The SolarWinds hack, publicly disclosed in December 2020, is a recent and significant example of state-sponsored cyber espionage. The U.S. and U.K. governments formally attributed it in April 2021 to Russia's Foreign Intelligence Service (SVR), whose operators the industry tracks as "APT29" or "Cozy Bear." It targeted U.S. federal agencies as well as private sector companies in the United States and other countries.
The hack began with a supply chain attack: the attackers inserted a backdoor into a legitimate, digitally signed update of the SolarWinds Orion network management product, which SolarWinds then shipped to its customers through its normal update channel. The trojanized update gave the attackers an entry point into customer networks, from which they selected targets of interest and stole sensitive data, including confidential government information and proprietary business information.
The attackers employed several tactics during the attack:
- Advanced persistence: Once inside a network the attackers stayed quiet and undetected for months, which let them collect data over an extended period rather than in a single, noisy burst.
- Multi-stage attack: The initial backdoor was only a foothold. The attackers layered additional tools on top of it to escalate privileges, steal credentials, and move laterally until they could reach and exfiltrate the information they wanted.
- Targeted attack: Although the backdoor reached thousands of organizations, the attackers activated follow-on intrusions only against a small subset of specific organizations and individuals of interest, rather than indiscriminately exploiting every victim.
The attack caused significant damage to the targeted organizations and government agencies, and it exposed how much implicit trust organizations place in signed vendor updates and how few controls most had in place to detect a compromised one. It also highlighted the potential for nation-state actors to use cyber operations as a tool for espionage and, potentially, sabotage.
The SolarWinds hack also had significant implications for the cybersecurity industry, as it exposed the need for better supply chain security and incident response planning. Many organizations have been forced to re-evaluate their cybersecurity plans and invest in better protection, including secure software development and build integrity, secure configurations, and regular vulnerability scanning.
SolarWinds hack
The SolarWinds hack is the commonly used term to refer to the supply chain breach that involved the SolarWinds Orion system.
In this hack, suspected nation-state hackers, identified as a group Microsoft calls Nobelium and often referred to simply as the SolarWinds hackers by other researchers, gained a foothold in the networks of thousands of SolarWinds customers. Roughly 18,000 customers downloaded a trojanized Orion update; the attackers then used that access for hands-on intrusions against a much smaller set of victims, estimated at around 100 organizations. The breadth of the hack is unprecedented and makes it one of the largest, if not the largest, software supply chain compromises ever recorded.
More than 30,000 public and private organizations, including local, state, and federal agencies, use the Orion network management system to manage their IT resources. As a result, the hack compromised the data, networks, and systems of thousands of them when SolarWinds unknowingly delivered the backdoor malware as a signed update to the Orion software.
The incident also prompted governments to act. In May 2021 the U.S. government issued Executive Order 14028, "Improving the Nation's Cybersecurity," which directs federal agencies and their software suppliers toward stronger software supply chain practices and urges companies to adopt best practices to protect their networks and infrastructure.
Timeline of the major events in the attack:
- September 2019: The attackers first gain access to SolarWinds' environment and, within days, push a harmless test modification through the Orion build pipeline to confirm that they can alter shipped code without being noticed.
- February-June 2020: The SUNBURST backdoor is compiled into the Orion component SolarWinds.Orion.Core.BusinessLayer.dll and distributed in signed Orion updates released between March and June 2020. Roughly 18,000 customers install them. In selected victim networks the attackers use the backdoor to deploy additional tooling, steal credentials, and move laterally.
- July 2020 onward: The attackers use stolen credentials and forged authentication tokens to access sensitive data on the targeted networks, including cloud-hosted email.
- December 8, 2020: FireEye, a cybersecurity company, discloses that it has been breached and that the attackers stole its Red Team tools (used for penetration testing). Its investigation traces the intrusion to the SolarWinds software update, and on December 13 FireEye publishes its analysis of the SUNBURST backdoor.
- December 13, 2020: SolarWinds publicly acknowledges that its Orion build was compromised and that the trojanized update was the initial entry point for the attackers.
- December 13, 2020: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive 21-01, ordering all federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products and to treat the hosts they monitored as compromised.
- December 14-17, 2020: Reports confirm that various government agencies, including the Department of Homeland Security, the Treasury Department, the Commerce Department, and the Department of Energy, were compromised in the attack.
- December 2020-January 2021: Various private sector companies, including Microsoft, Cisco, and Deloitte, confirm that they received the trojanized update or were otherwise affected.
- December 2020 onward: The U.S. government and the private sector investigate the attack, and victims work to contain the damage, rebuild affected systems, and rotate credentials. In April 2021 the U.S. government formally attributes the campaign to the SVR.
Purpose of the Attack:
The full purpose of the SolarWinds hack, often called the SUNBURST attack after the backdoor it delivered, is not entirely clear. It was carried out by a state-sponsored group: U.S. and U.K. authorities formally attributed it to Russia's SVR in April 2021. The attack reached various government agencies and private sector companies, including the U.S. Department of Homeland Security, the Treasury Department, and the Commerce Department, as well as major technology companies such as Microsoft.
It is believed that the primary goal was intelligence collection. The compromised SolarWinds software gave the attackers a foothold in the networks of thousands of organizations, from which they chose a small number of high-value targets, moved laterally, and gained access to sensitive information and systems, notably email.
There is also speculation that the attack was intended to disrupt the U.S. government's ability to respond to the COVID-19 pandemic, as well as to interfere with the 2020 U.S. presidential election. However, these speculations have not been confirmed by official sources, and the activity that was observed is consistent with espionage rather than disruption.
Who was affected
The SolarWinds hack affected a wide range of organizations, including government agencies and private sector companies. Some of the organizations that have been publicly confirmed to have been affected by the attack include:
- U.S. government agencies: The Department of Homeland Security, the Treasury Department, the Department of Energy, the National Institutes of Health, and the National Nuclear Security Administration were among the agencies that were compromised in the attack.
- Private sector companies: Microsoft, Cisco, Deloitte, and many other companies were also affected by the attack.
- State and local government entities: Many state and local government entities were also affected by the attack.
- International organizations: The attack also impacted organizations outside the United States, with victims reported in North America, Europe, Asia, and the Middle East.
Why did it take so long to detect the SolarWinds attack?
The SolarWinds hack was a highly sophisticated and well-planned operation that evaded detection for the better part of a year. There are several reasons why it took so long to detect:
- Advanced techniques: The backdoor shipped inside a DLL that was legitimately signed by SolarWinds, so code-signing checks passed. Once installed it lay dormant for up to two weeks, checked for security and analysis tools and stayed quiet if it found them, and then beaconed over DNS to algorithmically generated subdomains of avsvmcloud.com, with later command and control disguised as ordinary Orion Improvement Program HTTPS traffic. Each victim was handled with dedicated infrastructure, so one detection did not expose the rest.
- Lengthy timeline: The attackers had been inside SolarWinds' build environment since late 2019 and inside victim networks for months before discovery, which gave them ample time to move laterally, establish additional persistence, and locate sensitive information.
- Lack of visibility: Many organizations lack the logging and monitoring needed to spot a trusted management server making unusual DNS lookups, or a single identity authenticating in a way it never had before. Those low-volume anomalies are exactly what an advanced persistent threat produces.
- Limited use of security best practices: Hardening such as least-privilege service accounts, network segmentation for management systems, and egress filtering would not have prevented the initial entry, which arrived in a trusted update, but it would have constrained what the attackers could do afterward and made their lateral movement noisier. Many organizations had not implemented these controls.
- Lack of threat intelligence sharing: Many organizations do not have the ability to share information about threats with other organizations or with government agencies, which makes it difficult to detect and respond to a campaign that is unfolding across many victims at once.
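To make the visibility point concrete, here is an added example (not code from SolarWinds, FireEye, or any vendor discussed on this page) of the kind of retrospective DNS hunt that would have surfaced SUNBURST beaconing. It matches resolver logs against the public command and control apex domain avsvmcloud.com and its four known regional labels, and also applies a generic heuristic for DGA-style names (a long, high-entropy leftmost label under a cloud-looking parent) so that it is not blind to the next campaign's domain. The log format, the sample lines, and the heuristic thresholds are constructed for this example.

```python
"""Retrospective DNS hunt for SUNBURST-style beaconing (added example, not vendor code)."""
import math
import re
from collections import Counter

# Public indicators from the December 2020 SUNBURST reporting.
SUNBURST_C2_APEX = "avsvmcloud.com"
SUNBURST_REGION_LABELS = {
    "appsync-api.eu-west-1", "appsync-api.us-west-2",
    "appsync-api.us-east-1", "appsync-api.us-east-2",
}

# Generic DGA heuristic thresholds. These are assumptions chosen for this
# example, not a published SUNBURST detection rule; tune them on your own baseline.
MIN_DGA_LABEL_LEN = 15
MIN_DGA_ENTROPY = 3.0
DGA_LABEL_RE = re.compile(r"^[a-z0-9-]+$")

# Constructed log format: "<iso-timestamp> <client-ip> query <qname> <qtype>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Constructed sample resolver log: one SUNBURST beacon, one unrelated
# DGA-looking name, three benign lookups, and one malformed line.
SAMPLE_LOG = [
    "2020-06-15T03:12:44Z 10.1.5.22 query 7hs4qk2n1dq3brs0zv2uk5a.appsync-api.eu-west-1.avsvmcloud.com A",
    "2020-06-15T03:12:45Z 10.1.5.22 query downloads.solarwinds.com A",
    "2020-06-15T03:13:01Z 10.1.7.9 query 0a1b2c3d4e5f6a7b8c9d0e1f.cdn.example.net A",
    "2020-06-15T03:14:10Z 10.1.5.22 query login.microsoftonline.com A",
    "2020-06-15T03:15:00Z 10.1.7.9 query mail.example.org MX",
    "this line is malformed and is skipped",
]


def shannon_entropy(text: str) -> float:
    """Bits per character: random-looking labels score high, dictionary words low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def classify_qname(qname: str):
    """Return ("ioc", detail), ("heuristic", detail) or None for a queried name."""
    name = qname.rstrip(".").lower()
    labels = name.split(".")
    if name == SUNBURST_C2_APEX or name.endswith("." + SUNBURST_C2_APEX):
        # Beacons look like <dga-label>.<region labels>.avsvmcloud.com, so the
        # region part is everything between the first label and the apex.
        region = ".".join(labels[1:-2])
        known = region in SUNBURST_REGION_LABELS
        return "ioc", f"SUNBURST C2 domain, region label {region or '(none)'}{'' if known else ' (unlisted)'}"
    if len(labels) >= 4:
        leftmost = labels[0]
        if (len(leftmost) >= MIN_DGA_LABEL_LEN
                and DGA_LABEL_RE.match(leftmost)
                and shannon_entropy(leftmost) >= MIN_DGA_ENTROPY):
            return "heuristic", f"long high-entropy label under {'.'.join(labels[1:])}"
    return None


def hunt(log_lines):
    """Scan resolver log lines and return the suspicious ones in log order."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        verdict = classify_qname(m["qname"])
        if verdict is None:
            continue
        hits.append({
            "ts": m["ts"], "src": m["src"], "qname": m["qname"],
            "verdict": verdict[0], "detail": verdict[1],
        })
    return hits


def sources_to_isolate(hits):
    """Hosts with an exact indicator match are candidates for immediate isolation."""
    return sorted({h["src"] for h in hits if h["verdict"] == "ioc"})


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['src']} {h['verdict']:9} {h['qname']}  <- {h['detail']}")
    print("isolate:", ", ".join(sources_to_isolate(found)))
```

The heuristic will produce false positives on legitimate CDN and cloud hostnames, which is why it is reported separately from the exact indicator match; in practice you would baseline which parent domains your management servers normally talk to and alert on the residue. Because the backdoor waited up to two weeks before its first beacon, a hunt like this has to cover weeks of resolver logs, not hours.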
Tools and Techniques used by the Attacker:
Some of the specific tools and techniques used in the attack include:
- Supply chain attack: The attackers compromised SolarWinds' build environment rather than any customer directly. Because the SolarWinds Orion platform is widely used by government agencies and private sector companies, one trojanized, validly signed update gave them a foothold in the networks of thousands of organizations at once.
- Malware: An implant on SolarWinds' build server (named SUNSPOT by CrowdStrike) swapped a source file during compilation so that the SUNBURST backdoor was compiled into the signed Orion DLL. On victim systems SUNBURST profiled the host, beaconed over DNS, and for selected targets delivered second-stage loaders (TEARDROP and RAINDROP) that ran a Cobalt Strike BEACON payload in memory. This staging kept the attackers' hands-on tooling off the thousands of systems they did not care about.
- Lateral movement: From the Orion server the attackers used legitimate administrative tools and stolen credentials to reach other hosts, with particular interest in domain controllers and AD FS servers, and they routinely cleaned up after themselves by removing their tools and restoring modified files once a task was done.
- Credential harvesting and forgery: The attackers stole credentials and, where they reached an AD FS server, the SAML token-signing certificate. With that certificate they could forge SAML tokens for any user (a technique known as Golden SAML) and authenticate to cloud services such as Microsoft 365 without touching the on-premises identity provider again. They also added credentials to existing Azure AD applications and service principals so they could read mailboxes through cloud APIs.
- Obfuscation and encryption: The attackers used encryption and custom encoding to hide their activities: victim identifiers were encoded into DNS subdomains, second-stage traffic went over HTTPS shaped to look like normal Orion telemetry, and hostnames, file names, and timestamps were chosen to blend in with each victim's environment.
- Command and control: The attackers ran dedicated command and control infrastructure per victim, often hosted in the victim's own country, which let them maintain access and exfiltrate data without tripping geolocation-based alerts or exposing other victims when one was discovered.
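The credential forgery described above is hard to catch at the identity provider, because a token signed offline with a stolen certificate never passes through AD FS and so produces no issuance event there. The following is an added example (not code from Microsoft, CISA, or the sources behind this page) of the correlation a security operations team can run instead: join the cloud service's record of accepted SAML tokens to the identity provider's record of issued tokens by assertion ID, and flag tokens that were accepted without ever having been issued, whose subject differs from the issuance record, or whose validity window is implausibly long. Both log formats, the sample events, and the 12-hour lifetime threshold are constructed assumptions; in a real deployment the identity-provider side would come from the AD FS security audit log (event ID 1200, token issued) and the service-provider side from the cloud sign-in log.

```python
"""Golden SAML correlation hunt (added example; log formats are constructed)."""
import re
from datetime import datetime, timedelta

# Assumption for this example: a legitimately issued token should not be valid
# for longer than this. AD FS issues short-lived tokens by default; set this
# from your own federation configuration.
MAX_TOKEN_LIFETIME = timedelta(hours=12)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed identity-provider (AD FS-side) records.
IDP_LOG = [
    "2020-12-10T14:00:02Z adfs01 event=token_issued assertion_id=_a1 user=alice@corp.example relying_party=https://outlook.office365.com",
    "2020-12-10T14:05:40Z adfs01 event=token_issued assertion_id=_a2 user=bob@corp.example relying_party=https://outlook.office365.com",
    "2020-12-10T14:06:00Z adfs01 event=credential_validated user=bob@corp.example",
]

# Constructed service-provider (cloud-side) records. The third token was never
# issued by the IdP and is valid for a week: the classic forged-token shape.
SP_LOG = [
    "2020-12-10T14:00:03Z m365 event=token_accepted assertion_id=_a1 user=alice@corp.example not_before=2020-12-10T14:00:00Z not_after=2020-12-10T15:00:00Z",
    "2020-12-10T14:05:41Z m365 event=token_accepted assertion_id=_a2 user=bob@corp.example not_before=2020-12-10T14:05:00Z not_after=2020-12-10T15:05:00Z",
    "2020-12-10T23:41:17Z m365 event=token_accepted assertion_id=_f9 user=svc-backup@corp.example not_before=2020-12-10T23:00:00Z not_after=2020-12-17T23:00:00Z",
]


def parse_ts(value):
    """ISO-8601 with a trailing Z, as both constructed logs use it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_event(line):
    """Split '<ts> <source> key=value ...' into a dict with a parsed timestamp."""
    ts, source, rest = line.strip().split(" ", 2)
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = parse_ts(ts)
    fields["source"] = source
    return fields


def index_issued_tokens(idp_lines):
    """Map assertion_id -> issuance record for every token the IdP says it issued."""
    issued = {}
    for line in idp_lines:
        ev = parse_event(line)
        if ev.get("event") == "token_issued":
            issued[ev["assertion_id"]] = ev
    return issued


def find_forged_tokens(idp_lines, sp_lines, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return accepted tokens that look forged, each with the reasons it was flagged."""
    issued = index_issued_tokens(idp_lines)
    findings = []
    for line in sp_lines:
        ev = parse_event(line)
        if ev.get("event") != "token_accepted":
            continue
        reasons = []
        record = issued.get(ev["assertion_id"])
        if record is None:
            # Signed offline with a stolen key: the IdP never saw this assertion.
            reasons.append("no matching IdP issuance event")
        elif record.get("user") != ev.get("user"):
            reasons.append("subject differs from IdP issuance record")
        lifetime = parse_ts(ev["not_after"]) - parse_ts(ev["not_before"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds {max_lifetime}")
        if reasons:
            findings.append({
                "assertion_id": ev["assertion_id"], "user": ev["user"],
                "accepted_at": ev["ts"], "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_forged_tokens(IDP_LOG, SP_LOG):
        print(f"{f['accepted_at'].isoformat()} {f['user']} {f['assertion_id']}: "
              + "; ".join(f["reasons"]))
```

This only works if the identity provider's audit log is forwarded off the AD FS server to a SIEM the attacker cannot reach, since an actor who can read the token-signing key can usually edit local logs as well. A missing issuance record is strong evidence of forgery; a long-lived token on its own is a weaker signal that should be checked against the federation configuration before anyone is paged.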
Naming the attack: What is Solorigate, Sunburst, and Nobelium?
The SolarWinds attack has a number of different names associated with it. While the attack is often referred to simply as the SolarWinds attack, that isn’t the only name to know.
- Sunburst. This is FireEye's name for the backdoor that was planted into the SolarWinds Orion IT monitoring product's code. SolarWinds adopted the name as well, so the attack is often called the SUNBURST attack. CrowdStrike, which analyzed the implant on SolarWinds' build server, named that separate component SUNSPOT.
- Solorigate. Microsoft's initial name for the malware and the broader incident, used in its detection signatures and early write-ups. It stuck and was adopted by other researchers as well as the media.
- Nobelium. In March 2021, Microsoft decided that the primary designation for the threat actor behind the SolarWinds attack should actually be Nobelium — the idea being that the group is active against multiple victims — not just SolarWinds — and uses more malware than just Sunburst.
Recovery/Protection from such an Attack:
Recovering from a cyber attack such as the SolarWinds hack can be a complex and time-consuming process. Here are some steps that a company can take to begin the recovery process:
- Containment: The first step is to isolate the affected systems and networks to prevent the attackers from gaining further access or causing more damage. For this incident that meant disconnecting or powering down affected Orion servers and treating the hosts they managed as suspect (as CISA directed federal agencies to do), blocking the known command and control domains at the resolver and firewall, and limiting internet access from management systems. Take forensic images before wiping anything.
- Identification: Once the systems have been isolated, determine the scope: which Orion versions were installed and when, whether any host ever resolved the SUNBURST command and control domain, which accounts the Orion service ran as and where those accounts logged on afterward, and whether domain controllers, AD FS servers, or cloud identity configuration were touched. This means reviewing DNS, authentication, and cloud audit logs, running forensic analysis tools, and correlating findings across systems.
- Remediation: Remove the attackers' access and restore trust. For an identity-focused intrusion like this one that means more than patching: rebuild compromised hosts from known-good media and install a clean Orion build, reset every credential the attackers could have reached (including service accounts and the krbtgt account, which must be reset twice), rotate the AD FS token-signing and decryption certificates if that server was compromised, and review and remove unexpected credentials on Azure AD applications and service principals. Restoring from backups only helps if the backup predates the intrusion.
- Review: After the systems and data have been restored, review the incident to identify what went wrong and how it could have been prevented. This may involve conducting security assessments, reviewing incident response plans, or implementing new security controls.
- Notification: If personal data was compromised, notify the affected individuals and comply with any legal requirements for data breach notification.
- Continuous monitoring: To catch a return of the attackers, continuously monitor the network for signs of compromise or suspicious activity. This may involve deploying intrusion detection, centralizing DNS, authentication, and cloud audit logs in a security information and event management (SIEM) tool, and hunting for anomalies such as management servers making unexpected outbound connections or identities signing in from infrastructure they have never used before.
Conclusion:
In conclusion, the SolarWinds cyber attack was a highly sophisticated and well-planned operation that reached a wide range of organizations, including government agencies, technology companies, and critical infrastructure operators. The attack remained undetected for months, allowing the attackers to establish a significant foothold in the networks they chose to pursue. This highlights the importance of continuous monitoring and incident response planning to detect and respond to intrusions quickly.
The attack also showed how exposed critical infrastructure operators are through their IT supply chain: the Department of Energy and the National Nuclear Security Administration were among the victims. No disruption to operations was reported and the compromise was confined to business networks, but an intrusion through the same vendor with a sabotage objective rather than an espionage one would have faced few additional obstacles. This highlights the need for increased security measures to protect critical infrastructure from cyber attacks.
Recovering from a cyber attack of this nature is a complex and time-consuming process, involving containment, identification, remediation, and review. Companies need a well-developed incident response plan in place and should be prepared to engage external experts such as cyber security consultants and forensic investigators to assist in the recovery process.
Overall, the SolarWinds attack serves as a stark reminder of the ongoing threat posed by nation-state cyber operations and of the importance of maintaining a robust cyber defense. The need for cyber security awareness and readiness will only continue to grow.