2020-12-18

The big story in the digital world this week has been referred to as the “SolarWinds Saga.” You have probably never heard of SolarWinds, but I can almost guarantee your personal data resides on networks affected by this devastating attack.
SolarWinds makes and sells software that manages large networks. Like other software vendors, it has a special location, a “software repository,” where it develops new products and builds updates to existing software. Sometime in March 2020 that repository, which had previously been breached by an extremely sophisticated threat actor that experts attribute to Russia, was used as a springboard to distribute malware through a product patch.
SolarWinds estimated that 18,000 customers had installed the malicious patch, including the Department of Justice and the Department of Commerce. The malware has infected organizations in North America, Europe, Asia and the Middle East. Affected industries include software makers, health care, energy and government. SolarWinds was the leader in network and system monitoring tools, with more than $300 million in revenue from the infected product. The impact is huge.
The malware in the SolarWinds patch was initially identified as the cause of the FireEye breach. FireEye is one of the largest cybersecurity firms in the world. Its private repository of penetration testing (hacking) tools was stolen by cyber criminals.
Bloomberg had this to report:
“It was clear from the start that a cyber-attack by suspected Russian hackers aimed at several U.S. government agencies was going to be bad. One clue: National Security Advisor Robert O’Brien cut short a trip overseas early this week to rush back to Washington to help manage the crisis.
But on Thursday, the reality of just how sprawling — and potentially damaging — the breach might be, came into sharper focus. It started with a bulletin from the U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, warning that the hackers were sophisticated, patient and well-resourced, representing a “grave risk” to federal, state and local governments as well as critical infrastructure and the private sector. It didn’t take long to see how accurate the agency’s assessment was.”
Hypothetically, if I’m a highly sophisticated nation-state actor and I have a foothold in the repository of a huge software vendor, am I going to infect only one product? The answer is no. I’m going to infect as many software packages as I can to get the biggest bang for the buck.
Because of the breadth, depth and scope of this attack, some in the industry refer to it as an act of war. In the digital world, this may end up wreaking havoc on an untold scale. This may be bigger than the 2015 Office of Personnel Management breach.
In talks today with our cybersecurity experts at CyberEye, we’ve concluded that the most effective way to PREVENT this kind of attack, known as a supply chain attack, is for end users to adopt a default-deny posture and implement application-level zero trust policies. Those SolarWinds customers who had done so would have been unaffected by this attack.
And for those currently compromised, this approach, if implemented now, will stop the hemorrhaging.
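To make the default-deny idea concrete, here is an added illustration (not CyberEye’s product or any vendor’s code) of a hash-based application allowlist: an executable at a trusted path runs only if its digest has been explicitly approved, so a freshly installed vendor patch is blocked until an administrator reviews it. The binaries and the path name are constructed samples.

```python
"""Default-deny, hash-based application allowlist (added illustration)."""
from __future__ import annotations

import hashlib

# Constructed sample binaries standing in for a vetted product build and a
# later vendor update that has not yet been reviewed. Real files would be read from disk.
KNOWN_GOOD_BUILD = b"monitoring-agent build 1.0 (constructed sample, vetted)"
UNVETTED_UPDATE = b"monitoring-agent build 1.1 (constructed sample, from update channel)"
MONITOR_PATH = r"C:\Program Files\Vendor\monitor.dll"  # hypothetical path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict[str, list[bytes]]) -> dict[str, frozenset[str]]:
    """Map each path to the set of digests an administrator has explicitly approved."""
    return {p: frozenset(sha256_hex(b) for b in blobs) for p, blobs in approved.items()}


def evaluate(path: str, content: bytes, allowlist: dict[str, frozenset[str]]) -> tuple[str, str]:
    """Decide whether an executable may run. Anything not explicitly approved is denied."""
    digest = sha256_hex(content)
    approved = allowlist.get(path)
    if approved is None:
        return "deny", f"no allowlist entry for {path}"
    if digest not in approved:
        # A changed binary at a trusted path (e.g. a newly installed patch) is exactly
        # the case a default-deny posture catches: it runs only after it has been reviewed.
        return "deny", f"digest {digest[:12]} at {path} is not an approved build"
    return "allow", f"digest {digest[:12]} matches an approved build"


def approve_build(path: str, content: bytes, allowlist: dict[str, frozenset[str]]) -> None:
    """Administrator action after vetting an update: add its digest to the allowlist."""
    allowlist[path] = allowlist.get(path, frozenset()) | {sha256_hex(content)}


def demo() -> list[str]:
    """Walk through the scenario the article describes; returns the decisions made."""
    allowlist = build_allowlist({MONITOR_PATH: [KNOWN_GOOD_BUILD]})
    decisions = [
        evaluate(MONITOR_PATH, KNOWN_GOOD_BUILD, allowlist)[0],   # approved build runs
        evaluate(MONITOR_PATH, UNVETTED_UPDATE, allowlist)[0],    # new patch is blocked
        evaluate(r"C:\Temp\unknown.exe", UNVETTED_UPDATE, allowlist)[0],  # unknown path blocked
    ]
    approve_build(MONITOR_PATH, UNVETTED_UPDATE, allowlist)       # only after review
    decisions.append(evaluate(MONITOR_PATH, UNVETTED_UPDATE, allowlist)[0])
    return decisions


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The denial messages are what a security team would review before approving a new build; the enforcement point itself (endpoint agent, OS policy, or similar) is assumed and not shown here.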