Kaitlynn Belmont, Eleanor Parker, Federico Bertola, Maaz Qureshi, Hubert Zhang, Dayna McNeil, CICYBER Team
December 28, 2020
Unknown to the numerous federal agencies, Fortune 500 companies, and private sector firms it infiltrated, the cyber intrusion known as the SolarWinds attack had been quietly acquiring data for months. The purpose of the attack is believed to have been to further the intelligence gathering and capabilities of Russia, the nation-state believed to be behind it. The attackers' ability to carry out the intrusion undetected further intensifies the tensions between Russia and the United States. The attack circumvented the cybersecurity measures of some of the top security firms in the US for eight months, which raises immense concern over what remains unknown: what the intended target was, what information has been compromised, and what other points of vulnerability the US has missed. The question now is how the US should respond. US national security has been severely compromised as a result of Russia's SolarWinds breach, which may have devastating implications for the US, its foreign allies, and their interests; further, a US-led response to the attack may include striking back at Russia by directly targeting its infrastructure and intelligence gathering capabilities.
The SolarWinds hack has emerged as one of the largest ever cyberattacks against the US government, its agencies, and private companies; in fact, it is likely a global cyberattack, as foreign actors and their interests have also been compromised. It was first discovered by the U.S. cybersecurity company FireEye, which reported on December 8, 2020 that its own systems had been attacked by a highly sophisticated, presumably state-sponsored, threat actor. On December 13, 2020, FireEye announced that the cyberattack began in March 2020 and had been ongoing for months; further, it was identified that the attack was not limited to the company but had targeted various public and private organizations around the world.
The attack targeted the IT management software Orion, supplied by an Austin-based company called SolarWinds, used by hundreds of thousands of organizations globally. In March, SolarWinds provided an update of its systems to its customers that unwittingly included the malicious code. Once installed, the malware created a backdoor entry for hackers, giving them access to the systems and networks of SolarWinds’ customers worldwide. This attack can be classified as a ‘Supply Chain’ attack because instead of directly hitting the target network, the hackers targeted a third-party vendor, which supplied software to them. The supply chain as a whole can only be secured when all entities throughout the supply chain carry out effective and coordinated security measures to ensure the integrity of their networks, minimizing the risk of having a weak link in the chain that could compromise the entire system.
The threat actors had unauthorized access to SolarWinds’ software since at least October 2019, when they conducted a cyberespionage operation similar to the one they conducted in March 2020. The attackers injected malicious code into SolarWinds’ Orion software, which was distributed to customers via updates on October 10, 2019. However, unlike the March 2020 attack, this code injection lacked a backdoor that would grant attackers access to the victims’ systems. The attackers were likely testing their capacity to infiltrate and edit the company’s software and networks without detection before implementing a backdoor to conduct the March 2020 attack. The fact that threat actors remained undetected inside critical US institutions and global companies for such a long period highlights how US and global companies can be silently compromised without any awareness of the hidden menace, allowing attackers to gain information and access to sensitive data flows and critical networks, with the potential to cause economic, political, or social repercussions. This highlights the concerning capacity of Russian cyberintelligence agents to infiltrate American companies and government institutions and maintain their presence undetected for years at a time. During this time they gather intelligence on the company and its vulnerabilities, allowing them to plan and refine their attack operations.
SolarWinds claims that 18,000 of its clients were impacted, including parts of the Pentagon, the State Department, the Department of Justice, and public and private organizations all over the world. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive asking all federal civilian agencies to review their networks for indicators of compromise and to disconnect or power down SolarWinds Orion products immediately. Additionally, to remediate the situation, the National Security Council (NSC) has launched a task force called the Cyber Unified Coordination Group (UCG), comprised of the Federal Bureau of Investigation (FBI), the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), and CISA, to further collect and analyze evidence relevant to the attack. The agencies have designed a thorough investigation process which consists of identifying victims, collecting evidence, analyzing evidence, sharing information, integrating the Intelligence Community (IC), and providing situational awareness and expertise. The UCG will likely continue to assist affected organizations and cooperate with other agencies as necessary in the coming months. Regarding attribution, federal investigators and cybersecurity experts state that Russia’s intelligence services, referred to as Advanced Persistent Threat (APT) actors, are likely responsible for the attack and for the most recently discovered, ongoing cybersecurity incidents in the public and private sectors. However, Russia’s Embassy in the US has denied involvement in the breach, and President Trump suggested in a tweet that Chinese hackers may have been behind the attack.
The ongoing attack places the already strained relationship between Russia and the United States under further pressure and demonstrates Russia’s omnipresence in the future cybersphere of the United States and, arguably, the global cyber domain. Whilst the motive still remains unclear, Russia could be using the ‘SUNBURST’ malware to spy on U.S. activities or to assert Russian dominance across the global cybersphere. CISA states that it is ‘likely’ that the full scope of malware activity has ‘not yet been discovered’, that it will be ‘highly complex’ to remove, and that it could remain undetected in certain networks for months. The SolarWinds attack also reveals the fragility, and calls into question the security, of U.S. software and IT organizations, especially as SolarWinds was warned in 2019 that its update servers could be accessed using the password ‘solarwinds123.’ While any company is at risk of cyberattack at any given time, the negligence of SolarWinds toward its cybersecurity measures in 2019 certainly appears to have exacerbated the severity of the 2020 attacks.
Recent investigations reveal that one of the domains originally used to control compromised systems, ‘avsvmcloud[.]com’, was reconfigured as a ‘killswitch’ that causes the SUNBURST malware to cease operation in some circumstances, depending on the IP addresses returned. Whilst this killswitch diminishes the ability of cybercriminals to utilize previous versions of SUNBURST, it will not remove it from networks where other backdoors have been established. While Microsoft, GoDaddy, and FireEye are collaborating to identify which organizations have been attacked by the SUNBURST malware with the goal of ceasing its operation, the complexity of the malware will likely ensure it remains an ongoing threat to corporations for some time. This is only exacerbated by the fact that many organizations have disconnected their Orion services or have blocked their systems from accessing malicious domains in an attempt to protect their servers, reducing the ability of third parties to identify these affected organizations.
SolarWinds will inevitably face lawsuits for its aforementioned poor cybersecurity measures and subsequent poor handling of the attacks; those who may have installed the Orion products with the malicious update make up 45% of SolarWinds’ total revenue, placing the figure at an approximate total of $343 million USD. Even as late as December 14, 2020, GreyNoise Intelligence founder Andrew Morris reported that SolarWinds had still failed to remove the compromised Orion updates from its servers. This suggests that either SolarWinds was facing a particular struggle in removing the updates from its online servers or that its cybersecurity measures and protocols are as poor as previously suggested. Upon reflection, whilst the attacks have caused great economic, political, and social hardship, they should serve as a harsh reiteration to organizations of the importance of maintaining strong cybersecurity and defense measures.
Aside from the aforementioned economic consequence of lawsuits facing SolarWinds, the attacks may lead to a loss of revenue for affected companies, especially if such companies do not respond to the attacks effectively, as this could result in a loss of trust and business from loyal customers who are worried about the security implications. The technological vulnerabilities that the attack exposed will also require rectification so as to prevent further exploitation by cyber criminals, a process that could cost companies thousands in capital. The attacks unveiled the fragility of company security systems, as hackers were able to monitor data from a range of ‘key US government departments’, meaning that private and important information concerning matters of US defence, homeland security, and commerce has been exposed to these cyber criminals. As well as the alarming impact this will have on the security of the US government, it may also lead members of the public to lose faith in the US government if individuals feel that they and their information are not being protected by their country.
Numerous US government agencies and Fortune 500 companies have been affected by this attack. The vulnerable SolarWinds Orion versions include 2019.4 HF5, 2020.2, and 2020.2 HF1. According to SolarWinds, it is likely the breach affected more than 18,000 agencies and companies. The information exfiltrated from the organizations depended heavily on the industry they were involved in, although an emphasis was placed on extracting government information. Among the most prominent infiltrations were FireEye, the Department of Homeland Security (DHS), the Commerce Department, and the Treasury Department. The only intelligence these organizations released concerning exfiltrated data was email communications, although it can be speculated that much more was accessed. A GitHub repository is currently documenting compromised domains and IPs; it provides an exhaustive list of the domains used by the SunBurst malware, which can be used in signature-based detection software. A preliminary list of major agencies and companies affected can be found on Business Insider. CTG has compiled a more comprehensive and complete list of breached organizations, seen in the figure below.
Figure 1. Partial List of Organizations Affected by SunBurst
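As an added example, not code from the article or from any vendor tool, the following Python script turns the indicators the text mentions into two defender-side checks: it refangs the ‘avsvmcloud[.]com’ domain and flags DNS queries for it or any of its subdomains in a constructed log format, and it lists inventory hosts running one of the three Orion builds named above. The log line format, hostnames, client addresses and subdomain label are assumptions.

```python
import re
from typing import Dict, Iterable, List

# Indicators taken from the article: the C2 domain (defanged) and the
# vulnerable Orion builds. Everything else in this block is constructed.
DEFANGED_INDICATORS = ["avsvmcloud[.]com"]
VULNERABLE_ORION_VERSIONS = {"2019.4 HF5", "2020.2", "2020.2 HF1"}

def refang(indicator: str) -> str:
    """Convert a defanged indicator such as 'avsvmcloud[.]com' into a hostname."""
    return indicator.replace("[.]", ".").strip().lower()

INDICATOR_DOMAINS = [refang(d) for d in DEFANGED_INDICATORS]

def matches_indicator(hostname: str) -> bool:
    """True if hostname is an indicator domain or any subdomain of one.
    The suffix test includes the leading dot so 'notavsvmcloud.com' is not a hit."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in INDICATOR_DOMAINS)

# Hypothetical DNS log format: "<timestamp> <client_ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")

def scan_dns_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every log line whose query hits an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and matches_indicator(m.group("qname")):
            hits.append(m.groupdict())
    return hits

def vulnerable_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: Orion version}, return hosts on a listed vulnerable build."""
    return sorted(h for h, v in inventory.items() if v.strip() in VULNERABLE_ORION_VERSIONS)

# Constructed sample data: the subdomain label, client IPs and hostnames are made up.
SAMPLE_DNS_LOG = [
    "2020-12-14T09:12:01Z 10.0.5.23 query k9x2abc.avsvmcloud.com",
    "2020-12-14T09:12:03Z 10.0.5.23 query updates.example.org",
    "2020-12-14T09:15:44Z 10.0.7.9 query avsvmcloud.com.example.org",
    "2020-12-14T09:16:10Z 10.0.8.4 query AVSVMCLOUD.COM.",
]
SAMPLE_INVENTORY = {"orion-01": "2020.2 HF1", "orion-02": "2020.2.1 HF2", "orion-03": "2019.4 HF5"}

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']}")
    print("hosts on a vulnerable Orion build:", vulnerable_hosts(SAMPLE_INVENTORY))
```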
The Counterterrorism Group (CTG)