Thanks to the craziness of the past year, one of the biggest stories of 2020 may have gone under your radar. In one of the worst cybersecurity breaches in American history, hackers penetrated the networks of up to 250 government agencies and businesses. The intruders, believed to be the Russian foreign intelligence agency SVR, were inside and undetected for at least nine months. While it appears that the hack was cyberespionage rather than a cyberattack (there does not seem to be any intent to destroy/manipulate data or cause physical damage), the fact that the Russians were able to get this kind of access should serve as a serious wake-up call.
The hackers used what is known as a supply-chain attack, meaning they entered the networks by compromising a less-secure supplier. In this case, the supplier was a Texas-based company called SolarWinds. First founded in Oklahoma in 1999, SolarWinds moved its headquarters to Austin in 2006, where it grew rapidly. In spite of the name, the company has nothing to do with solar or wind power. SolarWinds provides software that allows organizations to manage and monitor their IT, a market that the company absolutely dominates.
It was through SolarWinds’ management software product Orion that the Russians were able to gain access to numerous businesses and the federal government. A covert backdoor was inserted into Orion software updates that went out to nearly 18,000 customers. By entering through Orion, the hackers were able to avoid US government security systems designed to detect intrusions.
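The supply-chain mechanism described above, a backdoor riding inside a legitimate vendor update, is why operators are advised to check delivered update artifacts against digests the vendor publishes through a separate channel. The script below is an added illustration of that check, not code from the article or from SolarWinds; the file contents, the manifest and the names `agent.dll`, `updater.exe` and `helper.dll` are constructed for the example, and it assumes the manifest was pinned out of band before the update was downloaded.

```python
"""Added example (not from the article): verify vendor update artifacts
against a pinned SHA-256 manifest obtained out of band.

Assumption (constructed for this example): the vendor publishes a manifest
mapping file names to SHA-256 digests through a channel separate from the
update download, and the operator pins that manifest before installing.
"""
import hashlib
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a file's bytes."""
    return hashlib.sha256(data).hexdigest()


def verify_update(files: Dict[str, bytes],
                  manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare a delivered update with the pinned manifest.

    Returns (ok, findings). A digest mismatch, a manifest entry missing from
    the delivery, or a delivered file the manifest never listed is each a
    finding, and any finding rejects the whole update rather than one file.
    """
    findings: List[str] = []
    for name, expected in manifest.items():
        if name not in files:
            findings.append(f"missing: {name}")
            continue
        if sha256_hex(files[name]) != expected.lower():
            findings.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest:
            findings.append(f"unexpected file: {name}")
    return (len(findings) == 0, findings)


# Constructed sample delivery: a clean release, then a tampered copy of it
# in which one file has been altered and one extra file has been slipped in.
GOOD_FILES = {
    "agent.dll": b"legitimate agent build v1",
    "updater.exe": b"legitimate updater build v1",
}
# The pinned manifest is derived from the clean release for this example.
PINNED_MANIFEST = {name: sha256_hex(data) for name, data in GOOD_FILES.items()}

TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["agent.dll"] = b"legitimate agent build v1 + inserted code"
TAMPERED_FILES["helper.dll"] = b"file the vendor never shipped"


if __name__ == "__main__":
    ok, findings = verify_update(GOOD_FILES, PINNED_MANIFEST)
    print("clean release:   ", "ACCEPT" if ok else "REJECT", findings)
    ok, findings = verify_update(TAMPERED_FILES, PINNED_MANIFEST)
    print("tampered release:", "ACCEPT" if ok else "REJECT", findings)
```

The check only covers tampering between the vendor's publication and the operator's install: a manifest generated by the same compromised build pipeline would match the trojanized artifact, which is why the article's closing point about rapid detection inside the network still applies even when every digest verifies.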
How did the Russians hack SolarWinds in the first place? While investigators are still trying to figure that out, it appears that SolarWinds’ cybersecurity was severely lacking. Experts had warned of SolarWinds’ lax security practices for years. The company did not have a chief information security officer or senior cybersecurity director. Employee passwords were leaking on GitHub, and at one point the password for its update server was “solarwinds123”. Much of SolarWinds’ engineering had been moved to satellite offices in the Czech Republic, Belarus, and Poland, countries where Russian intelligence agencies are very active. In fairness, it’s unclear whether SolarWinds would have been able to resist an adversary as persistent and sophisticated as the SVR even if it had much better cybersecurity.
Needless to say, it’s been a very rough month for SolarWinds. On Tuesday, it was reported that SolarWinds software had been exploited in a separate hack, this time by suspected Chinese operatives. SolarWinds has also come under allegations of insider trading, with top investors having traded hundreds of millions of dollars in stock prior to the hack being publicly revealed. A class-action lawsuit has been filed accusing the company of making false and misleading statements about its security posture.
What needs to be done to prevent these kinds of hacks from happening in the future? Unfortunately, there don’t seem to be any easy answers. “It’s hard to know how to move forward after a breach like this. There’s not one single technical or policy decision that will solve the problem of software supply chain security,” said Ben Buchanan, a Georgetown University professor and the author of The Hacker and the State, in an interview with the Signal. “But the biggest thing is that this is a reminder of how vulnerable our computer networks are, in large part due to the vast challenges of managing trust. Given that vulnerability, large organizations should assume that at times their perimeter defenses will fail, and should judge themselves by their capacity to rapidly detect intrusions when they occur — because they certainly will.”
Photo: Colin/Wikimedia Commons