SUNBURST and Supply Chain Attacks
Recently, a global intrusion campaign has been making headlines. The campaign exploits SolarWinds Orion software, and roughly 18,000 of SolarWinds’ customers have been compromised. This article provides an overview of the campaign’s discovery, the type of cyberattack used, the type of software affected, and resources for those with compromised networks.
The intrusion campaign compromised organizations within both the private sector and the government sector. One of the first reported victims was FireEye, a renowned cybersecurity company. On December 13, just a few days after Kevin Mandia reported that FireEye suffered a “highly sophisticated” state-sponsored cyberattack, FireEye reported their discovery of the global intrusion campaign. On that same day, Christopher Bing of Reuters reported that the U.S. Treasury and Commerce departments were spied on, and the Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, which orders federal agencies to inspect their networks for signs of compromise. Unfortunately, although the intrusion campaign was recently discovered, FireEye notes that the campaign is ongoing and may have actually started in the spring. Thus, the attackers may have been spying on SolarWinds’ customers for almost a year.
The global intrusion campaign made use of a supply chain attack. The National Institute of Standards and Technology (NIST) defines software supply chain attacks as “compromising software code through cyberattacks, insider threats, [and] other close access activities at any phase of the supply chain to infect an unsuspecting customer.” The development of any kind of software often includes a “maintenance” phase, where bug-fixes and other updates are released to customers. According to a security advisory by SolarWinds and an article by FireEye, the attackers inserted malware named SUNBURST into SolarWinds Orion software updates, making them “trojanized” so that a part of the software framework became a backdoor for the attackers. A backdoor is an access method that allows unauthorized users to bypass normal security measures. Attackers can use backdoors like SUNBURST for espionage. As discussed in previous blog articles, Trojans (or Trojan horses) are malware disguised as harmless software. Trojans are typically disguised as installers for legitimate software. The supply chain attack was insidious in that the Trojans were updates to preexisting software, which IT professionals are eager to download.
Jake Williams of SANS notes that supply chain attacks are uncommon. He elaborates on why the recent attack “is one of the most potentially damaging attacks we’ve seen in recent memory.” The SolarWinds Orion software is a Network Management System (NMS). An NMS is used to monitor and maintain a network, including the devices connected to it, which makes it an ideal target for attackers. SolarWinds Orion is a very popular NMS used by over 300,000 customers around the world, making it a particularly damaging target for attackers.
Various resources are available to help organizations with networks that may be compromised. SolarWinds provides a list of known affected SolarWinds Orion products and the steps to upgrade them to safe versions. Note that the trojanized versions are 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. FireEye provides an FAQ page with SUNBURST information and a GitHub repository full of signatures that can be used to detect SUNBURST. Federal agencies must follow Emergency Directive 21-01, which lists actions they must take if they use SolarWinds Orion products.
Whenever an organization uses third-party software to handle one aspect of business operations, including managing their IT infrastructure, there is always the risk that the software may be compromised by malicious actors. Third-party software is often convenient and useful for organizations that do not have the means or the time to make or find an in-house solution. However, the convenience of third-party software must be weighed against the risk of a security breach and the potential fallout. IT professionals should keep track of third-party software used in their infrastructure, watch out for security issues, and determine whether or not the software is truly necessary.