The Sunburst supply chain attack explained
A couple of years ago, cybersecurity firm FireEye fell victim to a supply chain attack carried out with a particularly sophisticated piece of malware, whose creators, and what drove them to carry out the attack, remain unknown to this day. Let us take a look back at this event and examine the causes and the impact of the supply chain attack now known as Sunburst (the name given to the malware as well).

The Sunburst supply chain attack
What is a supply chain attack?
The “supply chain” refers to the ecosystem around a service provider or product supplier and their commercial partners. An attack is known as a “supply chain” attack when parts of the software that make up this ecosystem are compromised. Attackers reach their target when users download software into which they have introduced malware (malicious software).
The attack can then spread automatically to other targets within the same supply chain. Supply chain attacks are long and complex, and they tend to be carried out by experienced cybercriminals with extensive resources.

The Sunburst case is a textbook example of a supply chain attack: SolarWinds is the software provider responsible for the compromised Orion software suite (software-based technical solutions that businesses use to manage their IT infrastructure). Companies and organizations that downloaded malware-infected versions of Orion thereby fell victim to the attack through this third-party software, which is part of a wider supply chain.
What is the Sunburst malware?
On December 8th, 2020, cybersecurity specialists FireEye released a statement announcing that they had fallen victim to an attack affecting part of their intrusion testing tools (their Red Team tool set). They gave this malware the name Sunburst. The company stated that highly skilled cybercriminals were behind this attack, and that they were most likely sponsored by a nation state.
Many hypotheses pointed towards highly organized groups being responsible, with access to considerable resources and most likely supported by Russia. Microsoft CEO Brad Smith estimated that 1,000 engineers would have been required to carry out the sustained, large-scale attack, compared with the 500 Microsoft engineers who were brought in to deal with the resulting fallout.
What motivated the Sunburst attack?
The likely motive for the attack was that a nation state was looking to extract confidential economic, financial or defence data (or data about vitally important services). Several ministries were targeted and had their emails and data extracted. Some experts and commentators characterized the event as a case of cyber espionage rather than a cyberattack, since the compromised data and IT systems were neither damaged nor disrupted, and no physical damage to electricity networks or communication infrastructure was reported.
Establishing a link between the fraudulent collection of data or login details and the real, tangible damage it can cause is challenging and time-consuming, as demonstrated by China’s attack on Equifax or by NotPetya in 2017, since the nation-state sponsor’s anticipated gains are long-term and strategic. By contrast, when attacks are motivated purely by financial gain, the link between an attack and its result can be established more quickly, as in the recent Colonial Pipeline attack.
What is the supply chain attack Sunburst?
A supply chain attack involves installing malware through a third-party supplier. The attackers can then strike their target once the compromised software has been downloaded. Sunburst is the name given by cybersecurity firm FireEye to the attack they suffered.
What was the motive behind the Sunburst attack?
The Sunburst supply chain attack aimed to collect confidential economic, financial and defence data. It had all the hallmarks of cyber espionage rather than a straightforward cyberattack.
To avoid attacks, or at least reduce their frequency, you should secure your IT environment. You should also develop your organization’s ability to recover as quickly as possible.
