Federal agencies and international organizations were compromised in a protracted state-sponsored cyber attack. The threat actors carried out a supply chain attack with compromised SolarWinds software. Here̵
Trojan software has a hidden malicious payload. You think you are installing one application, but in fact there are stowaways in the installation routine that are installed at the same time. Or the application you are installing has itself been compromised and now contains malicious code.
A recent example is a barcode scanner app that has been removed from the Google Play App Store. The barcode scanner had been published for several years and had a healthy installed base of 10 million users. It was sold at the end of 2020 to a new owner, Ukraine-based “The Space Team”.
After an update of the app, users were plagued with advertisements. Their default browser would open by itself. Links and buttons to download and install more apps would run across their screen. The new owners had modified the scanner app’s code to include malware. The app was trusted by those who already installed it, so an update wouldn’t be a cause for concern. But the update that they expected to provide bug fixes and new features actually put their handset at risk. The previously innocent barcode scanner was now a Trojan horse.
The barcode scanner app was labeled a good purchase by the threat actors. Its strong user base made it a convenient transport mechanism to place their malware on up to 10 million smartphones. They bought the app, changed the code and sent it as an update. Presumably, the cost of purchasing the app was seen as the running cost of the scam, to be recouped from their criminal profits. For the threat actors, it was likely a cheap and easy way to access 10 million smartphones.
The breakthrough of SolarWinds
The SolarWinds hack is similar, but in a completely different class. SolarWinds makes and sells monitoring and management software for corporate networks. To provide the detailed, granular information that system administrators need to maintain the effectiveness of the IT resources for which they are responsible, the SolarWinds software requires extremely privileged access rights to the network.
As with the barcode scanner, the SolarWinds software was not the target, it was just the delivery mechanism. SolarWinds Orion is a complete IT stack monitoring and reporting tool. It was compromised by threat actors. They have covertly renamed a Dynamic Link Library (DLL)
SolarWinds.Orion.Core.BusinessLayer.dllThe infected DLL was included in SolarWinds Orion versions 2019.4 through 2020.2.1 HF1. These updates were released between March and June 2020. Like the barcode scanner app, the updates were used to distribute the malware to existing customers. The malware has been named SUNBURST by cybersecurity researchers at FireEye.
The sophistication of the initial breach of SolarWinds’ systems, the complexity of the Trojan code, the exploitation of a zero-day vulnerability, and the technically demanding methods of avoiding post-breach detection all indicate that the perpetrators have a state-sponsored Advanced Persistent Threat Group.
This is further confirmed when you look at the list of victims. They include senior US agencies and federal divisions, operators within US critical infrastructure, international organizations, and private companies. The United States Treasury, the Department of Homeland Security, the Department of State, the Department of Defense, and the Department of Commerce were all victims. In total, about 18,000 installations were affected by the infected updates.
Once the infected updates have been applied to the customers’ networks, the malware installs itself and remains inactive for approximately two weeks. It then makes HHTP requests to the servers of the threat actors to fetch commands, on which it then acts. It provides a back door for the threat actors straight to the infected networks.
The network traffic generated by the malware is disguised as protocol traffic from the Orion Improvement Program (OIP). This helps the malware to go unnoticed. It is also aware of and can dodge and bypass many types of antivirus, anti-malware and other endpoint protection software.
However, one of SolarWinds’ clients was FireEye, a well-known cybersecurity company. When FireEye’s proprietary software assets were stolen, they launched an investigation that found the malware and linked back to SolarWinds.
This is a classic attack on the supply chain. Rather than wondering how to infect all target organizations, the threat actors attacked one of their common suppliers, sat back and waited for the normal update process to take place.
Assessment of your supply chain
To properly assess the risk of a supply chain attack, you must thoroughly understand your supply chain. That means mapping. Pay special attention to network hardware and software providers. If you are using an outsourced managed services provider (MSP), you should be aware that these are valuable targets for the cyber criminals. If they can compromise an MSP, they have the keys to the kingdom for all of the MSP’s clients.
Consider any supplier who regularly sends service or maintenance personnel to your location. If they maintain equipment connected to your network, chances are the service technician will connect to your network when they are on site. If a laptop has been compromised because their employer’s network is targeted, you will be infected. And you may not be the target of the cyber criminal. Maybe it’s one of that provider’s other customers. But in a supply chain attack, many other companies get caught in the crossfire and suffer as collateral damage. Whether you were the target or not, don’t ease the blow if you’re compromised.
Once you have identified those suppliers that directly or indirectly affect your network, you can make a risk assessment. If you look at each supplier in turn, how likely is it that they would be useful in a supply chain attack. What would cyber criminals gain? Who are the provider’s other customers? Are there some attractive goals for a state-sponsored APT group? Intelligence services, anything to do with the military, critical infrastructure, or government services, are risky targets that an APT could try to capture with a supply chain attack.
The downside is that intelligence, military, and government supply contracts are awarded only to suppliers who can demonstrate they are operating safely and have effective cyber security. In exceptional circumstances – and especially when it comes to zero-day vulnerabilities – any organization can be compromised. That’s what happened to SolarWinds.
Discuss your goals and concerns with your suppliers. Can they prove there is certification or compliance to standards related to cybersecurity? Will they reveal their record of cyber security incidents and incident handling? How can you work together to ensure safe operation in your ongoing trading relationships?
Checking new suppliers should become a standard procedure and at least an annual check for existing suppliers. If they are too far away to travel, at the very least send them a series of questions and ask them to complete them and make a statement that what they say is true.
Not only do you need to protect yourself from an attack on the supply chain, but you also need to consider the risk of your supply chain collapsing as a result of a cyber attack – whether you are directly involved in the attack or not. When a critical part of your supply chain collapses, you are faced with a different kind of emergency. Can you get all your critical supplies from other suppliers? What can you do about niche products or services that you cannot easily or quickly obtain elsewhere?
Rather than a single, linear supply chain for critical or strategic deliveries, it may be possible to set up multiple parallel supply lines. If one breaks, the others can continue. This does not increase safety, but it does increase the robustness and durability of your supply chain.
Other steps to take
If you are a SolarWinds customer, you should read SolarWinds security advisories and take appropriate action. See also the Department of Homeland Security Emergency Guideline and follow all applicable guidelines.
The SUNBURST malware used a technique that allowed it to access or generate authentication certificates so that it could access protected services. Trimarc Security has shared a Powershell script that scans a single domain Active Directory forest and reports on any vulnerabilities it finds.