The SolarWinds supply chain attack known as Sunburst impacted hundreds of businesses and remains one of the most sophisticated and widespread cyberattacks to date.
A couple of years ago, cybersecurity firm FireEye uncovered a "global intrusion campaign" that leveraged SolarWinds supply chain. It is a particularly sophisticated piece of malware that managed to circumvent detection for a very long time. Let's take a look back at this event and examine the impact of the supply chain attack now known as Sunburst.
The “supply chain” refers to the ecosystem around a service provider or product supplier and their commercial partners. An attack is known as a supply chain attack when parts of software that make up this ecosystem are compromised. The threat actors strike their target when users download software with malware.
The attacker can then automatically infiltrate other targets within the same supply chain. Supply chain attacks are long and complex, and they tend to be developed by experienced cybercriminals with extensive resources.
The Sunburst case is a perfect example of a supply chain attack. SolarWinds is the software solution provider responsible for the compromised Orion software suite (software-based technical solutions that businesses use to manage their IT infrastructures). Companies and organisations that downloaded malware-infested versions of Orion thereby fell victim to the attack through this third-party software that is part of a wider supply chain.
On December 8, 2020, cybersecurity specialists FireEye released a statement announcing that they had fallen victim to an attack on part of their intrusion testing tools (Red Team tool set). They gave this malware the name Sunburst. The company stated that highly qualified cybercriminals were at the root of this attack, and that they were most likely sponsored by a nation-state.
Many hypotheses pointed towards highly organised groups being responsible, with access to considerable resources and most likely supported by Russia. To carry out the sustained, large-scale attack, Microsoft CEO Brad Smith estimated that 1,000 engineers would have been required, compared with Microsoft’s 500 engineers that were roped in to deal with the resulting fall out.
The likely motive for the attack was that a nation-state was looking to extract confidential economic, financial or defence data (or data about vitally important services). Several ministries were targeted and saw their emails and data extracted. Some experts and commentators have qualified the event as a case of cyber espionage rather than a cyberattack, as compromised data and IT systems were neither damaged nor interrupted and no physical damage to electric networks or communication infrastructures was reported.
Establishing a link between the fraudulent collection of data or login details and the real, tangible damage it can cause is challenging and time-consuming, as demonstrated by China’s attack on Equifax, or NotPetya in 2017, since the nation-state sponsor’s anticipated gains are long-term and strategic. On the contrary, when attacks are motivated purely by financial gain, the link between an attack and its result can be established more quickly, as in the recent Colonial Pipeline attack.
Microsoft is one of the tech companies to fall victim, but they declare that, to their knowledge, no data was compromised. Nevertheless, Microsoft CEO Brad Smith qualified Sunburst (otherwise known as Solorigate backdoor malware, in Microsoft circles) as “the most important and sophisticated cyberattack the world has ever seen” (source) in an interview for CBS.
More than 33,000 companies and many public bodies use Orion products, which turned over 343 million dollars in 2020 (before the attack), representing 45% of the company’s revenue (Form 8-K from SolarWinds - Dec 14, 2020 SWI – SEC filings). SolarWinds says that it alerted all of its 33,000 business clients but estimates that around 18,000 businesses downloaded one of the compromised versions.
We also know that nine American ministries were targeted – the Department of the Treasury, the CISA (Cybersecurity and Infrastructure Agency), the Department of Homeland Security, the State Department, and the Department of Energy. Since, the deputy director of the CISA, Anne Neuberger, has stated that the number of non-government bodies that fell victim to the attack was limited to around 100.
From the first days of its enquiry, FireEye (a cyberattack detection company) discovered that Orion, software developer SolarWinds’ IT network management and monitoring tool, had been the target of a cyberattack. On December 12th, FireEye alerted SolarWinds that its Orion software had been compromised by the injection of malicious code into its legitimate updates.
This backdoor then allowed the criminals to clone or create new access permissions in order to illicitly penetrate company IT systems.
The investigations led by SolarWinds with the help of the FBI, the CISA, and cybersecurity experts Mandiant, FireEye, and KPMG (among others) have since shined a light on a sequence of extremely sophisticated actions carried out over more than a year in order to go undetected for as long as possible. SolarWinds therefore states in its recent updates that the cybercriminals were probably already working on their code in early 2019, in preparation for carrying out this unprecedented attack.
How exactly was the Sunburst attack carried out?
