It has been quite a week for the IT industry. Like another 2020 inside 2020. Everyone has been talking about the SolarWinds supply chain attack this week. Many of us have used the phrase “supply chain attack” more this week than evern before in our lives.
The hackers were able to insert their own code in to updates for SolarWinds’ Orion product line, specifically, versions 2019.4 hotfix 5 through 2020.5 hotfix 1. The initial infected packages were released in March 2020. The hack was discovered by cybersecurity company FireEye while investigating their own compromise.
Overshadowed by SolarWinds, FireEye’s attack includes the theft of the company’s “Red Team Tools.” In the cybersecurity industry “Red Team” refers to cybersecurity professionals who act as malicious hackers for the purpose of penetration testing. This is like the Joker getting access to Batman’s weapons.
As of today, the list of high-profile victims includes Microsoft and the United States Government. The list is sure to continue growing. It will take years for the dust to settle.
This attack dates back to earlier than March 2020 when the hacker group gained access to SolarWinds. The group was able to bypass software signing security measures to make the SolarWinds updates appear to be legitimate. Afterward, they waited for SolarWinds to distribute the malicious software for them.
Once on the victim networks, they carried out attacks against the victim networks.
As of today, Microsoft has worked with GoDaddy and FireEye to flip a virtual killswitch on the malware. They did this by sinkholing the domain used by the hacker group, revoking the certificates used to sign the malware and updating Windows Defender to quarantine compromised versions.
This should stop the spread of this attack. However, the attackers now have a foothold in thousands of systems. They will remain unless ousted. There are a couple of key takeaways from this story.
First and most damaging, this attack has killed the “blind trust” the industry has in software companies to distribute software. It has now been proven that because a software package is signed by a code signing certificate, it could still be compromised.
Second, the attackers demonstrated a lot of patience. They were on the SolarWinds network for weeks, even months. Once deployed to other victim networks, they did not attack for an average of 12 to 15 days. It is shown the attackers analyzed victim networks and systems to determine what countermeasures were in place.