Unless you live under a rock, you probably hear about major security breaches occurring throughout the year. These incidents involve various groups of malicious hackers from different walks of life, each with their own motivation. Some of these groups might be hacktivists trying to support a cause they feel compelled towards, while others might be cyber criminals looking for financial gain. The most dangerous group, without any doubt, are “nation-state” hacking groups. What makes these groups so dangerous is the funding they receive, the level of talent they attract and the immunity their host nation provides, since the activities are carried out on that nation's behalf.
A Brief Timeline of the Attack
What could be argued as the largest data breach to have occurred to date was discovered at the end of 2020 by the cybersecurity firm FireEye. The firm discovered that its red team toolkit (which contained proprietary tools developed and used exclusively by FireEye) had been stolen and promptly started an investigation. During the investigation, FireEye noticed that the hackers had entered the network through a backdoor planted in SolarWinds' Orion software. FireEye immediately notified the software developer, SolarWinds, who began looking into the flaw. Their worst nightmare was confirmed when they realized that the backdoor had been intentionally inserted by hackers who had made it into SolarWinds' own network. With the malicious code containing the backdoor in place, it was pushed out with the next scheduled update, and every machine that installed that update immediately became vulnerable to the hackers.
An investigation revealed that SolarWinds had been compromised as far back as September 2019. The hackers then composed the malicious code, used techniques to obfuscate its traffic so that it appeared legitimate, and injected the code into the update; the update was compiled and pushed in February 2020. Once the update was pushed, the target machines needed only to update to the latest version. The hackers were then able to exploit the backdoor they had just delivered to thousands upon thousands of unsuspecting SolarWinds clients.
The hackers conducted what is known as a “supply chain attack”, in which the intended target is made vulnerable indirectly by attacking a weaker vendor that the target trusts and uses. SolarWinds is a massive software vendor trusted and used by tens of thousands of customers, but the most serious cases involve the US federal government agencies with which SolarWinds held contracts. Some of the affected organizations include, but are not limited to, the following:
- State Governments including Texas, Ohio, California and Arizona
- US Department of Defense
- US Department of State
- US Federal Reserve
- US Department of Homeland Security
- US Department of Justice
- The National Security Agency
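The defensive counterpart to the attack described above is to check that what a vendor ships is what its source actually builds. The following is an added example, not code from the post or from SolarWinds: it compares the files of a shipped release against an independent rebuild of the same tagged source, so that code injected somewhere in the vendor's build or update pipeline shows up as a hash mismatch before the package is deployed. All artifact bytes and file names are constructed for the example.

```python
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def hash_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name in a release to the SHA-256 digest of its contents."""
    return {name: sha256_hex(content) for name, content in files.items()}


def diff_release(shipped: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a vendor-shipped release against an independent rebuild of the same source.

    Returns the file names whose contents differ (candidate injected code), the files
    present only in the shipped package (nothing in the source tree accounts for them),
    and the files the rebuild produced that the shipped package lacks.
    """
    shipped_hashes = hash_manifest(shipped)
    rebuilt_hashes = hash_manifest(rebuilt)
    modified = sorted(
        name for name in shipped_hashes
        if name in rebuilt_hashes and shipped_hashes[name] != rebuilt_hashes[name]
    )
    unexpected = sorted(set(shipped_hashes) - set(rebuilt_hashes))
    missing = sorted(set(rebuilt_hashes) - set(shipped_hashes))
    return {"modified": modified, "unexpected": unexpected, "missing": missing}


def release_is_clean(shipped: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> bool:
    """True only when every file matches and neither side has files the other lacks."""
    return not any(diff_release(shipped, rebuilt).values())


# Constructed sample data (not real SolarWinds artifacts). REBUILT is what an independent
# build from the tagged source produces; the SHIPPED_* dicts stand in for vendor packages.
REBUILT = {
    "core.dll": b"MZ\x90\x00 clean build of core library",
    "ui.dll": b"MZ\x90\x00 clean build of ui library",
    "version.txt": b"1.2.3\n",
}
SHIPPED_CLEAN = dict(REBUILT)
SHIPPED_TAMPERED = dict(REBUILT)
# A package altered after the source was tagged: one file changed, one file added.
SHIPPED_TAMPERED["core.dll"] = REBUILT["core.dll"] + b" // placeholder for injected code"
SHIPPED_TAMPERED["extra.dll"] = b"MZ\x90\x00 file the source tree does not produce"

if __name__ == "__main__":
    print("clean release ok:", release_is_clean(SHIPPED_CLEAN, REBUILT))
    print("tampered release report:", diff_release(SHIPPED_TAMPERED, REBUILT))
```

The point of rebuilding independently rather than checking the vendor's signature is that a signature from the vendor's own pipeline only proves the package is what that pipeline produced, and the pipeline is exactly the step the attackers controlled in a supply chain attack.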
The World's Largest Compromise
I want to take a moment to explain why this is, without any doubt, the world's largest hack. The scale of the attack is still being calculated: given how much data the hackers had access to and how many organizations were affected, it may be years before the full extent of the compromise is understood.
Once the public was notified, IT and security teams scrambled to determine whether their networks had been affected. FireEye named the backdoor “SUNBURST”, and tools began to be released to determine whether a network was vulnerable (though a vulnerable install did not by itself establish that an actual breach had taken place).
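The distinction just made, that running a backdoored build is not the same as having been breached, is what the first triage pass had to capture. The following is an added example and not one of the tools the post refers to: it sorts a constructed host inventory into hosts without the product, hosts on an unaffected build, hosts on an affected build that still need investigation, and hosts on an affected build that a separate network review has already flagged. The affected version range is a placeholder assumption, not the real affected Orion builds.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder version range for the backdoored builds (an assumption for this example;
# the real affected builds are not reproduced here).
AFFECTED_MIN = "2.4.5"
AFFECTED_MAX = "2.5.1"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected_build(version: str) -> bool:
    """True when the installed build falls inside the affected range, inclusive."""
    return parse_version(AFFECTED_MIN) <= parse_version(version) <= parse_version(AFFECTED_MAX)


@dataclass
class Host:
    name: str
    orion_version: Optional[str]   # None when the product is not installed
    suspicious_outbound: bool      # result of a separate network review, not computed here


def triage(hosts: List[Host]) -> Dict[str, List[str]]:
    """Bucket hosts so that 'affected' is kept separate from 'confirmed breached'."""
    buckets: Dict[str, List[str]] = {
        "not_installed": [],
        "unaffected_build": [],
        "affected_investigate": [],
        "affected_with_indicators": [],
    }
    for host in hosts:
        if host.orion_version is None:
            buckets["not_installed"].append(host.name)
        elif not is_affected_build(host.orion_version):
            buckets["unaffected_build"].append(host.name)
        elif host.suspicious_outbound:
            # Affected build plus a network indicator: treat as a likely breach.
            buckets["affected_with_indicators"].append(host.name)
        else:
            # Affected build, no indicator yet: vulnerable, not yet shown to be breached.
            buckets["affected_investigate"].append(host.name)
    return buckets


# Constructed inventory for the example. "mon-04" is on 2.4.10, which a naive string
# comparison would place below 2.4.5 and wrongly call unaffected.
INVENTORY = [
    Host("mon-01", "2.5.0", suspicious_outbound=False),
    Host("mon-02", "2.5.1", suspicious_outbound=True),
    Host("mon-03", "2.3.0", suspicious_outbound=False),
    Host("mon-04", "2.4.10", suspicious_outbound=False),
    Host("web-01", None, suspicious_outbound=False),
]

if __name__ == "__main__":
    for bucket, names in triage(INVENTORY).items():
        print(f"{bucket}: {names}")
```

The buckets matter operationally: an unaffected build can be left alone, an affected build without indicators still needs log review before it is declared clean, and only the last bucket should be escalated as an incident.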
Who is the Hacker?
While it has not yet been determined with absolute certainty which hacker group was responsible for the attack, the US government has narrowed it down to one of the Russian state-sponsored Advanced Persistent Threat (APT) groups, such as Cozy Bear (APT29), Berserk Bear, or any number of unknown groups run by the Russian Federal Security Service (FSB) or Foreign Intelligence Service (SVR).
SolarWinds reported that only about 10% of its roughly 300,000 clients (an estimated 33,000) use the Orion software, and of those only about half (18,000) actually downloaded and installed the update that included the malware. This creates an interesting scenario in which the clients that did not follow standard industry practice and install the latest software patches were actually the ones unaffected. By the way, you should ALWAYS install the latest software updates; this scenario is a complete anomaly.
Why Have I Not Heard About This?
Chances are you may not have heard about this breach if you do not work in an affected industry, or if you have, the information might be scarce. The reason is that the personal impact on the average American citizen is small. At scale, though, this data breach is by far the largest we have encountered to date. In case you missed it, the Russian government had access to US federal government networks for roughly 6 months before anyone even knew about it. Some of these networks may have contained secret and classified information. We will not know the true depth of the attack at the federal level anytime soon, as the US government continues to investigate and take measures to ensure this does not happen again. The important thing moving forward is to take steps to ensure that it does not happen again. 2021 has already been a year of major cyber attacks, including the Colonial Pipeline ransomware attack, the Oldsmar water plant attack in Florida, and the Microsoft Exchange Server attacks.