The Radiflow Security Blog
Behind the News: the SolarWinds Security Attack
By Ilan Barda, CEO, Radiflow
Earlier this week it was revealed that SolarWinds, whose Orion software is a very popular tool for managing IT networks, has been a victim of a massive supply chain attack that had affected thousands of businesses as well as US government agencies.
The attack involved penetrating the SolarWinds network and infecting an official update of the Orion software. As a result, over a period of several months, malware-weaponized Orion updates were downloaded around 18,000 times, allowing the malware to enter customers’ internal networks.
Once installed in the customer’s network, the malware was able to communicate with its external command-and-control infrastructure by masquerading as SolarWinds’ own protocol and applying multiple additional detection-avoidance mechanisms, such as using C&C servers located in the victim’s country, among others.
According to some sources, the attack was perpetrated by government-sponsored hackers (allegedly Russian) aiming to penetrate critical US networks.
Behind the News: Key Takeaways
- First, the very sobering news: while supply-chain attacks are nothing new, it’s fair to say that this is one of the most severe of its kind. If SolarWinds’ Orion was hacked, we should assume that any such software provider can be hacked.
- Furthermore, from past experience, once a sophisticated attack like this one occurs, the tactics and vulnerabilities it used will very likely be duplicated (although with less sophistication) by cybercrime actors to achieve their own goals (e.g. financial gain, extortion, etc.).
- And with too many ICS networks inadequately protected as it is, we can expect to see more and more incidents of attackers taking control of industrial networks through compromised central management systems.
- As for who’s behind the attack: while the SolarWinds breach was attributed to nation-state-sponsored hackers (in this case Russia), unaffiliated actors will likely copycat this attack’s methods and TTPs for pure financial gain.
Prevention: Continuous Threat and Risk Monitoring
- Supply-chain attacks manifest as changes in network behavior (e.g. a device detected communicating with an external IP address). Therefore, industrial networks need to be continuously monitored to detect any change in network patterns.
- To effectively protect your network, you need to know your network risk. In the SolarWinds attack, the first-stage malware was in total stealth mode for 14 days from its first installation. This indicates that periodic (annual or even quarterly) risk assessments no longer suffice; risk analysis needs to be performed continuously so it can be quickly updated to reflect newly published attacks.
- Finally, any risk analysis and resulting risk mitigation plan should take into account that OT networks are not infallible and can be breached, and therefore account for resiliency and contingency mechanisms.
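The first prevention point above, that a supply-chain compromise shows up as a change in a device’s network behavior, is easy to put into practice with a simple baseline-and-deviation check. The following is an added example and not Radiflow’s code or a description of any Radiflow product: it learns, per source host, which destinations, ports and protocols were seen during a learning window of flow records, then flags flows in a later window that were never seen before, treating destinations outside the plant’s own address space as the highest-severity case. The key=value log format, the host names, the addresses and the OT address range are all constructed for the example.

```python
# Added example (not Radiflow's code): learn a per-device baseline of outbound
# connections from constructed OT flow logs, then flag flows that deviate from
# it. Destinations outside the plant's configured address ranges are reported
# with high severity, since that is the classic sign of a device "phoning home".
import ipaddress
from collections import defaultdict

# Assumed plant address space (configuration invented for this example).
OT_RANGES = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed key=value flow records: a learning window, then later traffic.
LEARNING_LOG = """\
ts=2020-12-01T08:00:00Z src=plc-01 dst=10.10.1.5 dport=502 proto=tcp
ts=2020-12-01T08:00:05Z src=hmi-01 dst=10.10.1.5 dport=502 proto=tcp
ts=2020-12-01T08:01:00Z src=mgmt-srv dst=10.10.1.5 dport=161 proto=udp
ts=2020-12-01T08:01:30Z src=mgmt-srv dst=10.10.1.20 dport=443 proto=tcp
"""

DETECTION_LOG = """\
ts=2020-12-14T09:00:00Z src=plc-01 dst=10.10.1.5 dport=502 proto=tcp
ts=2020-12-14T09:00:10Z src=mgmt-srv dst=203.0.113.7 dport=443 proto=tcp
ts=2020-12-14T09:00:20Z src=hmi-01 dst=10.10.1.20 dport=3389 proto=tcp
"""

REQUIRED = {"src", "dst", "dport", "proto"}


def parse_flows(text):
    """Parse key=value lines into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if REQUIRED.issubset(fields):
            fields["dport"] = int(fields["dport"])
            flows.append(fields)
    return flows


def build_baseline(flows):
    """Per source host, the set of (dst, dport, proto) seen in the window."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((f["dst"], f["dport"], f["proto"]))
    return dict(baseline)


def is_external(ip):
    """True when the address lies outside every configured OT range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in OT_RANGES)


def detect_deviations(baseline, flows):
    """Return one alert per flow that is absent from the learned baseline."""
    alerts = []
    for f in flows:
        key = (f["dst"], f["dport"], f["proto"])
        if key in baseline.get(f["src"], set()):
            continue  # known pattern for this host
        external = is_external(f["dst"])
        alerts.append({
            "ts": f.get("ts", "?"),
            "src": f["src"],
            "dst": f["dst"],
            "dport": f["dport"],
            "proto": f["proto"],
            "severity": "high" if external else "medium",
            "reason": "external destination" if external
                      else "new internal peer or service",
        })
    return alerts


def run():
    """Learn from LEARNING_LOG, then check DETECTION_LOG against it."""
    baseline = build_baseline(parse_flows(LEARNING_LOG))
    return detect_deviations(baseline, parse_flows(DETECTION_LOG))


if __name__ == "__main__":
    for a in run():
        print(f"[{a['severity']}] {a['ts']} {a['src']} -> "
              f"{a['dst']}:{a['dport']}/{a['proto']} ({a['reason']})")
```

Run as-is, the management server’s new connection to 203.0.113.7 is reported as high severity and the HMI’s new RDP session to an internal host as medium, while the PLC’s routine Modbus traffic stays silent. In a real deployment the learning window would be long enough to cover the plant’s normal cycle, the baseline would be refreshed continuously rather than frozen (which is the post’s point about periodic assessments no longer sufficing), and an approved-change list would suppress alerts for planned maintenance.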