The SolarWinds Hack and What It Means For Your Organization
Many thought that the recent FireEye breach was the last major cyber incident in 2020. However, it has now emerged that it was just a small portion of a massive supply chain attack that originated from SolarWinds’ Orion network management software.
The SolarWinds hack has impacted many private organizations, the US Departments of Treasury and Commerce, the Pentagon, and several federal agencies. Although we are yet to receive full details on the scope and severity of the attack, several reputable publications are already alluding that it could be “the greatest hack attack” of all time.
Here’s all we know about the SolarWinds hack and what it means for your organization. To get started please watch our latest video on YouTube:
How Did SolarWinds Get Hacked?
Bad cyber actors intercepted SolarWinds’ development operations and inserted a malicious code inside a software update that the company released in March. Once companies installed the compromised software, it “phoned home” to the attackers and allowed them to access the users’ systems. Since the update was digitally signed and released by SolarWinds, most organizations didn’t suspect anything until FireEye’s discovery.
Russia has denied having a hand in the breach. However, several government officials and cybersecurity experts have concluded that the hack bears the strains of Russia’s nation-state hacking group Cozy Bear (ATP 29).
The attack’s reasons are yet to be understood, but experts suspect espionage and think that its impacts will be felt for several years to come.
Which Organizations Have Been Affected By The SolarWinds Hack? According to SolarWinds, 18,000 out of its 30,000 customers had already installed the malicious software when they realized something was amiss. But this is just an estimate of the primary victims; the number could be higher as investigations deepen.
All the SolarWinds clients are currently undertaking systems audits to determine if the hack affected them or their affiliates. Already, Microsoft has confirmed that the breach impacted it. The tech giant has acknowledged that more than 40 of its customers across eight countries had already installed the compromised software. However, it holds that there’s still no evidence whatsoever of unauthorized access of user credentials. “Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Is Your Organization At Risk? First, only the SolarWinds clients who loaded the Orion software’s March update are vulnerable to this hack. So far, the company says only 18,000 of its users installed the upgrade. However, even if your business loaded the update, the chances are that your systems are still safe. Why? 18,000 is a big target for any bad cyber actor to breach at once, even for a nation-state group like ATP29. The chances are that they prioritized high-value targets like multinational companies and federal agencies.
However, this doesn’t mean you’re any safer. Now that you have discovered the hack, the attackers are probably burning the midnight oil hiding their tracks and creating backdoors to return in the future.
There’s no telling who is or isn’t at risk. Even if your business doesn’t use SolarWinds, it could still be a potential target. How? If your company uses a third-party or vendor that runs this software, they could be compromised. And if they’re connected to your corporate network, the attackers can use the connection to enter your systems.
What Should You Do as An Organization?
Assume that you are a potential target and take all the necessary precautions. Because to be honest, the SolarWinds hack has taught us that nobody is safe or immune.
- Activate Incident Response Plan: This involves decommissioning the software and conducting a comprehensive search for Indications of Compromise (IoCs). If you don’t have an IRP, refer to the SolarWinds Orion security advisory here.
- Conduct An Extensive Network Assessment: Some cybersecurity experts believe that the attackers were in SolarWinds’ systems months before launching the attack and could have even conducted a mock attack a year ago. The same applies to you. You can only ascertain this by auditing your network for any malicious activities. Also, be on the lookout for backdoors that the attackers may be creating to return in the future.
Above all, you must be extra careful when sourcing software vendors and IT service providers. This is not the time to rely on lackluster IT support. Parkway Tech boasts over a decade of helping southeast U.S. organizations implement and maintain robust intrusion detection and prevention measures.
