SolarWinds: New Information Surfaces About The “Most Sophisticated Attack Ever”
Earlier this year, we wrote about what happened when SolarWinds, an I.T. management software and remote monitoring platform, suffered a major data breach.
From the spring of 2020 on, SolarWinds’ enterprise platform, Orion, was compromised by attackers. The Orion update servers were weaponized, affecting 18,000+ organizations, including government offices such as the U.S. Treasury, Justice and Commerce departments.
These hackers flew quietly under the radar, so SolarWinds didn’t uncover this breach until December 2020. Once found, it was discovered that cybercriminals had inserted malicious code into a software update, sending this malware to thousands of clients. From there, the attack branched further and further because it was utilizing third-party apps with privileged access to Office 365 and Azure products.
The U.S. Government has officially labeled the attack as a highly sophisticated espionage operation by a Russian-backed group. Since then, more information has trickled down as experts have learned more about the impact the event had. This furthers the notion that this is considered one of the most significant and devastating breaches in history.
How Did This Happen?
The short answer? Experts still aren’t sure.
This attack was a highly complex operation – that’s why it’s taken months even to begin to untangle its origins.
Here’s what we do know – this breach was unearthed after suspicious activity was noted in SolarWinds’ Office 365 environment, which led to the discovery of a compromised employee email account.
This email account was then used to access targeted SolarWinds business and technical personnel. By compromising the credentials of high-level SolarWinds employees, the threat actors could gain access to and exploit their Orion development environment.
But as for the details of the compromised email account and commandeered software update, that remains to be seen. A SolarWinds update stated the company is still investigating the attack and working with additional security companies for help.
Although the execution was intricate, the goal was simple: compromise as many administrative credentials as possible. Current theories believe that this could have been accomplished through a zero-day vulnerability in a third-party app.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has warned that multiple other infection vectors could have been used as well. For example, Volexity reported that cyber hackers stole and modified a specific cookie that allowed them to bypass multifactor identification tactics. The CISA also states that it is likely that other malicious vectors haven’t even been discovered yet.
What Does This Mean for My Business?
Switchfast does not use the SolarWinds Orion monitoring platform, so your infrastructure is not currently at risk. With the information available to us, we can say that we have not identified any such intrusions that would affect our clients. And to keep it that way, we’ll continue to keep a close eye on this situation and any additional updates.
With that being said, we strongly suggest you continue to follow online safety best practices. The more defenses you have against breaches like this, the less likely it is that you’ll be a victim of a digital disaster.
Remember to:
- Keep your antivirus and anti-malware software updated
- Consistently update your devices to avoid any missing patches or bug fixes
- Remind your employees to not click or download email attachments from unknown senders
- Mandate that your employees choose strong passwords
- Choose a password manager for your company
- Make sure your internet connection is secure and keep your antivirus programs up to date
- Implement zero-trust practices
If you have further questions about how your small business can stay protected against potential threats like these, we’re here to help. Download our free guide to keeping your company safe from cybercriminals today.
