history, this new operating model also creates new cybersecurity
The lines of demarcation have been significantly blurred. What was once a “digital fortress” and perimeter based security mindset in the enterprise data center has been radically changed with the trends of SaaS service consumption, hybrid and multi-cloud models, edge computing, IoT, and other infrastructure and services that reside outside the four walls of the data center. Understand the implications of security as it relates to the integration and orchestration of a more distributed environment as well as the new cybersecurity challenges that are presented.
Operate with a Zero Trust posture. Take the assumption that all traffic could be malicious, even inside the perimeter of your existing environment, since this was clearly the case in the event of the SolarWinds breach. Rather than taking the legacy “digital fortress” approach, layer in security across the full lifecycle and technology stack for agility and resiliency.
Take an enterprise approach to cyber architecture and risk management, enabling combined, full spectrum cyber operations across the Services and other infrastructure environments. For instance, US Cyber Command aims to better integrate cross-service components with the Joint Cyber Warfighting Architecture (JCWA) to establish unified firing platforms, command and control, and training environments (12). In order to ensure that every network, system, application and enterprise service is secure by design across currently multiple disparate enclaves, an environment agnostic approach and diagnostic tool such as Cyber Doppler can be leveraged to assess the cybersecurity posture, risk profile, and gaps that need to be addressed (13).
Embrace commercial Cyber practices that foster accelerated capability development, agility, automation (e.g. DevSecOps, COTS optimized product sets) to improve overall defense posture and Joint Warfighting Architecture. As organizations struggle to maintain a strong security profile in moving towards a foundational Data and Digital Platform, to include cloud adoption, options are accelerated but secure adoption are available. The BCG Cyber Cloud Framework (CCF) and Application Security Profiles (ASP) can map warfighting capabilities to their respective regulatory and compliance controls and frameworks (e.g. NIST, FedRAMP, Cloud Security Alliance, ISO), while navigating a journey to secure modernization (14).
Open and maintain two-way lines of communication. This is how the threat vector was identified in the first place, by FireEye recognizing the threat, sounding the alarm, but more importantly enabling the enterprise and federal government by open sourcing their countermeasures with rules for well-known network and security tools to detect malicious files and activity (6, GitHub).
Other organizations for data and information exist including DHS CISA’s Cybersecurity organization, where regular guidance is posted for more routine cybersecurity actions are to be taken as well as more urgent response similar to the SolarWinds event. Additionally, Information Sharing is a key organization within CISA for enabling two-way communication for community-driven, collaborative awareness and action on defending our technology and data assets, notably including the Cyber Information Sharing and Collaboration Program (CISCP).
***
Matthew Leybold is an Associate Director at Boston Consulting Group with DigitalBCG. He was also a leader in the Army National Guard 91st Cyber Brigade, trained and equipped to conduct cyber analysis, vulnerability assessments, and defensive/ offensive cyberspace operations (DCO/OCO) on DoD networks and critical public infrastructure.
References cited.
- Spies with Russia’s foreign intelligence service believed to have hacked a top American cybersecurity firm and stolen its sensitive tools. Washington Post. https://www.washingtonpost.com/national-security/leading-cybersecurity-firm-fireeye-hacked/2020/12/08/a3369aaa-3988-11eb-98c4-25dc9f4987e8_story.html?utm_source=reddit.com
- Suspected Russian hackers breached U.S. Department of Homeland Security – sources. Reuters. https://www.reuters.com/article/us-global-cyber-usa-dhs-idUSKBN28O2LY
- Unauthorized Access of FireEye Red Team Tools. FireEye. https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html
- Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. FireEye. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
- FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community. FireEye. https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html
- FireEye Mandiant SunBurst Countermeasures. GitHub. https://github.com/fireeye/sunburst_countermeasures
- United States Securities and Exchange Commission. Form 8-k. SolarWinds Corporation. https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/57108215-4458-4dd8-a5bf-55bd5e34d451.pdf
- Emergency Directive 21-01. DHS. https://cyber.dhs.gov/ed/21-01/
- Microsoft says Russians hacked its network, viewing source code. Washington Post. https://www.washingtonpost.com/national-security/microsoft-russian-hackers-source-coce/2020/12/31/a9b4f7cc-4b95-11eb-839a-cf4ba7b7c48c_story.html
- Microsoft Internal Solorigate Investigation Update. Microsoft. https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
- How the pandemic pushed DOD’s network modernization efforts into warp speed. FedScoop. https://www.fedscoop.com/dod-network-modernization-cvr-coronavirus/
- Cyber Command’s 2019 plan for new tools. https://www.fifthdomain.com/dod/cybercom/2019/02/19/cyber-commands-2019-plan-for-new-tools/
- BCG: A Smarter Way to Quantify Cybersecurity Risk. https://www.bcg.com/en-us/capabilities/technology-digital/smarter-way-to-quantify-cybersecurity-risk.aspx
- Mastering Cybersecurity with BCG. https://www.bcg.com/en-us/capabilities/technology-digital/mastering-cybersecurity.aspx
Other references.
