SolarWinds Cyber Attack
SolarWinds Cyber Attack: An Overview
What is the SolarWinds cyber attack? SolarWinds, a significant player in the software sphere, suffered an attack that began in September 2019. As a result of the attack, over 18,000 SolarWinds customers ended up installing updates containing malicious code. Hackers used it to steal customer data and then spy on other organizations.
The SolarWinds cyber attack has been explained from the perspective of the vendors affected, but here’s a look at its process, lifecycle, and global impact.
How SolarWinds Attack Was Carried Out
The SolarWinds assault was a typical supply chain attack. In these kinds of hacks, the attackers don’t go after their victims’ networks directly. Instead, they penetrate the system of a third-party supplier with access to their targets’ network assets. In this case, the third-party supplier was SolarWinds.
Many of SolarWinds’ customers use a system called Orion, which is a performance monitoring solution that tracks the status of SolarWinds' Orion customers. It has privileged access to gather performance data and other information from logs generated by customer IT assets.
This made SolarWinds an ideal target for hackers who successfully gained access to several thousand companies' networks.
SolarWinds Attack Lifecycle
The SolarWinds cyber attack timeline stretched out over six months, during which time the hackers patiently and systematically executed their hack. Here are the most critical milestones in the attack:
- In September 2019, hackers were able to access the SolarWinds network.
- They started testing their code injection in Orion in October 2019.
- About four months later, they injected malicious code called Sunburst into Orion.
- On March 26, 2020, SolarWinds began distributing Orion updates that contained the hackers’ malicious code.
The malware spread as thousands of SolarWinds customers installed the malicious code in the hacked update. Once on a victim’s system, the malware gave hackers access to customer IT systems. At this point, the attackers could install more malware, which enabled them to spy on additional organizations.
Impact of Attack on Organization’s Resource and Assets
In IronNet’s 2021 Cybersecurity Impact Report, 85% of SolarWinds cyber attack victims said the SolarWinds attack had an impact ranging from “small” to “significant.”
One of the most notable impacts was the financial fallout from the attack. On average, the attack cost companies 11% of their annual revenue. The impact was more dramatic in the United States than across seas. In the U.S., the average impact was 14% of annual revenue, while U.K. companies suffered 8.6% losses. Those in Singapore had to deal with a financial hit of 9.1% of their annual revenue.
There were some positive impacts as well, with 81% of survey respondents saying they’re more likely to share best practices with other organizations as a result of lessons learned during the attack.
Some had already started changing their practices. Sixty-seven percent had begun sharing information with their peers in the tech sector. Also, half had started sharing additional information with government agencies.
Key Steps Taken by SolarWinds to Minimize the Losses and Safeguard the IT Environment
SolarWinds jumped to action as soon as they figured out the nature of the attack and how to mitigate it. Because Orion was the gateway for the attack, SolarWinds released patches to eliminate the possibility of Orion being used to spread malware. When SolarWinds took this step, it helped protect customers that needed to allow Orion access to their IT systems.
This safeguarded current and future Orion customers' IT environments because it allowed admins to share IT data without exposing their systems to malware. As a result, the performance metrics and logs Orion uses as it monitors each company’s system could be collected and analyzed by the system without exposing its IT environment to danger.
How Organizations Can Prepare Themselves to Deal With SolarWinds Type of Cyber Attacks
By taking a proactive stance regarding how you audit system performance, use data loss prevention tools, and double-check the effectiveness of security systems, you can greatly reduce the chances of a similar supply chain attack impacting your organization. For example, you can do the following.
Implement Log Management and Security Information and Event Management (SIEM)
A SIEM system works by examining IT logs and looking for anomalous activity that could pose a threat. A SIEM system is, for many organizations, one of the fastest ways to detect a hack. This is because when you feed system logs into the SIEM, it can identify:
- Changes in how your network operates
- Unusual data movement
- Unsafe user behavior
- The presence of unauthorized users
Here are two examples:
- If a server on your company’s network suddenly starts sending out many gigs of data every minute, a SIEM solution could detect that kind of activity, trigger an alert, and pinpoint where it was happening. Then IT admins could immediately take steps to shut down that server or disconnect computers, databases, or other internal resources that could be communicating with it.
- If a database contains proprietary company blueprints, videos, photos, and other sensitive intellectual property, your SIEM could detect the abnormally large movement of data and enable IT staff to put a stop to it.
Audit Active Directories for Changes
An Active Directory monitoring system inspects elements of your network and their activity, auditing what’s happening in real time. This way, if something out of the ordinary happens, the system can detect it.
You can use this information to both stop attacks as they happen and prevent future incidents. For example, by looking at the audit data produced immediately before and during an attack, you can identify the malicious behavior that occurs during that kind of hack. You can also pinpoint the systems that type of hack tries to take advantage of. With this data in hand, security teams can install tools, such as firewalls and web application firewalls, that safeguard the exact components and network segments hackers like to target.
Perform Regular Penetration Tests
Penetration testing is a powerful tool, not just because it lets you know whether your system is vulnerable to different kinds of attacks, but also because it comes with a full report on the overall health of your network. In addition, a comprehensive penetration test can predict the kinds of attacks your system and its assets are most likely to experience.
If you outsource your system's monitoring to a third party like SolarWinds, a penetration tester can provide a detailed outline of the types of attacks that could try to take advantage of that partnership. In addition, a penetration test can also give you a full report on other third-party relationships that could expose you to supply chain attacks, such as those that require you to share customer data outside your internal network.
Bolster Your Data Loss Prevention System
With a data loss prevention (DLP) system, you can easily catch and stop an exfiltration attack and attempts at unauthorized access. For some organizations, DLP solutions can be problematic because they’re so sensitive that they trigger many false alerts. However, you can create a system that filters out the least significant alerts, surfacing those that may pose the most imminent threats. In this way, you reduce alert fatigue while also safeguarding your assets.
For instance, if your DLP sends alerts every time someone enters the wrong password, you can add an extra parameter, such as a geolocation factor, to fine-tune your alert system. For example, you can design your system to prioritize alerts that come from three or more errantly entered passwords—but also those made from IP addresses many miles away from where the authentic user typically logs in.
Regardless of how you use your DLP, the most important thing is to never completely ignore something suspicious. If a SolarWinds-style attack resulted in stolen login credentials, for example, the rules your DLP uses can serve as a powerful first line of defense. You can tune them according to many different parameters.
How Fortinet Can Help
Fortinet’s FortiGate next-generation firewall (NGFW) is an effective tool in stopping zero-day, SolarWinds-style attacks. For instance, a FortiGate NGFW can use machine learning to identify behavioral patterns that indicate threat activity. Even if a zero-day attack’s threat signature hasn’t been logged by the system, FortiGate can identify it based on how it behaves, the port it accesses, and where it comes from.
Fortinet also offers a zero-trust network access (ZTNA) solution that enables employees to work from home or in a hybrid environment without sacrificing network security. Because Fortinet’s ZTNA ensures that only authorized users can access your apps, you can easily stop SolarWinds-type hackers that steal access credentials. For example, they will be forced to prove their identities using multiple credentials like biometric information, rendering a mere username and password ineffective.
In addition, Fortinet’s FortiGuard uses AI-powered systems to enhance the performance of all security solutions connected to the Fortinet Security Fabric. As a result, threats are detected and mitigated faster, providing superior protection across your ecosystem.
For example, FortiGuard Labs has expert threat analysts and researchers that constantly examine applications and third-party products for potential weaknesses. Over two days in September 2022, FortiGuard Labs discovered five vulnerabilities in Netgear appliances that SolarWinds-style attacks could have exploited.