The Sunburst supply chain attack explained

The Sunburst supply chain attack

What is a supply chain attack?

The “supply chain” refers to the ecosystem around a service provider or product supplier and their commercial partners. An attack is known as a “supply chain” attack when parts of software that make up this ecosystem are compromised. Hackers strike their target when users download software into which they have introduced malware (malicious software).

The attack can subsequently automatically infiltrate other targets within the same supply chain. Supply chain attacks are long and complex, and they tend to be developed by experienced cyber criminals with extensive resources.

‍

The Sunburst case is a perfect example of a supply chain attack, since SolarWinds is the software provider responsible for the compromised Orion software suite (software-based technical solutions that businesses use to manage their IT infrastructures). Companies and organisations who downloaded malware-infested versions of Orion thereby fell victim to the hack through this third-party software that is part of a wider supply chain.

What is the Sunburst malware?

On December 8th, 2020, cybersecurity specialists FireEye released a statement announcing that they had fallen victim to an attack on part of their intrusion testing tools (Red Team tool set). They gave this malware the name Sunburst. The company stated that highly qualified cybercriminals were at the root of this attack, and that they were most likely sponsored by a nation state.

Many hypotheses pointed towards highly organized groups being responsible, with access to considerable resources and most likely supported by Russia. To carry out the sustained, large-scale attack, Microsoft CEO Brad Smith estimated that 1,000 engineers would have been required, compared with Microsoft’s 500 engineers that were roped in to deal with the resulting fall out.

What motivated the Sunburst attack?

The likely motive for the attack was that a nation state was looking to extract confidential economic, financial or defence data (or data about vitally important services). Several ministries were targetted and saw their emails and data extracted. Some experts and commentators qualified the event as a case of cyber espionage rather than a cyberattack, as compromised data and IT systems were neither damaged nor interrupted and no physical damage to electric networks or communication infrastructures was reported.

Establishing a link between the fraudulent collection of data or login details and the real, tangible damage it can cause is challenging and time-consuming, as demonstrated by China’s attack on Equifax, or NotPetya in 2017, since the nation state sponsor’s anticipated gains are long-term and strategic. On the contrary, when attacks are motivated purely by financial gain, the link between an attack and its result can be established more quickly, as in the recent Colonial Pipeline attack.

‍

Victims of Sunburst

Who was affected by the Sunburst attack?

Microsoft is one of the tech companies to fall victim, but they declare that, to their knowledge, no data was compromised. Nevertheless, Microsoft CEO BradSmith qualified Sunburst (otherwise known as Solori gate backdoor malware, in Microsoft circles) as “the most important and sophisticated cyberattack the world has ever seen” (source) in an interview for CBS.

More than 33,000 companies and many public bodies use Orion products, which turned over 343 million dollars in 2020 (before the attack), representing 45% of the company’s revenue (Form 8-K fromSolarWinds - Dec 14, 2020 SWI – SEC filings). SolarWinds says that it alerted all of its 33,000 business clients but estimates that around 18,000 businesses downloaded one of the compromised versions.

We also know that nine American ministries were targeted – the Department of the Treasury, the CISA (Cybersecurity andInfrastructure Agency), the Department of Homeland Security, the StateDepartment, and the Department of Energy. Since, the deputy director of theCISA, Anne Neuberger, has stated that the number of non-government bodies that fell victim to the attack was limited to around 100.

How was the Sunburst attack carried out?

From the first days of its enquiry, FireEye (a cyberattack detection company) discovered that Orion, software developer SolarWinds’ IT network management and monitoring tool, had been the target of a cyberattack. On December 12th, FireEye alerted SolarWinds that its Orion software had been compromised by the injection of malicious code into its legitimate updates.

This backdoor then allowed the criminals to clone or create new access permissions in order to illicitly penetrate company IT systems.

The investigations led by SolarWinds with the help of the FBI, the CISA, and cybersecurity experts Mandiant, FireEye, and KPMG (among others) have since shined a light on a sequence of extremely sophisticated actions carried out over more than a year in order to go undetected for as long as possible. SolarWinds therefore states in its recent updates that the cybercriminals were probably already working on their code in early 2019, in preparation for carrying out this unprecedented attack.

How exactly was the Sunburst attack carried out?

In September 2019, the first signs of suspicious activity were detected in SolarWinds’ internal systems. A previous version of Orion seemed to have been modified in order to test the insertion of malware. On February 20, 2020, Sunburst was injected into Orion’s updates via aDLL (dynamic link library).

