Some cyberattacks are so groundbreaking that it takes time before we can fully examine what happened and what we can learn from the incident. Such was the case with the SolarWinds cyberattack, one of the most consequential software supply-chain attacks to date. In a virtual session during the 32nd Annual ACFE Global Fraud Conference, Stephen Head, CFE, who specializes in information security, recounted the attack and outlined steps organizations can take right now to build better protection.
What is SolarWinds?
SolarWinds creates information technology products used to monitor networks, identify potential problems, run preventative maintenance and keep systems from crashing. To do this, many of its tools run with elevated privileges and broad visibility into customers' networks. Because SolarWinds products are used by many Fortune 500 companies, numerous U.S. federal agencies and many state governments, the products have access to a wealth of sensitive data.
The SolarWinds attack sounds simple from an outsider's perspective, but it was a highly advanced operation with several meticulously planned steps. Simply put, the attackers inserted malicious code into a SolarWinds product update, which was then released to customers, whose systems and information were subsequently compromised. The attackers targeted the SolarWinds Orion product, which holds privileged access rights across the whole enterprise so that it can perform network infrastructure and database management. Head said, "When we're looking at the SolarWinds compromise, we're not looking at a bunch of teenagers in a basement; we're looking at a highly sophisticated, highly motivated attack." The attackers, estimated by some to have worked in a team of as many as 1,000 people, had specific interests and target organizations, and they orchestrated a detailed scheme to gather intelligence from them.
The timeline of the attack
In September 2019, the attackers accessed the SolarWinds network for the first time. Head explained that this most likely occurred through a phishing attempt or by exploiting a software vulnerability, either of which gave them a foothold inside the SolarWinds network from which they could expand their level of access. The threat actors then inserted harmless test code into the product for about a month, taking care not to be discovered, to confirm that changes they made would survive the build and reach customers unnoticed. After removing the test code, they developed the actual malware and injected it into the SolarWinds build process in February 2020.
The malware specifically targeted the software build environment for SolarWinds Orion. The goal was to have the malicious code inserted into a planned product update before that update was compiled, digitally signed and packaged for delivery to customers, so that the tampered release carried SolarWinds' own legitimate signature. In June 2020, once the backdoored update had shipped, the attackers removed their injection code from the build environment.
The software update went out to customers, who downloaded and installed it on their systems. For a period of days after installation the backdoor remained dormant, so that it would not raise an immediate red flag if a customer ran a security check on the newly installed software. Once active, it gathered information about the environment and sent it back to the attackers, who then selected which victims were worth pursuing further.
It wasn't until December 2020 that SolarWinds was made aware of the malware, by a customer (the security firm FireEye) that had detected an intrusion into its own systems and traced it back to the Orion software. Within days, SolarWinds had released a patched version, but many customers and technology specialists were shocked that no one on the SolarWinds development staff had noticed the added code. The whole scheme played out over more than a year, which speaks to how carefully the attackers planned every move.
Why was it not detected?
The next logical step for any anti-fraud professional is to ask why the threat was not noticed before the update was sent to customers. Head offered a few theories, the first of which calls for a reevaluation of where security effort is spent. "They probably spent too much time focusing on protecting the production environment and not protecting the development environment," he conjectured. By giving the build and development environment the same attention as production, the SolarWinds team might have discovered the malicious code.
Additionally, Head noted, "This was a highly sophisticated attack, so just by the nature of the attack, the hackers made every effort to ensure that they would not be detected." He described some of the measures the attackers took to cover their tracks:
Their malicious software followed the same naming conventions as SolarWinds' own code and used legitimate-looking file names.
The threat actors turned off event logging at certain times and altered network configuration to make detection more difficult.
They renamed their tools to match legitimate system utilities, so that one program launching another did not look suspicious.
They wiped their trail, removing tools and other traces once they were no longer needed.
They disguised and password-protected the files they stole while exporting them back to their own infrastructure.
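The second item above, logging being switched off, is one of the few attacker actions that leaves a trace of its own, because Windows records the act of disabling auditing and clearing logs. The following is an added example, not code from the session or the article, showing the kind of detection logic a security operations team would run over such telemetry. The event records are constructed; the event IDs are the standard Windows ones (Security 1102, the audit log was cleared; Security 4719, the system audit policy was changed; System 7040, a service's start type was changed), and "Sysmon" here stands in for whatever sensor the host runs.

```python
"""Flag log-tampering events and correlate them into anti-forensics sequences."""
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), one JSON record per line.
SAMPLE_EVENTS = """\
{"ts":"2020-03-02T01:12:03Z","host":"build-01","channel":"Security","event_id":4624,"user":"svc_build","detail":"An account was successfully logged on (type 3)"}
{"ts":"2020-03-02T01:14:10Z","host":"build-01","channel":"Security","event_id":4719,"user":"svc_build","detail":"System audit policy was changed: Object Access, Success removed"}
{"ts":"2020-03-02T01:15:41Z","host":"build-01","channel":"System","event_id":7040,"user":"svc_build","detail":"The start type of the Sysmon service was changed from auto start to disabled"}
{"ts":"2020-03-02T01:16:02Z","host":"build-01","channel":"Security","event_id":1102,"user":"svc_build","detail":"The audit log was cleared"}
{"ts":"2020-03-02T02:00:00Z","host":"build-02","channel":"Security","event_id":4624,"user":"alice","detail":"An account was successfully logged on (type 2)"}
{"ts":"2020-03-02T02:30:00Z","host":"build-02","channel":"Security","event_id":1102,"user":"alice","detail":"The audit log was cleared"}
"""

# Windows event IDs that indicate logging or a sensor is being tampered with.
TAMPER_RULES = {
    1102: "audit_log_cleared",
    4719: "audit_policy_changed",
    7040: "service_start_changed",
}


def parse_events(text):
    """Parse newline-delimited JSON records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def tamper_alerts(events):
    """Return one alert per event that matches a tampering rule, in input order."""
    alerts = []
    for ev in events:
        category = TAMPER_RULES.get(ev["event_id"])
        if category is None:
            continue
        # 7040 fires for any start-type change; only a service being disabled matters here.
        if category == "service_start_changed" and "disabled" not in ev["detail"].lower():
            continue
        alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                       "event_id": ev["event_id"], "category": category})
    return alerts


def anti_forensics_sequences(alerts, window=timedelta(minutes=30), min_categories=2):
    """Flag hosts where at least `min_categories` distinct tampering categories occur
    within `window`. A single cleared log can be routine maintenance; changing audit
    policy, disabling the sensor and then clearing the log within minutes is not."""
    by_host = {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host.setdefault(a["host"], []).append(a)
    flagged = {}
    for host, host_alerts in by_host.items():
        for i, first in enumerate(host_alerts):
            cats = {a["category"] for a in host_alerts[i:] if a["ts"] - first["ts"] <= window}
            if len(cats) >= min_categories:
                flagged[host] = sorted(cats)
                break
    return flagged


if __name__ == "__main__":
    found = tamper_alerts(parse_events(SAMPLE_EVENTS))
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['host']} {a['user']} {a['event_id']} {a['category']}")
    print("anti-forensics sequences:", anti_forensics_sequences(found))
```

Run against the sample, build-01 is flagged (three tampering categories inside two minutes) while build-02's lone log clearing produces an alert but no escalation. The caveat is the one the attack itself demonstrates: these events are only useful if they are forwarded off the host before the local log is cleared, so the collector must be a separate system the attacker cannot reach with the same credentials.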
What organizations can learn from the SolarWinds attack
The impact on businesses from an attack like the SolarWinds incident can be significant. Stolen customer data, sensitive information and intellectual property can erode public trust in the company. The good news is that there are ways organizations can prevent, respond to and recover from cybersecurity attacks. As Head warned, "It's not a matter of if you will be attacked, but when you will be attacked, so it's best to go ahead and be prepared for that ahead of time."
Head believes in the power of strong protections and robust detection and monitoring controls. Beyond the technical side, he also suggested strengthening the way security is approached across a company's workforce. "I've heard it said in companies, 'our people are our weakest link.' How can we flip that on its head and start thinking 'how can we make our employees our strongest link in the security chain?'" he asked the virtual attendees. He also offered several ways to protect organizations before an attack occurs:
Review supply-chain and vendor risk management; ask vendors for their software assurance and due-diligence reports.
Implement integrity controls, such as code signing, file-integrity monitoring and malware scanning, so that malicious code cannot sit undetected in what you deploy.
Build a "zero trust architecture" that protects assets inside the network, so that you don't depend solely on protection at the perimeter.
Split computer networks into different segments so an attacker doesn’t gain access to everything at once.
Make sure the right people have the correct access privileges, especially when someone changes roles within the organization or leaves.
Consider outsourcing security operations to companies that specialize in it so security management doesn’t get pushed to the side during busy times.
Create plans for detection, analysis, mitigation, containment, eradication and recovery.
Audit proactively, including technical audits and audits of cyber defense departments themselves.
Train employees, third-party providers and contractors about security awareness.
Read cyber insurance policies carefully so you know what is covered during a breach and what isn’t.
Stay aware and educated about what is in your environment, so that it is easier to notice when something out of place appears.
Complete a post-incident analysis of lessons learned and ways to strengthen your organization’s security.
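Two of the items above, integrity controls for deployed code and knowing what is in your environment, come down to the same mechanical check: record what an installation should contain and compare it against what is actually there. The following is an added example, not code from the session, the article or SolarWinds, of a file-integrity check against a known-good manifest. The install tree and file names (bin/Monitor.Core.dll and so on) are constructed for illustration.

```python
"""File-integrity check of an installed product against a known-good manifest."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under `root` (as a relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_to_manifest(manifest, root):
    """Report files added, removed, or changed in content while keeping their name.

    A trojaned library that keeps its legitimate file name lands under 'modified':
    the name still matches, the digest does not. Comparing names alone would miss it.
    """
    current = build_manifest(root)
    return {
        "added": sorted(set(current) - set(manifest)),
        "removed": sorted(set(manifest) - set(current)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def demo():
    """Create a constructed install tree, baseline it, tamper with it, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "Monitor.Core.dll"), "wb") as f:
            f.write(b"legitimate core library v1.0")
        with open(os.path.join(root, "bin", "Monitor.Agent.exe"), "wb") as f:
            f.write(b"legitimate agent")
        baseline = build_manifest(root)

        # Tampering: same file name, different content (a backdoored library)...
        with open(os.path.join(root, "bin", "Monitor.Core.dll"), "wb") as f:
            f.write(b"legitimate core library v1.0 + backdoor")
        # ...plus an extra file with a plausible-looking name dropped beside it.
        with open(os.path.join(root, "bin", "Monitor.Helper.dll"), "wb") as f:
            f.write(b"attacker tooling")

        return compare_to_manifest(baseline, root)


if __name__ == "__main__":
    print(demo())
```

The manifest is the thing to protect: take it at install time and store it off the host, or obtain it from the vendor over a channel independent of the download itself. Note the limit of this check, which the SolarWinds case illustrates. There the malicious code was compiled into the official build and carried a valid SolarWinds signature, so a manifest derived from the vendor's own release would have matched. Integrity monitoring of this kind catches tampering after installation and unexpected additions; defending against a compromised vendor build pipeline is the supply-chain and vendor-risk work in the first item of the list.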
Cyberattacks are not isolated events, and unfortunately, Head says, "They are more common than you realize." By implementing his suggestions proactively, organizations can reduce their risk, which is something all fraud examiners can support.