- Biden Calls Cybersecurity a ‘Top Priority’ After Russian Hack. Bloomberg. https://www.bloomberg.com/news/articles/2020-12-17/biden-calls-cybersecurity-a-top-priority-after-russian-hack?srnd=premium&sref=KkPzpZvz&utm_source=morning_brew
- The US has suffered a massive cyberbreach. It’s hard to overstate how bad it is. Bruce Schneier. The Guardian. https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols
- SolarWinds’ Customers. Web Archive. https://web.archive.org/web/20201214143046/https:/www.solarwinds.com/company/customers
- Navigating the SolarWinds Storm. LinkedIn. https://www.linkedin.com/pulse/navigating-solarwinds-storm-brett-thorson/?trackingId=evfmzrC1luD9CNZuxpj3kA%3D%3D
- Transcript: Kevin Mandia on “Face the Nation,” December 20, 2020. https://www.cbsnews.com/news/transcript-kevin-mandia-on-face-the-nation-december-20-2020/
- SolarFlare Release: Password Dumper for SolarWinds Orion. https://malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/
- Global Intrusion Campaign Leverages Software Supply Chain Compromise. https://www.fireeye.com/blog/products-and-services/2020/12/global-intrusion-campaign-leverages-software-supply-chain-compromise.html
- FireEye, one of the world’s largest security firms, discloses security breach. ZDNet. https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/
- CISA: SolarWinds Is Not the Only Way Hackers Got Into Networks. NextGov. https://www.nextgov.com/cybersecurity/2020/12/cisa-solarwinds-not-only-way-hackers-got-networks/170854/
- Russian state-sponsored hackers target Covid-19 vaccine researchers. The Guardian. https://www.theguardian.com/world/2020/jul/16/russian-state-sponsored-hackers-target-covid-19-vaccine-researchers
- SolarWinds Security Advisory. SolarWinds. https://www.solarwinds.com/securityadvisory
- Customer Guidance on Recent Nation-State Cyber Attacks. Microsoft. https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
- A moment of reckoning: the need for a strong and global cybersecurity response. Microsoft. https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
- SolarWinds Isn’t the Only Way Hackers Entered Networks, CISA Says. Defense One. https://www.defenseone.com/threats/2020/12/solarwinds-isnt-only-way-hackers-entered-networks-cisa-says/170882/
- Microsoft report shows increasing sophistication of cyber threats. Microsoft. https://blogs.microsoft.com/on-the-issues/2020/09/29/microsoft-digital-defense-report-cyber-threats/
- Important steps for customers to protect themselves from recent nation-state cyberattacks. Microsoft. https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
- VMware Flaw a Vector in SolarWinds Breach? Krebs on Security. https://krebsonsecurity.com/2020/12/vmware-flaw-a-vector-in-solarwinds-breach/
- Biden is considering Russian financial sanctions or other retaliatory action in response to the SolarWinds hack. Business Insider. https://www.businessinsider.com/biden-considers-russian-sanctions-retaliation-for-solarwinds-hack-2020-12?utm_source=reddit.com
- A security expert reportedly warned SolarWinds in 2019 that anyone could access the company’s update server with the password ‘solarwinds123’. Business Insider. https://www.businessinsider.com/solarwinds-warned-weak-123-password-could-expose-firm-report-2020-12
- Sunburst Indicators. GitHub. https://github.com/bambenek/research/tree/main/sunburst
- DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign. Washington Post. https://www.washingtonpost.com/national-security/dhs-is-third-federal-agency-hacked-in-major-russian-cyberespionage-campaign/2020/12/14/41f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html
- Suspected Russian hackers spied on U.S. Treasury emails – sources. Reuters. https://www.reuters.com/article/BigStory12/idUSKBN28N0PG