Navigating Cyber Threats: Key Lessons from a Major Security Breach

Incident Date : 2024 | Topic : Cyber | Region : North America | Tag : Case Study

SolarWinds is a major software company headquartered in Oklahoma, specializing in system management tools for network and infrastructure monitoring. The company serves hundreds of thousands of organizations worldwide, offering a range of technical services. One of its key products is the Orion IT performance monitoring system.

In December 2020, SolarWinds discovered that a group of hackers had gained access to the networks, systems, and data of thousands of SolarWinds customers. Investigations revealed that the attackers had begun their preparations nearly two years earlier, in 2019. That year, they stole an employee’s information and gained access to the SolarWinds network. Over several months, they repeatedly entered and exited the network, obtaining more access permissions each time. The attackers downloaded approximately 7 million emails from 70 managers and employees and copied source code. It was found that more than 18,000 of SolarWinds’ customers had inadvertently downloaded manipulated versions of its software. Through these manipulated builds, the attackers gained access to the customers’ information technology systems, which they could then use to install further malware to spy on other companies and organizations.

The attackers used a sequence of steps that clearly illustrates what is commonly called the “cybersecurity kill chain”, a model that describes the stages perpetrators follow while carrying out cyber-attacks, from initial reconnaissance to data exfiltration.

The attackers began with reconnaissance, collecting detailed insights into SolarWinds’ software development and distribution methods. This was followed by weaponization, where they embedded malicious code (SUNBURST) into legitimate software updates. These updates were then delivered to unsuspecting customers as routine updates. Upon installation, the malware exploited system vulnerabilities to create backdoors, establishing stealthy persistence within the networks. The installed malware then connected to attacker-controlled servers to receive commands and exfiltrate data, effectively giving the attackers control over the compromised systems. Through these actions, the attackers not only stole sensitive information but also gained the potential to disrupt operations. The attack’s sophistication underlines the critical need to detect and mitigate threats at each stage of the kill chain in order to prevent breaches of this magnitude.

Another insight from this cyber incident is that SolarWinds was presumably chosen because it provides services to numerous governments, corporations, and organizations. This highlights the crucial need for companies and governments not only to secure their own assets but also to ensure the cybersecurity standards of external vendors they rely on. In addition, during the investigation of the attack, it was revealed that SolarWinds had previously received concerning intelligence which was not adequately prioritized.

Months before the attack, both the U.S. Department of Justice and cybersecurity firm Palo Alto Networks had informed SolarWinds of unusual external communications from their Orion software. This highlights the importance for service providers to critical entities, such as government agencies, technology giants, and policy institutions focused on national security, to maintain a heightened awareness of any suspicious activities and to attentively consider any alarming feedback from their clients, especially when handling sensitive data.
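As an added illustration, not part of the original case study, the following Python script shows the kind of check that the warnings about unusual external communications point to: it parses constructed egress log lines and flags a monitoring host that repeatedly contacts a destination outside its expected allowlist at near-regular intervals, the command-and-control stage of the kill chain described above. All host, process and domain names in it are hypothetical placeholders, not real SolarWinds or SUNBURST indicators.

```python
import re
from datetime import datetime
from statistics import pstdev

# Constructed sample egress log (hypothetical names; not real SolarWinds telemetry).
# Fields: timestamp, source host, process, destination domain, bytes sent.
SAMPLE_LOG = """\
2020-09-01T02:00:00Z orion-srv-01 orion-monitor.exe updates.vendor.example 812
2020-09-01T02:15:00Z orion-srv-01 orion-monitor.exe api.unknown-cloud.example 1440
2020-09-01T02:30:00Z orion-srv-01 orion-monitor.exe api.unknown-cloud.example 1438
2020-09-01T02:45:00Z orion-srv-01 orion-monitor.exe api.unknown-cloud.example 1441
2020-09-01T03:00:00Z orion-srv-01 orion-monitor.exe api.unknown-cloud.example 1440
2020-09-01T03:02:10Z ws-finance-07 outlook.exe mail.vendor.example 20100
2020-09-01T04:00:00Z orion-srv-01 orion-monitor.exe updates.vendor.example 790
"""

# Destinations the monitoring host is expected to reach (assumed allowlist).
ALLOWLIST = {"updates.vendor.example", "license.vendor.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, proc, dst, nbytes = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "proc": proc, "dst": dst, "bytes": int(nbytes)})
    return events

def find_beacons(events, monitored_host, allowlist, min_hits=3, max_jitter=60.0):
    """Return {dst: hit_count} for non-allowlisted destinations that monitored_host
    contacts at least min_hits times at near-regular intervals (std. dev. of the
    gap in seconds <= max_jitter), the typical shape of C2 beaconing."""
    by_dst = {}
    for e in events:
        if e["host"] == monitored_host and e["dst"] not in allowlist:
            by_dst.setdefault(e["dst"], []).append(e["ts"])
    findings = {}
    for dst, stamps in by_dst.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            findings[dst] = len(stamps)
    return findings
```

A real deployment would feed firewall or proxy exports into parse_log and treat any finding from a vendor-supplied monitoring host as an alert to investigate, exactly the signal the customers' feedback to SolarWinds described.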

It is suspected that this major cyber-attack was carried out by a group backed by the Russian government, aiming to infiltrate United States federal government organizations that were SolarWinds’ customers. The astonishing level of time, funding, and precision invested in executing the attack emphasizes its complexity and meticulous planning. Given the scale and sophistication of this cyber-attack, it is plausible to assume that such operations were, and continue to be, financed with government-level resources.

ASERO is uniquely positioned to help prevent cyber incidents like those experienced by SolarWinds, thanks to its team of globally recognized cyber security pioneers. ASERO stands at the forefront of cybersecurity with a team of world-leading experts and a proven track record. Our advanced cybersecurity strategies, customized for entities like government agencies and major corporations, leverage the latest technological practices to safeguard critical infrastructures. Our services include cybersecurity risk assessments, penetration testing, and the development of robust security policies and procedures, ensuring comprehensive protection against today’s evolving cyber threats.