SolarWinds and SUNBURST: The Technical Risks of State-Sponsored Terrorism


The news cycle for anyone connected with cybersecurity has been dominated by information regarding the SolarWinds hack. This breach, starting with a single cloud and security provider, has now become a national emergency as more and more private institutions have become infected with potentially dangerous results.

As this situation unfolds, we wanted to provide background on the underlying methods and strategies used by the hackers. From there, you can see how the attacks took place not just because of vulnerabilities in one system, but through an interconnected network of systems made vulnerable by a single vendor. Finally, we provide some basic concepts to consider for your company’s security moving forward.


What is SUNBURST and How Does It Relate to the SolarWinds Hack?

Many news outlets are discussing SolarWinds and the Orion infrastructure management software. Hundreds of thousands of organizations used SolarWinds technology to manage their tech systems, and they are quickly finding that their security has been compromised because of the partnerships and software they relied on.

But security specialists are speaking more frankly about SUNBURST. 

What is SUNBURST? SUNBURST is the codename given to the malware at the heart of the SolarWinds hack. 

Perhaps ironically, the first investigative accounts of the SolarWinds attack have come from one of its victims. Security firm FireEye was the first to report a breach of its own systems, a report that would become the first public account of the SolarWinds hack. FireEye has continued to document the hack and its inner workings as the fallout unfolds.

According to FireEye, the core attack vector is a malware backdoor they code-named UNC2454. This malware was injected into the Orion software update system as a trojan, giving it access to the Orion platform. The malware was dubbed “SUNBURST”, and mainstream media have reported that it was used as part of a larger attack most likely perpetrated by the Russian hacker group “Cozy Bear”, which has ties to Russian intelligence operations.

SUNBURST works through stealth and low-key intrusion:

  1. The malware was inserted into the Orion component SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed piece of the Orion framework, so the trojanized update carried a valid vendor signature.
  2. Once installed, the malware remains dormant for up to two weeks. During this time it can gather data, but it avoids communicating with outside servers or changing files.
  3. After the period of dormancy, SUNBURST begins to receive commands from third-party servers over HTTP, including commands to transfer, delete, and execute files, reboot machines, and disable services.
  4. Throughout, the malware disguises its traffic as legitimate Orion protocols and API calls, and uses legitimate Orion tools to evade detection.
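The dormancy-then-check-in pattern in steps 2 and 3 is something defenders can look for in ordinary proxy logs: a host that has been quiet for days and then starts contacting an unfamiliar server on a regular timer. The script below is an added example, not code from the original post, from SolarWinds, or from FireEye. Its log format, hostnames, domains and allowlist are constructed for illustration, and the thresholds (four hits, 20% timing jitter) are assumptions to tune per environment.

```python
"""Flag beacon-like outbound HTTP from proxy logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log. Hostnames and domains are invented for this example.
# One record per line: "<ISO-8601 timestamp> <source host> <HTTP method> <destination domain>"
SAMPLE_LOG = """\
2020-12-01T10:00:00 orion-srv01 GET updates.vendor.example
2020-12-03T14:12:09 orion-srv01 GET updates.vendor.example
2020-12-15T03:00:00 orion-srv01 GET api.unknown-cloud.example
2020-12-15T03:30:00 orion-srv01 GET api.unknown-cloud.example
2020-12-15T04:00:30 orion-srv01 GET api.unknown-cloud.example
2020-12-15T04:30:00 orion-srv01 GET api.unknown-cloud.example
2020-12-15T05:00:00 orion-srv01 GET api.unknown-cloud.example
2020-12-15T08:01:40 workstation-07 GET news.site.example
2020-12-15T08:03:20 workstation-07 GET news.site.example
2020-12-15T09:01:40 workstation-07 GET news.site.example
2020-12-15T09:02:20 workstation-07 GET news.site.example
2020-12-15T11:32:20 workstation-07 GET news.site.example
2020-12-16T12:00:00 orion-srv01 GET updates.vendor.example
"""

# Destinations the team has vetted (constructed). Vendor update servers belong here so that
# legitimate, irregular update traffic is not scored at all.
ALLOWLIST = {"updates.vendor.example"}


def parse_log(text):
    """Parse log text into (timestamp, host, domain) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # do not let one bad line abort the whole analysis
        ts, host, _method, domain = parts
        records.append((datetime.fromisoformat(ts), host, domain))
    return records


def find_beacons(records, allowlist=ALLOWLIST, min_hits=4, max_cv=0.2):
    """Return {(host, domain): stats} for (host, domain) pairs whose request timing is regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; human browsing is bursty and scores high, a timer
    scores near zero. The stats also report how long after the host's first logged
    activity the suspect traffic began, which exposes a dormancy window.
    """
    by_pair = defaultdict(list)
    first_activity = {}
    for ts, host, domain in records:
        first_activity[host] = min(ts, first_activity.get(host, ts))
        if domain in allowlist:
            continue
        by_pair[(host, domain)].append(ts)

    flagged = {}
    for (host, domain), times in by_pair.items():
        if len(times) < min_hits:
            continue  # too few contacts to judge periodicity
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all hits in the same second: a burst, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            dormancy = (times[0] - first_activity[host]).total_seconds() / 86400
            flagged[(host, domain)] = {
                "hits": len(times),
                "mean_interval_s": round(avg),
                "cv": round(cv, 3),
                "first_seen": times[0].isoformat(),
                "days_after_first_activity": round(dormancy, 1),
            }
    return flagged


if __name__ == "__main__":
    for (host, domain), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{host} -> {domain}: {stats}")
```

On the constructed data only orion-srv01’s half-hourly contact with the unknown domain is flagged, beginning roughly two weeks after the host’s first logged update check; the workstation’s irregular browsing and the allowlisted vendor traffic are not. Because SUNBURST dressed its traffic up as Orion API calls, the timing of connections and the novelty of the destination are more useful signals than the request contents, which is why this check ignores methods and paths entirely.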

Once the malware has started its work, it’s difficult to know the full extent of its operation. As it stands near the end of 2020, the full effects of the malware are still unknown. Additionally, new attack vectors in Orion components have been discovered.


The Impact of SUNBURST on Businesses and Public Institutions

The impact of SUNBURST is still unfolding. According to key victims like Microsoft (who are conducting their own investigation), there are hundreds of victims, including at least 40 of Microsoft’s own customers. Evidence for the broader attack shows that while fewer than 100 organizations appear to have been the target of focused attacks, up to 18,000 SolarWinds customers have potentially been infected.

There are a few key takeaways from the evolving situation as it stands:

1. Private and public utilities companies may not have been as prepared as they could have been. The breach has affected several oil, gas, and electric companies, and the Department of Energy has confirmed that its systems were compromised as well. Some companies in the energy and manufacturing supply chain did not keep rigorous reporting or logging requirements, entrusting that to third parties like SolarWinds, and it could be hard to trace the full extent of the attack in this area.
2. Government agencies have also been impacted to an unknown extent. Due to state security, we may never know the full extent of damage to federal agencies. However, we do know that the Treasury Department, the Department of Homeland Security, the State Department, the Department of Commerce, and the Defense Department have all been attacked.
3. Private businesses, many in finance and technology, have experienced attacks. The biggest name on this list, Microsoft, has openly discussed the impact of SUNBURST and the Orion hack and its countermeasures. Other companies like Nvidia, Visa, Equifax, Cisco, and Intel have all confirmed that they have been affected but have also stated that private customer information has not been compromised.

The major threat here is that, in a probable attack by a foreign actor, many of the tools, data, and secrets held across these three sectors are now in the hands of the attackers. How much of that material was taken is still unknown.


The Strength of Stealth in the SolarWinds Hack

In an interview with Forbes magazine, a security expert highlighted just what is so interesting about this attack and the malware in particular.

First, this attack was made through a vendor vulnerability. Rather than staging a direct attack on hundreds of companies, the initial hack was against a single platform.

Second, the attack was patient and sophisticated. While its mode of attack was relatively common as far as malware goes, the fact that the vulnerability was present in a major SaaS, monitoring, and security company is striking. Additionally, the malware didn’t make itself known. It moved “laterally”, not digging into critical files or systems. Instead, it scanned the system to gather data like authorized credentials and filesystems.

What does this mean? The program attempted to make itself look as legitimate as possible throughout its operation. It leveraged the infected system to pass itself off as a real Orion process and acquired admin access, passwords, and multi-factor authentication across infected systems.


Lessons to Learn from the SolarWinds Hack

We are learning, and will continue to learn, critical security lessons from this hack now and well into the future. Some of these lessons include:

1. Don’t ignore your supply chain. By “supply chain” we aren’t just speaking of your logistics. We’re talking about third-party vendors, cloud providers, and anyone providing technology infrastructure. These parties should not only be compliant with standards in your industry, but they should also be able to demonstrate security and soundness. This could be through additional security audits and measures like SOC 2 reporting.
2. Clean your own house. Do you have best practices in place for your compliance and security requirements? If so, then go above and beyond. Optimize reporting, logging, and security to take account of potential risks. While risk management is a real discipline, SolarWinds and the Orion hack suggest that you may want to rethink what risk is acceptable.
3. Leverage technology for accuracy and effectiveness. If you are using stone-age tools like emails, spreadsheets, and other documents, then you’re not just making compliance and governance harder for yourself. You are hurting your effectiveness and accuracy in reporting and assessment. Make sure that you are using tools to automate audits, log data and alerts, and document your system. And ensure that your third-party vendors are doing the same.


Work With a Company That Provides Direct Support – Continuum GRC

Avoiding issues with security and third parties can be a full-time job in itself, and if you’re not ready to field a full IT team for security, then a security partnership is necessary.

Continuum GRC provides proven, automated solutions for compliance across several industries, including all of those affected by the SolarWinds hack. From federal government agency work to healthcare, finance, manufacturing, and more, we can provide critical security support to help you take control of your compliance and risk management.

To learn more about how Continuum GRC can help you with HIPAA, FedRAMP, FISMA, NIST, SOC 2, GDPR, and PCI DSS compliance in the wake of the SolarWinds breach, call 1-888-896-6207 to talk more with the experts.

Continuum GRC