The ‘SolarWinds’ cyberattack on the US government and several other private organisations across the world is one of the biggest ‘supply-chain’ attacks reported in recent times. The attack was first highlighted by the cyber-security firm FireEye on December 8, when it found itself under attack. Since then more revelations have come to light, showing that this is one of the largest attacks of its kind and global in scale. The main target, though, appears to be the US government.
The Federal Bureau of Investigation (FBI), in a joint statement with the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI), called this “a significant and ongoing cybersecurity campaign.” All three agencies are now investigating the attack.
Microsoft also issued a statement this week saying it had found evidence of the malware used to target the SolarWinds software in its networks. Cisco is the latest victim to have confirmed that it too was compromised by the attack.
Here are five points to note about this cyber-attack based on what has been revealed so far:
SolarWinds and Orion software
According to FireEye, the manner in which the attack was carried out indicates this was a supply chain attack. This means the attackers, who according to FireEye had access to advanced capabilities and were extremely focused, chose to target the companies supplying software to the US government and other private players rather than those organisations directly.
Hackers targeted Orion, an IT management software product made by the Texas-based company SolarWinds. FireEye has named the malware ‘Sunburst’; it was inserted into an update for Orion, which was then installed by 17,000 of SolarWinds’ customers.
A long campaign
What is most worrying about the SolarWinds hack is that it appears to have been a long campaign that carried on surreptitiously for many months. FireEye says the campaign began in spring 2020.
According to SolarWinds, the cyber-espionage campaign began in March 2020 and continued undetected for many months. FireEye only discovered something was wrong when it was itself attacked and its own cybersecurity tools were stolen, and it began investigating that intrusion.
Well-hidden attackers who monitored their targets
According to FireEye’s posts, the attackers were highly skilled and had access to sophisticated tools. They were able to enter the networks of their intended targets stealthily and then monitor those targets and their network data. According to a Reuters report, even emails written by members of the Department of Homeland Security were monitored by the attackers.
FireEye says there is evidence that data theft took place. The attackers hid in the systems of US government agencies and private organisations for months, managing to ‘blend in’ and keep a low profile, which is why they went undetected for so long.
FireEye says the attack is state-sponsored, and while several US government officials and reports point fingers at Russia, the cyber-security firm has refused to name any country.
In FireEye’s blog post, its CEO Kevin Mandia wrote, “We are witnessing an attack by a nation with top-tier offensive capabilities…The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus.”
US Senator Mitt Romney has compared the attack to “a modern equivalent of almost Russian bombers reportedly flying undetected over the entire country.” He also criticised the White House for remaining silent on the issue.
In an opinion piece written for The New York Times, Thomas P Bossert, former Homeland Security Adviser to President Donald Trump, also named Russia for the attack and said it points to the Russian intelligence agency known as the SVR. Russia has so far denied any involvement in the attack.
Several reports have indicated that the sophisticated nature of the attack means Russia was the likely perpetrator, though there is no official confirmation. In a blog post, Microsoft also mentioned Russia, saying the “attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.”
Cisco is the latest victim to confirm it was hacked
Cisco Systems has also confirmed it was hacked as part of the cyberattack campaign. Bloomberg reported that some internal machines used by Cisco researchers were targeted.
A statement by Cisco said, “While Cisco does not use SolarWinds Orion for its enterprise network management or monitoring, we have identified and mitigated affected software in a small number of lab environments and a limited number of employee endpoints. We continue to investigate all aspects of this evolving situation with the highest priority.”