Over the past week or so investigations into the recent SolarWinds attack which made international headlines in December 2020 have or are close to concluding. The revelations of the investigations show a truly massive scale of operations employed by the attackers, with many, including the US government, believing Russian state-sponsored hacking groups were involved. Major tech industry players were impacted like Microsoft and FireEye, along with government agencies with varying responsibilities. Microsoft should be applauded for their candor throughout the incident as well as their investigations that have helped keep the public informed.
In a recent interview with CBS News’ 60 Minutes Microsoft president Brad Smith answered many questions as to the scale of the attack and Microsoft’s unprecedented response to the incident. As to the scale, Smith and many others believe that the attack may have been the largest and most sophisticated the world has seen. Other reports estimate that 18,000 organizations may have been impacted by the attack.
Among important US agencies the US Treasury Department, the Cybersecurity and Infrastructure Agency (CISA), The Department of Homeland Security (DHS), and the US Department of State, and the US Department of Energy (DOE) confirmed that they had been impacted. The Wall Street Journal further estimates that 30% of the organizations impacted had no direct to SolarWinds or the impacted Orion product. This shows that it was not only Orion that was abused to gain access to targeted organizations.
As to the hacking operation, Smith noted that over a 1,000 hackers must have worked on the operations given the scale. Just to investigate the incident Microsoft dedicated 500 engineers. One of their discoveries was the code injected into the SolarWinds’ Orion product via a supply chain attack. The code injected was 4,032 lines of code, this sounds a lot but when it is considered that Orion has millions of lines of code, just over 4,000 would surely slip by most people’s notice. Smith warned, and has previously done so, of the danger posed by hackers who can infiltrate supply chains. In the interview Smith stated,
“While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy…on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency.”
Also interviewed was Kevin Mandia, CEO of FireEye, who answered questions about how the attackers were only detected after the damage was done. In FireEye’s case, the attackers had managed to enroll a second phone connected to a FireEye employee's account for its two-factor authentication system. Employees need that two-factor code to remotely sign into the company's VPN. In the interview he stated,
“Just like everybody working from home, we have two-factor authentication…A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that the individual had two phones registered to their name. So, our security employee called that person up and we asked, ‘Hey, did you actually register a second device on our network?’ And our employee said, ‘No. It wasn't, it wasn't me.’”
Microsoft Assets Stolen
Following the interview, Microsoft published their key finding regarding the incident. The good news is that Microsoft confirmed no evidence that hackers abused its internal systems or official products to pivot and attack end-users and business customers. However, confirming a previous blog post and covered in an article on this publication, that source code belonging to the Redmond tech giant was accessed. The scale of this was minimal, as only certain files were accessed from repository searchers, meaning that the attackers did not access the code to entire internal projects.
Beyond just viewing sets of code, the attackers did manage to download source code belonging to the Azure, Intune, and Exchange projects. However, the findings of the investigation showed that no damage was done to customers or that the stolen code led to attackers accessing the personal data of customers. Microsoft believes that several important lessons were learned, with the major one being a strengthening of their zero-trust policy, stating,
“A Zero Trust, “assume breach” philosophy is a critical part of defense. Zero Trust is a transition from implicit trust—assuming that everything inside a corporate network is safe—to the model that assumes breach and explicitly verifies the security status of identity, endpoint, network, and other resources based on all available signals and data. We’ve recently shared guidance for using Zero Trust principles to protect against sophisticated attacks like Solorigate [Microsoft’s classification of the attack]…Protecting credentials is essential. In deployments that connect on-premises infrastructure to the cloud, organizations can delegate trust to on-premises components. This creates an additional seam that organizations need to secure. A consequence of this decision is that if the on-premises environment is compromised, this creates opportunities for attackers to target cloud services.”
White House Investigation
Given the number of US government agencies that were impacted by the attack, it is little wonder the White House called for an investigation. Anne Neuberger, deputy national security advisor for Cyber and Emerging Technology at the White House gave a press briefing highlighting the concerns the White House has. One such concern is the possibility of future compromises stemming from the attack given its scale. In the briefing, it was noted that nine government agencies had their cybersecurity perimeters. Neuberger, who is a former director of cybersecurity at the National Security Agency, noted that many of the private organizations impacted form part of sophisticated company networks and whose products could be used in the future to again compromise targets. Neuberger noted,
“When there is a compromise of this scope and scale both across government and across the US technology sector to lead to follow-on intrusions, it is more than a single incident of espionage. It's fundamentally of concern for the ability of this to become disruptive…As a country we chose to have both privacy and security, so the intelligence community largely has no visibility into private sector networks. The hackers launched the hack from inside the United States, which further made it difficult for the US government to observe their activities,”
The SolarWinds incident highlights the threat well-orchestrated supply chain attacks can pose. The SolarWinds incident is rare in terms of its sheer scale and impact but certainly highlights the issues the technology sector’s supply chain is currently facing. Digging a little deeper, it is not just the supply chain that may be flawed but the software development process as a whole. The UK's National Cyber Security Center (NCSC) has issued a warning regarding this issue. It is felt that often security is ignored in the development process, despite those parties involved being well-educated as to the topic. The NCSC advises that companies adopt a continuous integration and continuous delivery (CI/CD) software development cycle. CI/CD has become a popular development framework for several reasons but in terms of security, it allows for continuous security checks before and throughout the rollout of the software.
To further improve security, it has been advised that the software’s development pipeline is also secured and that versions of the software are separated from one another to prevent multiple versions being compromised simultaneously if a disaster were to strike. Further software development teams are advised to adopt multi-factor authentication, designing system access with the principle of least privilege, make use of in-transit encryption, and using network security and monitoring for attacks. Lastly, the NCSC provides advice on how to select virtual machines for development work, stating,
“Performing each build in a single-use virtual machine will make it very hard for one build to attack another using shared hardware (like the CPU), whereas two builds sharing an OS kernel will have many more ways to interfere with each other. If a build can access stored information on other builds (such as their source code or build artefacts), then it may be able to steal secrets or modify those builds.”