
SolarWinds Cyber Intrusion: The Largest Supply Chain Attack in History


By Ansley Miller


Background 

In September 2019, the Texas-based software company SolarWinds was compromised by what is believed to have been hackers directed by the Russian Foreign Intelligence Service (SVR). The attack targeted Orion, SolarWinds’ network management system, which monitors the various components of a company’s network. The attack was sophisticated: the cyber attackers (also referred to as threat actors) first conducted a “dry run” phase, injecting test code into Orion and monitoring the system to validate their infiltration methods. Then, in February 2020, the threat actors discreetly accessed SolarWinds’ network and the Orion system and injected hidden code into a file that was later included in the Orion software update offered to customers. This routine update was available to all SolarWinds customers and delivered the usual changes, such as bug fixes, performance enhancements, and management system upgrades. 


It was not until December 2020 that SolarWinds became aware that its system update had been compromised and that the injected code had already been distributed to thousands of customers. SolarWinds is widely used by federal government departments to monitor their systems, which allowed the malicious code to reach agency information systems. The most pressing concern was that the threat actors had had time to learn and master the inner workings of Orion, potentially giving them access to sensitive government information and networks.

 

The Method Behind the Breach  

The threat actors used a method known as a “supply chain attack” to insert malicious code into the Orion system. The hidden code allowed the threat actors to establish a “backdoor” that gave them access to the data of any customer that had installed the compromised SolarWinds update. Gaining remote access through the injected code required no effort from the attackers once the update shipped; all customers had to do was log onto the SolarWinds software, enter their password and verification information, and start the update. Many unsuspecting individuals, including federal agency employees, were simply going about their workday routines, following practices they believed to be routine and harmless.  

 

SolarWinds president and CEO Sudhakar Ramakrishna estimated that close to eighteen thousand customers downloaded the code between March and June of 2020, and that more than 30,000 public and private organizations’ networks and systems were accessed. The hack depended on customers downloading the compromised update and deploying it on their server, and on that server being connected to the Internet so the hackers could reach it. Once the compromised code was downloaded and deployed, the threat actors could infiltrate the infected computers and remotely manipulate SolarWinds customers’ networks. Ramakrishna has stated that he believes the threat actors successfully compromised close to 100 companies, including a dozen federal government agencies. Among the most notable companies accessed were Microsoft, Intel, and Cisco. Affected federal agencies included the Treasury and Energy departments, as well as the Pentagon.  

 

SEC Takes Legal Action   

In response to the SolarWinds attack and the leak of private information, the Securities and Exchange Commission (SEC) filed charges against the company and its Chief Information Security Officer (CISO), Timothy G. Brown. The SEC claims that SolarWinds misled investors by not revealing the obvious risks of the hack and by not disclosing the faults in its cybersecurity measures before and after the 2020 cyber-attack. The lawsuit alleges that SolarWinds committed fraud by failing to maintain adequate internal controls before the hack and by overstating its cybersecurity practices. In a press release, the SEC stated, “SolarWinds violated reporting and internal controls provisions of the Exchange Act, and Brown aided and abetted the company’s violation.” Despite the SEC’s lawsuit and its public statements, SolarWinds CEO Ramakrishna has continued to stand by Brown and has said the company believes the SEC’s lawsuit is “misguided and improper.”  

 

The SEC’s central accusation is that SolarWinds was aware of the vulnerabilities in its system, which the threat actors then exploited via remote access, and that it failed to alert its customers to these failures and potential vulnerabilities. This also appears to be one of the first times the SEC has alleged that a company misled investors by failing to disclose cybersecurity risks. SolarWinds has disputed the SEC’s allegations and plans to contest the lawsuit in court.  

 

Critical Concerns and Security Vulnerabilities 

The Cybersecurity and Infrastructure Security Agency (CISA) is a branch of the Department of Homeland Security that focuses on protecting federal computer networks from cyberattacks. The breach, which came to light on December 13, 2020, prompted CISA to release an emergency directive outlining the mitigations federal agencies were required to apply to prevent further exploitation of federal information systems. The consensus is that the same code and process that gave the Russian hackers the ability to access and steal data from customers, especially government officials, would also allow them to alter or destroy that data. Alteration of any data used in national security measures could be detrimental to the United States and its security.  


On December 16, 2020, the White House’s National Security Council activated the Cyber Unified Coordination Group, which is responsible for coordinating a government-wide response to the incident. Additionally, the attack led CISA to issue Emergency Directive 21-01, which calls on all federal civilian agencies to review their networks for any indicators of compromise and to immediately disconnect or power down SolarWinds’ Orion products and software. The U.S. government has taken extensive measures to ensure its networks are secure and that the threat actors no longer have access to the information that was reachable via the Orion software. 

 

Conclusion  

The unexpected attack on SolarWinds’ Orion software and the exploitation of customers’ data, from private and public companies to government agencies, exposed flaws in the Orion system, and more specifically how easily data can be accessed, deleted, or even altered to fit an agenda. A routine update, meant to fix bugs and apply system updates, resulted in thousands of customers’ data being accessed by threat actors and used for purposes unknown to SolarWinds or its customers. This incident serves as a warning to companies and government agencies and demonstrates just how easily sensitive data can be accessed. It also reminds customers that a routine, “normal” procedure can lead to disastrous outcomes and the unwanted sharing of confidential information. The event underscores the inherent risks of digital data stores and serves as a pointed reminder of the ever-present threat posed by opportunistic actors seeking to exploit vulnerabilities in digital infrastructure.

