By now, you have probably heard plenty about the massively successful hack caused by problems in Solar Winds Orion network monitoring software. Headlines have been hitting on the huge impact of the attack as well as some of the massive efforts undertaken to stop the attack from persisting. The Cybersecurity and Infrastructure Security Agency (CISA) even put out rare emergency directive to federal agencies ordering that they disconnect affected devices and report findings. Fallout from the attack, now dubbed Sunburst, has continued for days, with impacts ranging from US nuclear security to major software vendors, even a leading cybersecurity company was caught up in the attack. Weeks later, the attack has seen organizations such as Microsoft disclose that they suffered additional breaches thanks to the attack. As the fallout from this massive attack continues to unfold, we must ask ourselves, are we doing enough to stop cyber threats?
Cozy Bear, the latest Advanced Persistent Threat
At the time of this writing, CISA indicates that the attacker, also referred to as the threat actor, behind this massive hack is believed to be an Advanced Persistent Threat (APT) group called APT29 or “Cozy Bear”. Cozy Bear, a Russian government-sponsored hacking team was also implicated earlier this year by intelligence officials from the US, UK, and Canada for targeting COVID-19 vaccine research and development. Cozy Bear is one of growing number of state-sponsored APT groups causing havoc on digital infrastructure. Russia joins others such as China, Iran, and North Korea in operating offensive cyber teams that target government organizations and private businesses alike in order to advance the objectives of their sponsoring nation. US and allied intelligence agencies as well as professional cybersecurity researchers track the activities of APT groups over time by analyzing digital forensic footprints left by the attackers and gathering other information from the dark web and traditional spying. Digital footprints of these APT groups are refined over time as their methods and motives are analyzed. In the past, the US has even been able to identify individual people associated with these APT groups, one of the more notable cases being the indictment of two Iranian hackers in the ransomware attack that affected Atlanta in March of 2018.
The name says it all. Advanced Persistent Threats are known for their advanced tactics, utilizing nearly silent running to gain access, and their persistence within the systems they target, continuing to maintain access within breached networks for months, even years before being eradicated. In the Sunburst attack, many experts are suggesting that affected organizations must “burn down” their IT infrastructure, as in completely dismantle their networks and rebuild from scratch, in order to completely eliminate the chance of Cozy Bear having access to their networks. This is in large part due to the way Cozy Bear managed to breach the Solar Winds Orion product itself, hijacking and embedding malware into legitimate patches put out by Solar Winds several months earlier.
Supply Chain Attacks
Sunburst is known as a supply chain attack. Supply chain attacks are a type of cyber attack where threat actors leverage less-secure third-party vendors within the supply chain to breach the intended target. Although this type of attack is exceedingly rare, the Sunburst attack perpetrated by Cozy Bear demonstrates the devastating consequences when a trusted vendor is breached.
Solar Winds Orion is a network monitoring tool, widely used by large organizations to optimize network design and monitor key devices. For customers to utilize Orion for it’s intended purpose, they must give the platform a great deal of access to their network and key systems. Orion is given access to network traffic in order to provide the customer with insights into what’s going on over their network as well as using software agents installed on servers and other devices to providing system and service health monitoring. Cozy Bear hackers were able to gain access into Solar Winds, the developer of the Orion software and embedded malware into the code developed at Solar Winds before it was pushed out to customers. By doing this, the hackers turned Solar Winds into the distributor of their malware product. Cozy Bear leveraged the trust customers had put into their vendor, Solar Winds, to get backdoors installed into thousands of networks over the course of months, with the first affected patches going out in March of 2020.
Cyber hygiene and supply chain attacks
Too often, when cyber-attacks make the news, the affected organizations ultimately get the blame for not following good cyber hygiene in some way. Often the victims will have unpatched systems or will have not implemented other security controls and the attacker will leverage some weakness within the victim organization’s cybersecurity program. However, this supply chain attack is especially problematic because customers who were breached did not necessarily do anything wrong in terms of good cyber hygiene.
Solar Winds is a leading vendor of network monitoring products, not some fly-by-night company. Their reputation was very good leading up the attack and they themselves state that they follow acceptable cybersecurity standards, standards good enough that they were a preferred vendor of several US government agencies. So, in terms of doing vendor due-diligence, Solar Winds would have passed with flying colors!
Also, good cyber hygiene requires developing a patch policy that includes applying updates from vendors regularly to keep their software up to date and secure. So, organizations that applied patches for their Orion implementation within the past 9 months or so, ended up getting the Cozy Bear malware as well!
Is cyber hygiene going to change?
First off, it is important to note that supply chain attacks like Sunburst are rare. The vast majority of cyber attacks against both public and private organizations still come directly to the target organization through more common means that leverage weaknesses and gaps in common cyber hygiene. It is also important to realize that the very nature of how the Solar Winds Orion product works would have made it nearly impossible to neutralize the effects of this type of attack before it was detected. Finally, combating the ever-changing tactics of APT actors is incredibly difficult. Even with massive resources, governments, large companies, and intelligence organizations are still playing a cat and mouse game with the APT threat actors every single day and sometimes, like in this case, they come up short.
With that said, organizations of all size must identify and address the risk posed by supply chain attacks. Now more than ever, it is important for organizations to take inventory of systems, tools, and data and begin examining this inventory in terms of the risk it poses to the organization. It is especially important to examine our IT management tools, that although provide benefits to managing infrastructure more efficiently, also present attackers with the keys to the kingdom when compromised.
We must also demand more of our vendors and indeed some are heeding the call. Undoubtedly this incident will be analyzed thoroughly, and any shortcomings of Solar Winds will be brought to light and addressed, just as they are any time a breach of this magnitude is discovered. However, simply demanding that vendors meet arbitrary cybersecurity audit standards doesn’t appear to be slowing the rising tide of threat actors. Something must be done to measure real cybersecurity maturity within an organization. For that we must look to the folks writing the standards and assessing these vendors to look beyond the audit checkmark. Cybersecurity maturity and hygiene must be examined holistically, in context with risk and the culture within the organization if we have any chance at stopping these threats in the future.
Andrew “AJ” Jarrett is the Cyber Enterprise Program Manager at The TEEX Cyber Readiness Center where he regularly assists public and private organizations with developing cybersecurity programs. If you are interested in having your organization’s cybersecurity hygiene and risk evaluated holistically, click here to get in touch.