
On January 5, 2021, several US government agencies formally blamed a nation-state actor known as “Cozy Bear” – widely thought to be of Russian origin – for infiltrating at least 18,000 US-based private networks and government agencies. The attack distributed malware called SUNBURST through SolarWinds’ software updates between March and May 2020. An estimated ten government agencies were negatively impacted by the attack, which compromised the popular network management product SolarWinds Orion.

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) swiftly banded together to launch a full-scale investigation into the attack and its implications.[1]

The Magnitude of the SUNBURST Attack

An official SolarWinds filing with the Securities and Exchange Commission on December 21, 2020, estimated that the following US government agencies were affected:

  • Commerce Department
  • Treasury Department
  • Department of Homeland Security
  • State Department
  • National Institutes of Health
  • Justice Department
  • Defense Department
  • Energy Department
  • National Nuclear Security Administration

The SolarWinds attack has been dubbed by some the “Pearl Harbor of IT”, and while no single tool or technology could have prevented a premeditated national cyber-attack of this level, there are certainly lessons to be learned, both in terms of prevention and detection.

Explaining SUNBURST: Another Case of a Supply Chain Attack

Back in March 2020, “Cozy Bear” first launched this attack by injecting malicious code into SolarWinds’ Orion software. This is a common form of attack known as a supply chain attack.

Orion is a platform for IT infrastructure monitoring and management; it processes and stores network and security data from monitored devices in order to detect, diagnose, and resolve network problems. In other words, Orion is the conduit through which end users receive information about the health of their private networks. Because Orion is designed to monitor entire networks of systems and report on any security problems, it has access to almost everything, which is what made it such a perfect conduit for this compromise.

Why SUNBURST Stayed Undetected

The situation raises the question: if Orion is indeed a diagnostic tool, how did a cyber-attack of this magnitude remain undetected for over 10 months by such critical holders of secrets? There are two answers – one situational, one technical.

Distraction

First, it bears noting that March 2020 marked the height of ancillary distractions: political noise, as well as the COVID-19 pandemic that was quickly propagating across the United States and other parts of the Western world. The sudden shift to work-from-home environments for many, and for the tech industry most of all, combined with a flood of news, anxiety over the pandemic, and questions about how to continue daily life, left professionals more distracted and more prone to mistakes. The climate was a perfect recipe for attackers: distraction can be a gateway to existing vulnerabilities.

A Perfectly Crafted Attack

Second, if distraction wasn’t enough, the attack was well thought out and well executed, resulting in a breach so monumental that it was difficult to detect:

  • The attack included code signed by SolarWinds itself, lending the implanted malicious code an air of legitimacy.
  • Attackers kept their profile low, using temporary file replacement techniques and establishing legitimate remote access to existing systems.[2]

It is worth noting that instead of attacking government agencies directly, the attackers targeted FireEye and Microsoft to steal tools and code that would then enable them to compromise their targets from the inside, or via the “Supply Chain.”

After Microsoft realized it was breached via the SUNBURST attack, it then discovered its own security products were used to “further the attack on others.” This means that the potential set of victims is not just the 18,000 organizations who downloaded the compromised updates, but also all those 18,000 organizations’ customers, and the clients of those second-hand customers, and so on.

The NSA’s statements about the attack imply that it also involved a breach of the token-based authentication used with the Orion system. The NSA warned as well of a scenario where the attackers gained administrative rights that were used to add malicious certificate trust to cloud tenants.

The Business Impact on SolarWinds

There are very few tech alerts or newsletters that are not leading with stories of this attack, with additional analysis, areas of impact, and many theories. SolarWinds is being held accountable for the attack, facing a class-action lawsuit from a Texas-based shareholder who claims executives violated federal securities laws over the breach. The lawsuit makes preventing attacks more relevant than ever for businesses looking to avert the high financial cost of a cybersecurity breach.

What Are Businesses To Do?

Let’s begin with the bad news: it is almost impossible to totally prevent state-sponsored attacks; cyber-attacks are getting more frequent, and the COVID-19 pandemic has seen a 400% spike in such attacks since March 2020.[3]

One of the important things that organizations can do, however, is secure their systems by avoiding single points of failure throughout their critical infrastructure – particularly when it comes to signing code.

If there is one positive outcome to the SolarWinds attack, it is that there is now a spotlight on the need to protect the cryptographic keys used for code signing – both from theft and from misuse.

Implementing Best Practices: Unbound CORE Information Security

When it comes to cryptographic keys, Unbound Security believes that you can’t be too careful. Unbound’s CORE technology not only secures the storage of cryptographic keys, it also ensures keys are not misused and that careful audit and control are maintained at all times. The platform uses secure MPC (Multi-Party Computation) technology to perform these functions and to eliminate single points of failure in both management operations and runtime transactions.

Key Protection for Code Signing

Signing sensitive code requires extra care in ensuring that the signing is done with keys that are well protected and that strict controls are in place so that only legitimate requests to use these keys are honored. MPC makes it possible to cryptographically enforce rules that govern the use of keys for operations such as code signing. It can enforce, for example, that only code that was scanned by malware detection tools is signed. Similarly, it can enforce that the code being signed was reviewed, that the request was authorized by the relevant persons, and so on.
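To make the policy described above concrete, here is an added illustration (not Unbound’s code or API) of a signing service that releases a signature only when the required attestations are present: a clean malware scan, a recorded review, two independent approvers, and proof that the bytes being signed are the bytes that were checked. HMAC-SHA256 stands in for the asymmetric signing primitive, the MPC protection of the key itself is not modelled, and all names, fields, and sample artifacts are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed demo key; it merely stands in for the code-signing key.
SIGNING_KEY = b"demo-signing-key-not-for-real-use"
REQUIRED_SCANNERS = {"malware-scan"}  # hypothetical scanner name
MIN_APPROVERS = 2
AUDIT_LOG: List[dict] = []

@dataclass
class SignRequest:
    artifact: bytes
    attested_sha256: str    # digest the scan and review were performed on
    scans: Dict[str, str]   # scanner name -> "clean" or "infected"
    reviewed_by: List[str]
    approvers: List[str]
    requester: str

def evaluate_policy(req: SignRequest) -> List[str]:
    """Return policy violations; an empty list means signing is permitted."""
    problems = []
    # Bytes to be signed must be exactly the bytes that were scanned/reviewed.
    if hashlib.sha256(req.artifact).hexdigest() != req.attested_sha256:
        problems.append("artifact differs from the scanned/reviewed digest")
    for scanner in REQUIRED_SCANNERS:
        if req.scans.get(scanner) != "clean":
            problems.append(f"missing or failed required scan: {scanner}")
    if not req.reviewed_by:
        problems.append("no code review recorded")
    if len(set(req.approvers) - {req.requester}) < MIN_APPROVERS:  # no self-approval
        problems.append(f"need {MIN_APPROVERS} independent approvers")
    return problems

def sign_artifact(req: SignRequest) -> Optional[str]:
    # Every decision, allowed or denied, is recorded with its reasons.
    problems = evaluate_policy(req)
    AUDIT_LOG.append({"requester": req.requester, "digest": req.attested_sha256,
                      "allowed": not problems, "reasons": problems})
    return None if problems else hmac.new(SIGNING_KEY, req.artifact, hashlib.sha256).hexdigest()

def demo() -> Dict[str, bool]:
    # Constructed requests: compliant; artifact altered after scanning; self-approved.
    clean = b"release-1.0 binary (constructed)"
    digest = hashlib.sha256(clean).hexdigest()
    base = dict(scans={"malware-scan": "clean"}, reviewed_by=["rev1"], requester="ci-bot")
    ok = SignRequest(clean, digest, approvers=["appr1", "appr2"], **base)
    swapped = SignRequest(clean + b"+injected", digest, approvers=["appr1", "appr2"], **base)
    selfok = SignRequest(clean, digest, approvers=["ci-bot", "appr2"], **base)
    return {"compliant": sign_artifact(ok) is not None,
            "swapped": sign_artifact(swapped) is not None,
            "self_approved": sign_artifact(selfok) is not None}
```

The `swapped` case models the build-time injection pattern described on this page: the code was scanned and reviewed, but different bytes reach the signing step, and the policy refuses to sign them.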

Key Protection for Authentication

Unbound’s CORE system also helps protect against malicious attacks on an organization’s token-based authentication systems. Such an attack involves compromise of the private key used, for example, to sign SAML (Security Assertion Markup Language) tokens. The compromised private key is then used to forge trusted authentication tokens, for instance to access cloud resources.

Any enterprise using token-based authentication built on technologies such as SAML, OIDC, OAuth, FIDO, or WebAuthn must ensure that the private keys used to sign authentication tokens are properly secured against compromise and misuse.

Factoring In Cloud Architecture

The NSA has one more warning in the aftermath of the 2020 SolarWinds attack: the imperative to be on the lookout for scenarios where attackers gain access to administrative rights so they can add malicious certificate trust to the cloud. This underscores the importance of securing administrative actions related to cloud cryptography services.

Unbound’s approach is to lock down and secure the credentials used to administer cryptography services in the cloud, such that human admins do not perform any cryptography-related setup directly on the target cloud environment. This is similar to the well-accepted approach used for secure PAM (privileged account management).

In Conclusion

Organizations not yet doing so should ensure secure implementation of code signing, lock-down of the cryptographic keys used for authentication, and elimination of single points of failure in key management, together with prevention of key misuse. Lastly, incorporating effective detection of such breach scenarios is clearly required.

[1] “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA).” Cybersecurity and Infrastructure Security Agency (CISA), 5 Jan. 2021.

[2] Constantin, Lucian. “SolarWinds Attack Explained: And Why It Was so Hard to Detect.”

[3] “Coronavirus Is Now Possibly the Largest-Ever Security Threat – Here’s How We May Be Able to Tackle It.” Perspectives, Reed Smith LLP, 2020.