Thousands of businesses scramble after SolarWinds is hacked

The SolarWinds attack is the most astonishing breach of 2020. The attackers' creativity, persistence, and resources were remarkable. I found it particularly interesting because the initial compromise of one vendor triggered a far larger supply chain incident that affected thousands of organizations, including the U.S. government. Below we look at how the attack was carried out and why it was so catastrophically successful.

The attackers took advantage of a less secure element in the supply chain, the vendor's build and update pipeline, and used it to infiltrate thousands of organizations downstream. According to Microsoft, evidence suggests the attackers first tested their ability to insert code into SolarWinds' product by adding empty, harmless classes to it. This preparatory work is believed to have started in October 2019.

Eventually, the attackers inserted malicious code into a DLL component of the official software. The compromised DLL was then distributed to customer organizations through the vendor's normal update channel, so it arrived looking like a legitimate update. When the updated software starts up, the compromised DLL loads the backdoor. The backdoor first runs through a series of checks to make sure it is running inside a real target network rather than an analysis environment, then connects to a command and control (C2) server to receive new orders, including additional C2 domains, and funnels gathered information back to the attacker. Because the backdoor executes whatever commands the attacker sends, it can be used for credential theft, privilege escalation, or lateral movement.
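One place defenders can catch the behaviour described above is the C2 stage: a backdoor that beacons out and is handed fresh C2 domains tends to resolve many long, random-looking hostnames under a single parent domain. The following Python script is an added example, not code from the original article or from any SolarWinds analysis; it runs a generic DGA-style heuristic over a few constructed DNS log lines (timestamp, client IP, queried name). The log format, the client IPs and the parent domain `appsync-api.update-cdn.example` are all assumptions made up for the example, not real indicators.

```python
import math
import re
from collections import defaultdict

# Assumed log format: "<timestamp> <client-ip> <queried-name>", one query per line.
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log; none of these hosts, IPs or domains are real indicators.
SAMPLE_DNS_LOG = """\
# constructed test data, not real telemetry
2020-12-13T09:00:01Z 10.0.5.21 update.example
2020-12-13T09:00:04Z 10.0.5.21 k4fh2q9ndz7x1c8b3l.appsync-api.update-cdn.example
2020-12-13T09:00:07Z 10.0.5.21 www.vendor-portal.example
2020-12-13T09:15:03Z 10.0.5.21 p9v3x7qr2lm8w5bd1t.appsync-api.update-cdn.example
2020-12-13T09:30:02Z 10.0.5.21 g6s1yc0hu4ez8jn2kf.appsync-api.update-cdn.example
2020-12-13T09:30:09Z 10.0.5.22 mail.example
2020-12-13T09:31:00Z 10.0.5.22 r2d7ks9fa1mv6xq3wz.appsync-api.update-cdn.example
2020-12-13T09:32:00Z 10.0.5.22 aaaaaaaaaaaaaaaaaaaa.cdn.example
"""


def shannon_entropy(s):
    """Bits of entropy per character in s (0.0 for a single repeated character)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(label, min_len=16, min_entropy=3.5):
    """A leftmost DNS label is suspicious if it is long and close to random."""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def parse_dns_log(text):
    """Parse the assumed log format into (timestamp, client, qname) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole scan
        ts, client, qname = m.groups()
        records.append((ts, client, qname.lower().rstrip(".")))
    return records


def find_beaconing_hosts(records, min_distinct=3):
    """Group DGA-like labels by (client, parent domain); flag groups with several
    distinct labels, which is what rotating C2 hostnames look like in DNS logs."""
    seen = defaultdict(set)
    for _ts, client, qname in records:
        label, _, suffix = qname.partition(".")
        if suffix and is_dga_like(label):
            seen[(client, suffix)].add(label)
    return {key: sorted(labels) for key, labels in seen.items()
            if len(labels) >= min_distinct}


def detect_from_sample():
    """Run the detector over the constructed sample log."""
    return find_beaconing_hosts(parse_dns_log(SAMPLE_DNS_LOG))


if __name__ == "__main__":
    for (client, suffix), labels in detect_from_sample().items():
        print(f"{client} resolved {len(labels)} DGA-like names under {suffix}:")
        for label in labels:
            print(f"  {label}.{suffix}")
```

On the sample data only 10.0.5.21 is flagged: it resolved three distinct high-entropy labels under the same parent, whereas 10.0.5.22 resolved one random-looking label plus a long but zero-entropy one. The thresholds are deliberately crude; CDN and cloud hostnames with hashed labels will trip an entropy test, so in production the parent-domain allowlist and the distinct-label count are where tuning happens, not the entropy cut-off alone.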

This breach affected companies such as FireEye, Microsoft, and Cisco. No company is immune to a well-planned and cleverly executed attack like this one.

When we think about conflict, there is air, land, sea, and space, and now there is cyber. In cyber, however, the private sector is front and center. Any conflict in cyberspace, whether driven by criminals or by geopolitical conditions, will involve both government and the private sector. That is why cybersecurity remains a critical challenge for businesses large and small.

