Three years ago, a seemingly innocuous routine software update from Texas company SolarWinds allowed for one of the most sweeping cyberattacks in American history.
Although it is now in the past, it remains fresh in the minds of cybersecurity professionals and has even recently worked its way into cryptography coursework. The fallout, according to some recent estimates, could cost as much as $100 billion.
Its notoriety is lasting, partly because of the sophistication of the attack and partly because it targeted the soft underbelly of the supply chain, a company's worst nightmare come true.
SolarWinds was targeted because it enabled hacker access to Microsoft, Intel and Cisco, federal agencies (including the Treasury, Justice and Energy departments as well as the Pentagon), and even the Cybersecurity and Infrastructure Security Agency tasked with safeguarding federal networks from cyberattacks, according to NPR reporting. The Wall Street Journal added to that list: Deloitte, the California Department of State Hospitals, and Kent State University.
For nine months, Russian hackers, believed to be directed by the Russian intelligence service called the SVR, were able to poke around in government and private company networks, unnoticed.
Dirty Code Patiently Planted
The routine update to the SolarWinds software program called Orion was tainted with malicious code and used as a guise for the colossal attack against American interests.
Although the hack could have impacted 18,000 SolarWinds customers, the dirty code would only work under specific circumstances: victims had to download and deploy the update and networks had to be connected to the internet to enable server communications for the hackers.
For this reason, SolarWinds leaders estimate that the actual damage was limited to roughly 100 companies and about a dozen government agencies.
NPR’s extensive investigation “reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.”
The worry, according to NPR, is that the same path that allows Russians to access and steal data could also enable them to destroy or alter it.
“The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye,” one senior administration official said during a background briefing from the White House, according to NPR. “And a defender cannot move at that speed. And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.”
In the case of the SolarWinds attack, the hackers ran a master class in novel techniques, according to NPR.
“They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight,” according to the article. Then, they swept away any clues, all evidence that could definitively lead investigators to them. The Biden administration said Russian intelligence was behind the attack, without a doubt. Russia denied the allegations.
Past Hostile Hacks
Such suspicions hark back to the 2017 ransomware attack called NotPetya, a product of the Russian military, which is still regarded as the most costly and destructive cyberattack in history.
NotPetya also began with tainted software, but hackers “planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers.”
Intelligence officers remain concerned that the SolarWinds attack might be the first step to a larger attack: it remains unclear if they were simply reading emails or if they were planting something far more destructive for future use.
“Investigators and security experts say that besides internal communications and other government secrets, hackers may have sought emails of corporate executives, files about sensitive technologies under development, and other ways to compromise more systems later,” according to the Wall Street Journal.
Major technology companies, including 400 Fortune 500 companies and the impacted government agencies, are left questioning even years later whether the hackers were still inside, despite their best security patches.
Industry experts describe the attack as sophisticated, stealthy, and strategically focused on a weak link in the software supply chain “that all U.S. businesses and government institutions rely on – an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way,” according to WSJ.
The attack started with a single string of code, a test, and once that was successful the hackers waited patiently and worked out how to get their code beneath the factory seal. It was a process that took months, but ultimately they inserted the tainted code at the last possible moment, when the code transitioned from human-influenced source code to computer-read executable code, just before it was shipped to customers.
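The paragraph above describes tampering that happens between the source code and the shipped executable, so a digest taken from the source alone does not help. One defensive control is to record a per-file digest manifest from a build that is trusted (for instance an independently reproduced build) and then compare every shipped artifact against it. The following is an added example, not code from the article or from SolarWinds; the artifact paths, file contents and manifest format are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample artifacts standing in for a build's output files.
# Paths and byte contents are invented for this example.
CLEAN_BUILD = {
    "update/core.bin": b"placeholder bytes: core component",
    "update/plugin.bin": b"placeholder bytes: monitoring plugin",
}

# The same release as it might be shipped after tampering: one file was
# altered after the manifest was produced and one file appeared that no
# trusted build ever emitted. Both are constructed for the example.
TAMPERED_BUILD = dict(CLEAN_BUILD)
TAMPERED_BUILD["update/plugin.bin"] = CLEAN_BUILD["update/plugin.bin"] + b"\x00\x01"
TAMPERED_BUILD["update/extra.bin"] = b"placeholder bytes: unexpected file"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict) -> dict:
    """Record one digest per artifact at the point the build is trusted.

    The manifest must be produced by a build the attacker could not touch
    (an independent reproducible build) and stored where the release
    pipeline cannot rewrite it; a manifest generated on a compromised build
    host would simply describe the tampered files.
    """
    return {path: sha256_hex(content) for path, content in sorted(artifacts.items())}


def verify_release(shipped: dict, manifest: dict) -> dict:
    """Compare shipped files against the manifest.

    Returns sorted lists under four keys: files that match ("ok"), files
    whose digest differs ("modified"), manifest entries absent from the
    release ("missing") and shipped files the manifest never listed
    ("unexpected"). Anything outside "ok" should block the release.
    """
    result = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in shipped:
            result["missing"].append(path)
            continue
        actual = sha256_hex(shipped[path])
        # compare_digest is habit for any digest comparison, even public ones
        if hmac.compare_digest(actual, expected):
            result["ok"].append(path)
        else:
            result["modified"].append(path)
    for path in shipped:
        if path not in manifest:
            result["unexpected"].append(path)
    return {key: sorted(paths) for key, paths in result.items()}


def release_is_clean(shipped: dict, manifest: dict) -> bool:
    """True only when every manifest entry matches and nothing extra shipped."""
    findings = verify_release(shipped, manifest)
    return not (findings["modified"] or findings["missing"] or findings["unexpected"])


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_BUILD)
    print("clean release passes:", release_is_clean(CLEAN_BUILD, manifest))
    print("tampered release findings:", verify_release(TAMPERED_BUILD, manifest))
```

The check only has value if the manifest comes from outside the path the attacker controls: in the scenario the article describes, the build step itself was subverted, so the comparison must be against a digest produced by an independent rebuild from the same source, or one signed before the build host could have altered it.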
“When there’s cyber-espionage conducted by nations, FireEye is on the target list,” Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR. His company first discovered the breach when it detected malware spreading to its customers and was able to identify the tainted update.
He believes there are other less apparent targets that now might need more protecting. “I think utilities might be on that list. I think health care might be on that list. And you don’t necessarily want to be on the list of fair game for the most capable offense to target you,” he explained to NPR.