What is the SolarWinds hack? Everything you need to know
While it’s been a few years since the infamous SolarWinds hack, its effects are still rippling through the cybersecurity world today. What many believe to be the largest and most sophisticated attack ever has affected multiple organizations and left many questions unanswered. How did hackers manage to breach the company? Why did they carry out the attack? And could it happen again? In this article, we delve into the story of the most notable cyberattack of 2020.
What is SolarWinds?
SolarWinds is a U.S. company that develops IT software for businesses, helping them manage their networks, systems, and information technology infrastructure. Founded in 1999 in Tulsa, Oklahoma, SolarWinds today operates worldwide from its Texas headquarters, serving clients ranging from Fortune 500 companies to other global corporations.
As a global leader in business IT software, SolarWinds provides, among other services, network monitoring, management, and security solutions that let its clients optimize and keep watch over their infrastructure. Until 2020, the company had achieved huge success, signing contracts with the U.S. federal government, NATO, the European Parliament, and global businesses. But then a supply chain attack changed everything.
What was the SolarWinds hack?
In December 2020, the cybersecurity firm FireEye (a customer of SolarWinds’ Orion platform) detected suspicious activity within its network. FireEye’s investigation revealed that the attack originated from a compromise of SolarWinds’ Orion software updates. The cybersecurity company published its discovery, prompting investigations from various government agencies and cybersecurity experts, which confirmed that the SolarWinds network suffered a supply chain attack.
Further investigations revealed that, through the compromised SolarWinds systems, malicious actors gained access to the data of its clients, including government agencies and business corporations. SolarWinds estimated that at least 18,000 of its clients had been directly exposed to the threat actors through malicious code inserted into the software update patches.
How did the SolarWinds hack happen?
Specialists believe that the perpetrators of the SolarWinds cyberattack used a compromised employee account to gain unauthorized access to SolarWinds’ software build environment. There, they modified SolarWinds’ Orion software patches, injecting them with malicious code capable of creating backdoor access accounts in customer networks.
The company, unaware of any wrongdoing, sent the modified software to its clients as upgrade packages. Orion software users, multinational corporations and government agencies alike, installed the malware on their systems, allowing the hackers to access data stored in the databases of banks, major global businesses, and federal agencies.
SolarWinds hack timeline
Experts suspect that the SolarWinds hack began months before it was noticed in December 2020. Here is a preliminary timeline of the events:
- September 2019. Malicious actors gain access to SolarWinds’ network.
- October 2019. Malicious actors test the initial code injection into Orion (SolarWinds’ infrastructure monitoring platform).
- February 20, 2020. With the test complete, the hackers inject Sunburst (a malicious code) into the Orion software.
- March 26, 2020. SolarWinds, unaware of any wrongdoing, starts sending out modified Orion software updates with malicious code inside them.
- December 2020. FireEye discovers signs of suspicious activity in its systems and conducts an inquiry to expose the hack.
- December 13, 2020. FireEye publishes the results of the investigation, starting a chain reaction of extensive government investigations and increased scrutiny of software supply chains.
The aftermath of the SolarWinds hack extends the timeline to this day, with the U.S. Securities and Exchange Commission (SEC) continuing the investigation into how technology and telecom companies handled the cyberattack.
What caused the SolarWinds hack?
While there have been many opinions on the cause of the hack, a few years after the incident, we can now clearly define the key reasons that led to this attack.
SolarWinds’ poor cybersecurity
While blaming the victim might sound insensitive, the evidence suggests that SolarWinds did little to prevent this attack. According to various sources, the company did not employ a chief information security officer or senior director of cybersecurity, and it had even been warned about its cybersecurity vulnerabilities (such as insecure File Transfer Protocol (FTP) servers and compromised employee account passwords) prior to the attack. Yet, despite the warnings, the company did little to nothing to improve its cybersecurity practices.
Sophisticated adversaries
While SolarWinds’ cybersecurity wasn’t a particularly tough cookie, the perpetrators of the hack were no amateurs either. Cybersecurity specialists believe that the attackers were experts in their field, likely nation-state threat actors or state-sponsored entities.
Supply chain vulnerability
Complex yet poorly protected, SolarWinds’ software supply chain allowed attackers to gain access to the system through multiple entry points. As a result, the hackers managed to remain hidden long enough to compromise the software’s build process unnoticed.
Who was responsible for the attack?
While the exact perpetrators of the SolarWinds hack remain unknown to this day, cybersecurity experts and government officials suspect it to be the work of Russian hackers. Some private cybersecurity firms and researchers have even presented evidence indicating that the hack could have been carried out by the Russian state-backed hacker group APT29 (also known as Cozy Bear).
However, while numerous federal and cybersecurity agencies strongly indicate that the SolarWinds hack was indeed a state-backed Russian attack, some sources claim that Chinese hackers could have used the same code as well. It is also possible that hacker groups from the two countries exploited the same malicious code simultaneously to gain access to the data they were after.
Who were the victims of the SolarWinds hack?
Out of 300,000 SolarWinds customers, 33,000 used Orion at the time. According to SolarWinds, of these 33,000 companies, around 18,000 installed software updates with malicious codes in them.
The companies included FireEye, government agencies such as the U.S. Department of Homeland Security and Department of Defense, some of the Fortune 500 companies, and thousands of other global technology firms, businesses, and government institutions.
How could the SolarWinds attack have been prevented?
While it’s hard to know for certain whether the SolarWinds hack could’ve been prevented, experts claim that the hackers would’ve had significantly more trouble gaining access if the company had listened to the expert warnings and implemented stronger cybersecurity measures.
According to the SEC reports, SolarWinds had the opportunity to fortify itself against a potential backdoor attack. However, when confronted by a former employee about the security gaps in the company’s virtual private network, management chose to push back.
The best approach to limiting the SolarWinds attack would have been to make lateral or vertical movement through the system as difficult as possible. However, additional measures, such as intrusion detection systems, strong authentication, and continuous employee training in cybersecurity practices, could also have helped secure the company’s software supply chain.
Why is it important to talk about the SolarWinds cyberattack?
The SolarWinds hack is one of the most significant cyberattacks in history. It exposed thousands of corporations and government agencies worldwide, providing a valuable lesson to those not keen on taking cybersecurity seriously. Billions of dollars in losses, stolen sensitive data, and reputational damage have left a mark not only on SolarWinds but on all the affected institutions, putting a massive emphasis on improving corporate cybersecurity practices.
Finally, the hack prompted significant shifts in corporate approaches to cybersecurity, triggering global policy changes and encouraging further discussions on collective actions needed to combat sophisticated cyberattacks. It’s important to continue talking about SolarWinds as a constant reminder that action, communication, and ownership are vital to creating a secure cyberspace for online entities and individuals.