SolarWinds was a huge security breach. Over 18,000 government agencies and companies were infected by a Trojan horse, which installed a digitally signed backdoor into the network.
FireEye, a cybersecurity company, discovered one line of malicious code in a SolarWinds Orion update on December 13, 2020, while investigating a breach of its own network. FireEye estimates that the attackers first gained access in March 2020. For nearly eight months, malicious actors stole untold quantities of sensitive data from infected organisations, and the full extent of the breach is still being discovered.
Although Microsoft seized the code’s command-and-control server (a common element of botnet attacks), some security experts believe that the attackers may still be able to access the SolarWinds Orion software framework. Others speculate that the hackers may have left behind additional, as yet undiscovered malicious code.
The SolarWinds data breach may be the largest in history, both in scale and in impact. Its effects are likely to last a long time, and affected companies are still trying to figure out how to fix it. Let’s first look at how the attack happened.
How the SolarWinds attack works
SolarWinds was a supply-chain attack, also known as a third-party attack. Rather than attacking thousands of companies one by one, the hackers compromised the IT management software used by hundreds of thousands of businesses. Roughly 18,000 of those customers installed an update in spring 2020 that contained the malicious code.
Here’s Keith Barker, SPOTO trainer, giving a detailed explanation of the SolarWinds hack:
Keith explains that the SolarWinds attack was a supply-chain attack. This is not a new type of attack: the 2018 Equifax breach and the 2014 Target breach were likely due to security vulnerabilities in third-party suppliers. To protect against such attacks, the DoD recently implemented the Cybersecurity Maturity Model Certification.
SPOTO trainer and security expert Bob Salmans walks through the stages of an APT attack, so that companies know what to do to recover from one and how to detect the next.
6 Stages of APT attacks (and how to detect them)
Advanced Persistent Threats are the cyber equivalent of evil cyber ninjas. These hackers are well-funded, highly skilled groups hired by countries or other groups to steal data. That data could include defense-related data, such as missile defense systems or the next super-elite fighter plane, medical breakthrough data like a vaccine for COVID-19, or the Colonel’s secret recipe.
APTs are well-funded, which means they can hire the best people and buy the tools they need. They are quiet and cunning, which is why I liken them to evil cyber ninjas. They can go unnoticed in a compromised environment for many months or even years, as in the SolarWinds attack.
Although APTs are skilled, quick, and dangerous, they tend to follow a similar attack pattern, which gives organizations a chance to detect their entry and their movements.
Stage 1: Target identification
The sponsor of the APT decides what type of data it wants to obtain. The APT then works out which organizations are likely to hold that data and builds a list of targets. In some situations the sponsor supplies the target list itself.
How to detect Target Identification: One sign that an APT is lining up your organization is the appearance of domain names that closely resemble your company’s name. For example, wigets.com is very close to widgets.com.
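The lookalike-domain check above can be automated. The Python below is an added example, not code from the original article or from SPOTO: it generates common lookalike variants of your own domain (dropped, doubled, swapped, or homoglyph-substituted characters), then scans DNS query log lines for queries to any of those variants or to any domain within edit distance 1 of yours. The log lines, the domain widgets.com, and the log format "timestamp client qname" are constructed for the example.

```python
"""Flag DNS queries for domains that look like our own (constructed example)."""

# Constructed sample DNS query log; one line per query: timestamp client qname.
SAMPLE_DNS_LOG = """\
2020-12-13T10:01:02Z 10.0.0.5 widgets.com
2020-12-13T10:01:09Z 10.0.0.7 mail.widgets.com
2020-12-13T10:02:15Z 10.0.0.9 wigets.com
2020-12-13T10:02:40Z 10.0.0.5 wldgets.com
2020-12-13T10:03:01Z 10.0.0.8 example.org
2020-12-13T10:03:30Z 10.0.0.6 widgetz.com
"""

# Characters that are easy to confuse in a browser address bar (illustrative set).
HOMOGLYPHS = {"i": "l1", "l": "i1", "o": "0", "0": "o", "e": "3", "a": "4", "s": "5"}


def lookalike_variants(domain):
    """Return lookalike domains built by omission, doubling, transposition and homoglyph swaps."""
    name, _, tld = domain.lower().rpartition(".")
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # omission: widgets -> wigets
        variants.add(name[:i] + name[i] + name[i:])           # doubling: widgets -> wiidgets
        if i + 1 < len(name):                                  # transposition: widgets -> wdigets
            variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        for sub in HOMOGLYPHS.get(name[i], ""):                # homoglyph: widgets -> wldgets
            variants.add(name[:i] + sub + name[i + 1:])
    variants.discard(name)
    return {v + "." + tld for v in variants}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname):
    """Crude registrable-domain extraction: keep the last two labels (assumes a single-label TLD)."""
    parts = qname.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def flag_lookalikes(log_text, our_domain, max_distance=1):
    """Return (qname, client, reason) for every query that resembles our_domain."""
    our_domain = our_domain.lower()
    variants = lookalike_variants(our_domain)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        reg = registrable(qname)
        if reg == our_domain:          # our own domain and its subdomains are fine
            continue
        if reg in variants:
            hits.append((qname, client, "known lookalike pattern"))
        else:
            dist = levenshtein(reg, our_domain)
            if dist <= max_distance:
                hits.append((qname, client, f"edit distance {dist} from {our_domain}"))
    return hits


if __name__ == "__main__":
    for qname, client, reason in flag_lookalikes(SAMPLE_DNS_LOG, "widgets.com"):
        print(f"{client} queried {qname}: {reason}")
```

The same variant list is what you would hand to a domain-monitoring or certificate-transparency watch to learn about lookalike registrations before they show up in your own logs; the edit-distance fallback catches spellings the pattern generator did not anticipate, at the cost of some false positives on short domain names.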