The SolarWinds hack explained
The SolarWinds security breach is perhaps the most widespread and damaging internet hack yet discovered. Microsoft President Brad Smith called it, “the largest and most sophisticated hack the world has ever seen.” First revealed by private cybersecurity firm FireEye, this security breach may have affected around 18,000 internet users from early 2019 to late 2020.
Believed to have been orchestrated by Russian hackers, the SolarWinds attack left scores of data unprotected for an unprecedented period of time at both private companies and in several key departments of the federal government. The full extent of the SolarWinds hack is still being understood, but the attack was delivered via a routine software update in a supply chain breach.
Other names for the SolarWinds hack
SolarWinds Corp is the Texas-based IT company that inadvertently delivered the infected files to hundreds of US companies and government agencies. The attack did not originate with SolarWinds, which is a networking software company whose products help other companies manage their IT needs.
The SolarWinds attack may also be referred to as:
- Solorigate: This is a term initially popularized by Microsoft, once it discovered that it had been targeted by the infected DLL file as a user of SolarWinds’ services.
- Sunburst: Sunburst refers to the actual malicious code inserted into the SolarWinds file.
- Orion: Orion is the SolarWinds software whose update was infected with the malicious code and then downloaded onto users’ computers, delivering the virus.
- UNC2452: This is the technical term given to the malware by security firm FireEye, the first to discover the breach.
- Nobelium: Nobelium is now understood to be the Russian cyber criminal group likely behind the SolarWinds hack, and suspected to be continuing to target other government agencies and NGOs to this day.
How the SolarWinds hack happened
A dialog box pops up with a simple message: a routine software update is necessary. Any system user is familiar with the message, and has carried out the simple download-and-restart process often enough not to be suspicious of it. We often know very little about what is actually being fixed in a routine software update; it is enough to read the term “bug fixes”, and most users will click install without thinking twice.
The SolarWinds security breach happened through exactly this kind of routine software update. A malicious Trojan horse was inserted into the code of a regular update and was then downloaded onto users’ computers as part of the standard package for SolarWinds’ Orion network monitoring software. Once the tainted update was downloaded and installed, an Internet connection enabled the virus’s access to the entire system.
This simple but devastating style of attack is known as a supply chain breach. It is a relatively common way of attacking otherwise secure platforms: by infecting a trusted third party (in this case, SolarWinds’ IT software) with malware, bad actors can burrow their way into a wide variety of companies and agencies in one fell swoop.
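The passage above describes the core of the problem: the malicious code rode inside the vendor's own build, so the update looked like every other update. The following Python example, added here as an illustration and not code from SolarWinds or from the article, shows why a hash manifest published by the same pipeline that produced a tampered build cannot catch the tampering, and why an independent rebuild from the audited source can. The source tree, the toy "compiler", the injected placeholder and the file names are all constructed for the example and bear no relation to the real Orion code or to the real malicious code.

```python
"""Added example (not from the article or from SolarWinds): why a hash
manifest generated by the same build pipeline cannot detect code injected at
build time, and how an independent rebuild of the audited source tree can.
Every input below is constructed for illustration."""
import hashlib
from typing import Dict, Optional

# Constructed stand-in for a vendor's audited source tree (file -> contents).
SOURCE_TREE: Dict[str, bytes] = {
    "Core/Scheduler.cs": b"class Scheduler { void Run() { /* poll devices */ } }",
    "Core/Reporting.cs": b"class Reporting { void Send() { /* upload metrics */ } }",
}

# Constructed placeholder for code that exists only in the compromised build
# output, never in source control. It is a comment, not real malicious code.
INJECTED_AT_BUILD = b"class Extra { /* hypothetical build-time injection */ }"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a build artifact."""
    return hashlib.sha256(data).hexdigest()


def build(source: Dict[str, bytes], inject: Optional[bytes] = None) -> bytes:
    """Toy deterministic 'compiler': concatenates source files in path order.
    A compromised build step appends content that is not in the source tree."""
    artifact = b"".join(source[path] for path in sorted(source))
    if inject is not None:
        artifact += inject
    return artifact


def publish(artifact: bytes) -> Dict[str, object]:
    """Vendor pipeline publishes the artifact plus a manifest with its hash.
    The manifest is computed from whatever the build produced."""
    return {"artifact": artifact, "manifest_sha256": sha256_hex(artifact)}


def verify_against_manifest(release: Dict[str, object]) -> bool:
    """What a typical updater checks: downloaded bytes match the manifest.
    This only proves the download was not altered after publication."""
    return sha256_hex(release["artifact"]) == release["manifest_sha256"]


def verify_reproducible(release: Dict[str, object], source: Dict[str, bytes]) -> bool:
    """Independent check: rebuild the audited source on a separate system and
    compare digests. A mismatch means the shipped artifact contains something
    the source tree does not, regardless of what the vendor manifest says."""
    return sha256_hex(build(source)) == release["manifest_sha256"]


def demo() -> Dict[str, bool]:
    """Run both checks against a clean release and a build-time-tampered one."""
    clean = publish(build(SOURCE_TREE))
    tampered = publish(build(SOURCE_TREE, inject=INJECTED_AT_BUILD))
    return {
        "clean_manifest_ok": verify_against_manifest(clean),
        "clean_reproducible": verify_reproducible(clean, SOURCE_TREE),
        # The manifest check passes for the tampered build: the hash was
        # taken from the already-tampered output.
        "tampered_manifest_ok": verify_against_manifest(tampered),
        # The independent rebuild disagrees, exposing the injection.
        "tampered_reproducible": verify_reproducible(tampered, SOURCE_TREE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the example is the asymmetry in the last two results: the tampered release passes the manifest check that most updaters perform, because that manifest was produced downstream of the compromise, while a rebuild from source on an independent machine does not match. Real builds are rarely byte-for-byte deterministic without deliberate effort, which is why reproducible builds and build attestations signed outside the build host are the defensive counterpart to the supply chain breach described above.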
Timeline of devastation
- As early as January 2019, hackers may have inserted malicious lines of code into the SolarWinds update, according to SolarWinds CEO and President Sudhakar Ramakrishna.
- March 26, 2020: SolarWinds starts unknowingly sending out infected updates to the companies that it serves.
- December 2020: Private cybersecurity firm FireEye conducts an internal analysis and discovers that it has been hacked. Its subsequent audit uncovers the malicious Trojan horse hidden in over 50,000 lines of code, and it raises the alert that other companies may have been infected as well.
One of the factors that makes the SolarWinds hack so devastating is its unusually long dwell time. Dwell time in cybersecurity is the length of time between when a hacker or virus first infiltrates a system and when the host discovers the breach. In 2019, the average dwell time was 95 days. The SolarWinds hack, however, went around 14 months before being discovered.
Who was affected by the SolarWinds hack?
According to SolarWinds, 18,000 customers may have downloaded the infected update between March and June of 2020. SolarWinds serves over 300,000 companies, however, so the full extent of the data breach is still being understood.
At least 100 major companies, including Microsoft, Deloitte, Cisco, and Intel, are believed to have been affected by the SolarWinds hack, according to the latest data. In addition, several departments of the US government were exposed to the security breach. Federal departments whose servers were affected include the State Department, the National Institutes of Health, the Department of Homeland Security, and the Departments of the Treasury, Justice, and Commerce, among others.
How the hack may affect cybersecurity in the future
- Sanctions against Russia: The impact of the SolarWinds attack has already been felt on foreign policy. In April of 2021 the US government issued a directive to place sanctions on a variety of Russian assets, expelling ten diplomats as well. The sanctions are in response to concerns that the Russian government is linked to the cyber criminals, posing a threat to national interests.
- Private companies may play a larger role in revealing government data security weaknesses: Much of the information about the SolarWinds attack came from private companies such as FireEye and Microsoft, which were instrumental in pinpointing the source of the breach. Upsettingly, the Department of Homeland Security and US Cyber Command were blindsided by the attack until they were alerted by FireEye’s audit. Currently, Microsoft continues to warn about Nobelium’s role in threatening governmental cybersecurity.
- The creation of a new government role: As the Biden administration attempts to double down on cybersecurity, a new role has been created on the National Security Council, or NSC. Cybersecurity veteran Anne Neuberger has been named the first Deputy National Security Adviser for Cyber Security, signaling a strengthened sense of priorities when it comes to protecting government data.
The full effects of the SolarWinds hack are still being felt and understood by the global community. As the situation continues to unfold, more companies may discover that their own data security was breached in the SolarWinds attack. The threat of Nobelium and the SolarWinds hack is classified as “ongoing” by officials. In many ways, SolarWinds was a wake-up call about the need for better cybersecurity for both private companies and the local, state, and federal levels of government.