In September 2019, the first signs of suspicious activity were detected in SolarWinds’ internal systems. A previous version of Orion seemed to have been modified in order to test the insertion of malware. On February 20, 2020, SUNBURST was injected into Orion’s updates via a DLL (dynamic link library).
From March 2020, the software was infected and a “backdoor” was introduced in order to transform the software into a Trojan horse. The state-sponsored hackers could therefore access servers and obtain access rights, allowing them to steal valid certificates or create new ones. Then, they could access cloud resources and extract data, emails, and more from the businesses that had downloaded infected versions of Orion.
The attack creators managed to delete the Sunburst malware from the SolarWinds environment in June 2020 without being detected.
It was only on December 12th that SolarWinds was informed of the cyberattack by FireEye and a protocol was put in place to inform and protect clients, and to begin investigations into the attack. From that point on, SolarWinds has been investigating in order to analyse and correct vulnerabilities in its Orion product.
Sequence of actions between early 2019 and when a compromise was announced by FireEye in December 2020.
In the case of Sunburst, it is still difficult to fully understand the consequences for the businesses that were compromised, exactly how they were compromised, and how deep the compromise went. We may never know what data was consulted, extracted, or used.
Nevertheless, we can begin to estimate certain substantial direct costs linked to the investigation and measures taken in response – internal expenditure as well as outside skills required to lead searches into vulnerabilities and analyse compromises. We can also calculate the projects undertaken to remedy the problems and “plug the gaps” to further secure IT systems.
For example, Microsoft speaks of mobilising 500 engineers to analyse and respond to the attack, while SolarWinds reports having spent nearly 19 million dollars on incident management and other remedial action. We can easily imagine that the 100 or so non-governmental organisations that the CISA mentions all committed substantial resources to responding to these compromises and reinforcing their checks.
External audits and even increased insurance premiums are other examples of costs that can skyrocket following a cyberattack (for example, the recent news of Log4J’s software vulnerability).
Damage to reputation and lost revenue can also represent a cost. Although these effects are very damaging, they are notoriously tricky (if not impossible) to quantify, especially for government agencies and other public organisations because, by definition, they do not turn over a revenue or hold company value.
Companies that make a revenue and those that are listed on the stock exchange, though, do feel the effects. For example, SolarWinds’ stock price lost 20% of its value in the days following the attack and 40% by the end of the week.
Despite this, 12 months later, taking into account the sale of its MSP activity (which is now listed on the stock market independently as N-Able), the company’s value is higher than it was in early December 2020. Reported turnover for the half year following the incident continued to rise, too, although some observers consider that it could have grown more quickly.
Other companies specialising in cybersecurity such as FireEye and Microsoft have also seen their value, revenue, and profit increase despite falling victim to Sunburst and other large-scale hacks.
The aim of risk management is to maintain probable losses from future attacks at an acceptable level for businesses, and to help identify actions and checks to put in place that can either reduce the number of attacks experienced and/or their financial impact.
IT environments need to be secured in order to avoid attacks or reduce their frequency. There are some basic best practices to implement, such as immediate application of patches for zero-day vulnerabilities – in other words, as soon as a patch is available for update, it should be applied immediately.
But even with the best will in the world, best practices will never work alone. When an attack is as widespread and sophisticated as Sunburst, even businesses and government organisations reputed for their world-beating security and investments in the security field are evidently fallible and can not always avoid being compromised.
It therefore seems unrealistic for companies with limited resources to protect themselves at all costs against this type of attack. However, we know that the Sunburst attack was a case of cyber espionage, which dictated the choice of victims. Organisations that are not ministries or multinational IT firms would doubtless not have been targetted.
It is evident that security alone is not enough; we must develop companies’ resilience and ability to ride out an attack and recover from it as quickly as possible with the least lasting damage. Above anything else, it is therefore essential to prepare for potential cyberattacks.
Organisations should have prepared responses for containing the effects of an attack, and actions that lead to a timely recovery:
To help you reduce the impact of this type of cyberattack, and help you get back on your feet after a cyberattack, here are a few articles that should interest you.
A supply chain attack involves installing malware through a third-party supplier. Hackers can then attack their target once the virus has been downloaded. Sunburst is the name given by cybersecurity firm FireEye to describe the attack they suffered.
The supply chain attack Sunburst aimed to collect confidential economic, financial, and defence data. It had all the hallmarks of cyber espionage, rather than a simple cyberattack.
To avoid or reduce the frequency of attacks, you should secure your IT environment. You should also develop your organisation’s ability to recover as fast as possible.
related to cybersecurity and Cyber Risk Quantification (CRQ)