Thoughts on the SolarWinds breach
You’re likely not a target of the SolarWinds breach but you still need to secure your digital supply chain.
On the evening of December 13, 2020 I imagine a lot of information security professionals had their quiet Sunday disturbed by the joint disclosures from FireEye and SolarWinds about a compromised component of SolarWinds’ Orion software. There’s a lot of good analysis from FireEye and CISA; many others have published great write ups as well. The compromised component gave the attackers remote access to victim networks, and technical analysis makes it highly likely that this was a Russian intelligence operation.
Of the estimated 18,000 organizations that downloaded and installed the malicious software containing SUNBURST (also known as Solarigate), at least 40 are reported to show signs of follow-on compromise by the threat actor behind SUNBURST, code named COZY BEAR.
On the low end that means that ~0.1% of companies that use SolarWinds Orion experienced an actual breach (40 of 33,000); that’s past tense because the command and control infrastructure used to manage the malicious code has been neutralized, detection signatures have been widely deployed and the malicious code has been removed from SolarWinds’ builds. I personally doubt that the number of victims will exceed 1%. The threat actor is almost certainly Russian intelligence and they’re not known for financially motivated ransomware attacks; they’re not going for mass exploitation, this is not a smash-and-grab. COZY BEAR went after targets of significance to Russian national interests, and they did so slowly and carefully over several months to avoid detection. The vast majority of SolarWinds customers are likely not in the targeting selector for Russian spies. The nature and style of the attack means that each breach required a lot of careful manual work; the backdoor was widely deployed to reach the desired targets but it wasn’t being used en masse to compromise every victim.
There is a very strong possibility that even if you had the malicious code in your network, nothing happened. You still need to remove the malicious code, check your logs and follow the other recommendations made by SolarWinds, FireEye and Microsoft.
Using reliable threat intelligence and thoughtful analysis means organizations can make informed decisions about how to respond and where to allocate their limited resources. In this case, the threat intelligence tells us we can move quickly but calmly.
This is not the first significant supply chain compromise - software vendors and open source projects have been a target of hackers for years. Look up CCleaner (twice), HandBrake, npm (Node.js), RubyGems and M.E.Doc for just a few from the last decade.
Hackers, whether financially motivated or undertaking intelligence operations, will seek out the biggest return on their investment. Going after the software supply chain has significant return; compromise one, breach many. It has the potential to be an internet scale attack.
Malware, even well engineered malware like the SUNBURST (Solarigate) code found in SolarWinds, is not autonomous and it is not intelligent. Threat actors benefit from keeping their initial malware as small as possible. Not only does this increase reliability and reduce the chance of detection, it also allows for a layered or staged attack. As an attacker, you don’t want to deploy your “weapons” into some security researcher’s lab environment where they can be dissected; to avoid this you separate your malware into stages. The first stage checks that the system it has landed on is one where more malicious code can be downloaded undetected. If it is safe to do so, the first stage downloads a second stage payload with more capabilities. Once the second stage is downloaded and launched, the threat actor gains control of the system running SolarWinds. From there, the threat actors moved quietly through their victims’ networks seeking other, less obtrusive routes to gain and persist access. Moving away from SUNBURST once the initial compromise was complete helped them stay under the radar and is probably one of the reasons SUNBURST went undetected for so long.
The SolarWinds attack was sophisticated; the code was engineered to evade detection but, more importantly, the threat actors showed restraint in their use of the backdoor and strong operational security. The tradecraft the threat actors showed is what makes this sophisticated; the malicious code itself is well thought out but not particularly special. Public estimates are that 18,000 SolarWinds customers installed the compromised software. Public repositories of the unique domain names it generated show that at least 1,000 actually ran it; there are likely many more.
Thousands of companies had the first stage (inside SolarWinds); very few are reporting that they got the second stage. SUNBURST’s first stage did its checks and then phoned home to the threat actors’ command and control infrastructure with an encoded message. That message has been decoded by Microsoft, QQ and others: it contains enough information to tell the threat actors the name of the victim’s network (generally some variant of the company name), and so whether it was a target of interest. It is likely that the threat actors were looking for specific networks, and the Microsoft analysis also shows they knew which networks to avoid. It’s likely that the vast majority of the compromised SolarWinds instances never got follow-on commands.
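The first stage’s DNS phone-home is the one place where an organization that only ever had stage one can still find evidence in its own logs. The script below is an added example for this post, not code from SolarWinds, FireEye or Microsoft: it scans DNS query logs for the publicly reported SUNBURST beacon pattern (an encoded label, then appsync-api.<region>.avsvmcloud.com with the four region labels FireEye and CISA published) and, as a looser heuristic for beacons of the same style, for a long high-entropy first label on any domain. The log format, the sample lines, the subdomain strings (random strings, not decoded SUNBURST samples) and the length and entropy thresholds are constructed for the example.

```python
"""Flag SUNBURST-style first-stage DNS beacons in DNS query logs.

Added example for this post (not SolarWinds, FireEye or Microsoft code).
The C2 domain, the appsync-api.<region> naming and the region labels are
from the public FireEye/CISA reporting; the log format, sample lines,
subdomain strings and thresholds are constructed for this demonstration.
"""
import math
import re
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple

# Publicly reported SUNBURST beacon: <encoded id>.appsync-api.<region>.avsvmcloud.com
SUNBURST_RE = re.compile(
    r"^(?P<label>[a-z0-9]+)\.appsync-api\."
    r"(?:eu-west-1|us-east-1|us-east-2|us-west-2)\.avsvmcloud\.com$"
)

MIN_RANDOM_LABEL = 16  # assumption: encoded first labels are long
MIN_ENTROPY = 3.5      # assumption: bits/char typical of encoded, not human, labels


class Finding(NamedTuple):
    ts: str
    client: str
    qname: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Parse 'ts client qname qtype' (constructed format); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qname, qtype = parts
    return ts, client, qname.lower().rstrip("."), qtype


def classify(qname: str) -> Optional[str]:
    """Documented C2 pattern first, then the looser random-label heuristic."""
    if SUNBURST_RE.match(qname):
        return "sunburst-c2-pattern"
    first = qname.split(".")[0]
    if len(first) >= MIN_RANDOM_LABEL and shannon_entropy(first) >= MIN_ENTROPY:
        return "long-high-entropy-label"
    return None


def scan(lines) -> List[Finding]:
    """Return one Finding per suspicious query, skipping malformed lines."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname, _ = rec
        reason = classify(qname)
        if reason:
            findings.append(Finding(ts, client, qname, reason))
    return findings


def hosts_to_review(findings: List[Finding]) -> List[str]:
    """Clients that emitted the documented C2 pattern: image these first."""
    return sorted({f.client for f in findings if f.reason == "sunburst-c2-pattern"})


# Constructed sample resolver log; the long labels are random strings, not
# decoded SUNBURST identifiers.  10.20.30.40 plays the Orion server.
SAMPLE_LOG = """\
2020-06-12T03:14:07Z 10.20.30.40 www.example.com A
2020-06-12T03:14:09Z 10.20.30.40 r1q5tqcdkh0tprngmw8.appsync-api.eu-west-1.avsvmcloud.com A
2020-06-12T03:14:12Z 10.20.30.41 mail-attachments.example.com A
2020-06-12T03:15:44Z 10.20.30.40 7cbvvzhquhmx85f8pkwk3j.appsync-api.us-east-2.avsvmcloud.com A
2020-06-12T03:16:00Z 10.20.30.42 ntp.example.org A
2020-06-12T03:16:30Z 10.20.30.43 kx9d2p0v7qa4m1ztbc6nhj.update.example-vendor.test A
this line is malformed and is skipped
"""

if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.ts} {f.client} {f.qname} [{f.reason}]")
    print("hosts to review:", hosts_to_review(found))
```

The generic heuristic is intentionally noisy: the thresholds are a starting point to tune against your own resolver logs (the constructed mail-attachments label shows why the entropy bar sits where it does), and a hit on it only means look closer. A hit on the documented pattern means pull the host for forensic review before anything else.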
Bottom line: A well thought out and very focused attack; most organizations should be concerned enough to clean up and review logs quickly but not so concerned as to take drastic action.
How do we defend against this in the future?
- Defense in depth - layered and complementary controls… logging, active monitoring and threat hunting, antivirus along with Endpoint Detection and Response, patching along with configuration hardening, strong passwords along with two factor authentication, network segmentation and zero trust, access governance and privileged access management, behavioural analytics and threat intelligence, and the list goes on…
- Asset and configuration management - know everything that’s in your network so that you can respond quickly and understand the impact of potential breaches.
- Talk with your vendors about the security of your supply chain (and theirs) - Wade Baker published a great dissertation on what good practices are for encouraging stronger supply chain security.
Things that likely won’t work:
- Reviewing vendor code - unless it’s open source, most vendors won’t let you see their code. Even if you could see the code, how many products do you have in your environment, how often are they getting updated, how big is the code base and how many days will it take to get familiar with the code base? You likely don’t have enough security staff.
- Testing updates for signs of malicious code - attacks like this are designed to detect if they’re in a lab and shut down to evade detection. SUNBURST waited at least 12 days before it did anything; how long are you willing to wait?
- Vendor assessments - Vendor assessments are not sufficiently predictive. Vendors either won’t realise they have holes in their security or won’t tell you (they’re financially motivated to tell you everything is fine). With a little irony (and lots of empathy) I point out that SolarWinds published an article in September 2020 about the security of their development practices and environment; how do you think they would have answered a questionnaire? Their published security statement suggests they would have told you all the things you would want to hear. They would not have told you their controls were strong out of deceit but because they truly believed they were; in their position you would have believed it too. To paraphrase: everyone thinks they’re secure until they get punched in the mouth by Russian national intelligence.
Most information security professionals have roles that are not in the national intelligence space. Security professionals who safeguard a nation’s security have a hard job and need to think about far more unlikely scenarios. For the rest of us, we need to focus on pragmatic security that appropriately manages the most likely risk events, and our controls should be commensurate with that.