From March 2020, the software was infected and a “backdoor” was introduced in order to transform the software into a Trojan horse. The state-sponsored hackers could therefore access servers and obtain access rights, allowing them to steal valid certificates or create new ones. Then, they could access cloud resources and extract data, emails, and more from the businesses that had downloaded infected versions of Orion.

The attack creators managed to delete the Sunburst malware from the SolarWinds environment in June 2020 without being detected.

It was only on December 12th that SolarWinds was informed of the cyberattack by FireEye and a protocol was put in place to inform and protect clients, and to begin investigations into the attack. From that point on, SolarWinds has been investigating in order to analyse and correct vulnerabilities in its Orion product.

Sequence of actions between early 2019 and when a compromise was announced by FireEye in December 2020.

What were the consequences of the Sunburst attack?

In the case of Sunburst, it is still difficult to fully understand the consequences for the businesses that were compromised, exactly how they were compromised, and how deep the compromise went. We may never know what data was consulted, extracted, or used.

Nevertheless, we can begin to estimate certain substantial direct costs linked to the investigation and measures taken in response – internal expenditure as well as outside skills required to lead searches into vulnerabilities and analyse compromises. We can also calculate the projects undertaken to remedy the problems and “plug the gaps” to further secure IT systems.

For example, Microsoft speaks of mobilizing 500 engineers to analyze and respond to the attack, while SolarWinds reports having spent nearly 19 million dollars on incident management and other remedial action. We can easily imagine that the 100 or so non-governmental organizations that the CISA mentions all committed substantial resources to responding to these compromises and reinforcing their checks.

External audits and even increased insurance premiums are other examples of costs that can skyrocket following a cyberattack (for example, the recent news of Log4J’s software vulnerability).

Damage to reputation and lost revenue can also represent a cost. Although these effects are very damaging, they are notoriously tricky (if not impossible) to quantify, especially for government agencies and other public organizations because, by definition, they do not turn over a revenue or hold company value.

Companies that make a revenue and those that are listed on the stock exchange, though, do feel the effects. For example, SolarWinds’ stock price lost 20% of its value in the days following the attack and 40% by the end of the week.

Despite this, 12 months later, taking into account the sale of its MSP activity (which is now listed on the stock market independently as N-Able), the company’s value is higher than it was in early December 2020. Reported turnover for the half year following the incident continued to rise, too, although some observers consider that it could have grown more quickly.

Other companies specializing in cybersecurity such as FireEye and Microsoft have also seen their value, revenue, and profit increase despite falling victim to Sunburst and other large-scale hacks.

How can you protect yourself against a supply chain attack like Sunburst?

The aim of risk management is to maintain probable losses from future attacks at an acceptable level for businesses, and to help identify actions and checks to put in place that can either reduce the number of attacks experienced and/or their financial impact.

What steps can you take to avoid this type of cyberattack?

IT environments need to be secured in order to avoid attacks or reduce their frequency. There are some basic best practices to implement, such as immediate application of patches for zero-day vulnerabilities – in other words, as soon as a patch is available for update, it should be applied immediately.

But even with the best will in the world, best practices will never work alone. When an attack is as widespread and sophisticated as Sunburst, even businesses and government organizations reputed for their world-beating security and investments in the security field are evidently fallible and cannot always avoid being compromised.

It therefore seems unrealistic for companies with limited resources to protect themselves at all costs against this type of attack. However, we know that the Sunburst attack was a case of cyber espionage, which dictated the choice of victims. Organizations that are not ministries or multinational IT firms would doubtless not have been targetted.

‍

How to reduce the impact of this type of cyberattack

It is evident that security alone is not enough; we must develop companies’ resilience and ability to ride out an attack and recover from it as quickly as possible with the least lasting damage. Above anything else, it is therefore essential to prepare for potential cyberattacks.

Organizations should have prepared responses for containing the effects of an attack, and actions that lead to a timely recovery:

-      Detect intrusions and unauthorized activity quickly in order to reduce the duration of damage

-      Limit the spread of malware by segmenting networks or regularly updating systems and software

-      Train dedicated teams to respond to and manage incidents, as well as internal and external legal teams

-      Create a crisis management and communication plan

-      Reach out to technical experts and consultants for investigations

To help you reduce the impact of this type of cyberattack, and help you get back on your feet after a cyberattack, here are a few articles that should interest you.

-      IT DRP: how to plan recovery from a cyber crisis

-      Business continuity plan: planning and preparing for a cyberattack

-      Crisis management: how to effectively manage a cyber crisis