Inside the Hack
The origin of the hacks of FireEye and multiple US government departments (including the Departments of the Treasury, Commerce, and Homeland Security) has been traced back to malicious software updates distributed by the cybersecurity vendor SolarWinds. SolarWinds is believed to have been breached by cyber threat actors associated with Russia.
The attackers compromised the SolarWinds network and gained access to private keys that enabled them to create digitally signed, malicious software updates to SolarWinds’ Orion network monitoring product. The malicious updates provided the attackers with initial access to the networks of SolarWinds customers. From this starting point, the attackers were able to expand their access and gain elevated privileges.
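The security-relevant point in the paragraph above is that a code signature authenticates the signer, not the contents: once the attackers held the vendor's private key, a tampered update was indistinguishable from a genuine one to any client that only verifies the signature. The following is an added example, not code from the article, from SolarWinds, or from Orion; it uses Go's standard-library Ed25519 and a constructed, hypothetical update format and product name ("example-agent") to show that a signature-only check accepts a tampered update signed with the vendor key, while an independent check against a digest published out of band rejects it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Update models a distributed software update: the package bytes plus the
// vendor's signature over them. This is a constructed format for illustration.
type Update struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Sign produces a vendor-signed update. Whoever holds the private key can
// call this, which is exactly why a stolen signing key is so damaging.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Update {
	return Update{Name: name, Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifySignature is the check a typical update client performs: it only
// establishes that the signature was made with the vendor's key.
func VerifySignature(pub ed25519.PublicKey, u Update) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// VerifyAgainstManifest adds an independent control: the SHA-256 of the
// payload must match a digest obtained out of band (for example from a
// reproducible build performed by a second party), so a correctly signed
// but unexpected build is still rejected.
func VerifyAgainstManifest(pub ed25519.PublicKey, manifest map[string]string, u Update) bool {
	if !VerifySignature(pub, u) {
		return false
	}
	want, ok := manifest[u.Name]
	if !ok {
		return false
	}
	sum := sha256.Sum256(u.Payload)
	return hex.EncodeToString(sum[:]) == want
}

// Scenario runs the constructed example and returns three results:
// whether the signature-only check accepts the tampered update,
// whether the manifest check accepts the genuine update, and
// whether the manifest check accepts the tampered update.
func Scenario() (sigOnlyAcceptsTampered, manifestAcceptsGenuine, manifestAcceptsTampered bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample payloads standing in for a real build artifact.
	genuine := []byte("example-agent v1 (constructed sample payload)")
	tampered := []byte("example-agent v1 + backdoor (constructed sample payload)")

	// Digest of the genuine build, recorded independently of the signing key.
	sum := sha256.Sum256(genuine)
	manifest := map[string]string{"example-agent": hex.EncodeToString(sum[:])}

	good := Sign(priv, "example-agent", genuine)
	bad := Sign(priv, "example-agent", tampered) // signed with the same (compromised) key

	return VerifySignature(pub, bad),
		VerifyAgainstManifest(pub, manifest, good),
		VerifyAgainstManifest(pub, manifest, bad)
}

func main() {
	a, b, c := Scenario()
	fmt.Printf("signature-only check accepts tampered update: %v\n", a)
	fmt.Printf("manifest check accepts genuine update:        %v\n", b)
	fmt.Printf("manifest check accepts tampered update:       %v\n", c)
}
```

The second check only helps if the reference digest comes from a source the attacker did not control; a digest emitted by the same compromised build pipeline that produced the update would match the tampered payload and catch nothing. That is the practical reason reproducible builds verified by an independent party, and transparency logs that record what was published, are the mitigations usually paired with code signing.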
This attack campaign has already been discovered to have caused a breach of FireEye’s red team tools and allowed the cyberattackers to monitor email communications within the Departments of Commerce and the Treasury. However, SolarWinds also claims most of the Fortune 500, multiple US government departments and military branches, and major telecommunications and accounting organizations as clients.
While it is not certain that all of SolarWinds’ customers use affected versions of Orion, it is likely that other organizations have been impacted by the breach. The threat was significant enough that DHS issued an emergency directive to government agencies instructing them to physically disconnect all Orion devices from their networks and treat all systems monitored by these devices as compromised.
SolarWinds and the Supply Chain Security Threat
The cybersecurity threat posed by relationships with third-party organizations and by supply chains is not a new one. Some of the largest cyberattacks on record, such as the 2013 Target breach, involved exploitation of a trusted partner with access to the target network.
The SolarWinds hack and the resulting attack campaign simply serves to underscore the importance of having a strategy and solutions in place to manage third-party risk. Tools like Orion may be vital to an organization’s operations and cybersecurity strategy. However, it is essential that an organization identifies and acknowledges the potential cybersecurity risks associated with these trusted relationships and takes steps to minimize and mitigate them.