Supply chain attacks: what we know about the SolarWinds ‘Sunburst’ exploit, and why it still matters

The word ‘unprecedented’ has been used a lot over the past year, and with good reason given the huge impact of COVID-19 on societies and businesses around the world.  Alongside the global pandemic, there was the volatile and bitter U.S. election and Britain’s departure from the EU:  and to add to the disruption, 2020 also saw the discovery of a cyberattack that was truly unprecedented in its sophistication and scale.

On December 8 2020, the cybersecurity company FireEye revealed to the press that they’d been breached by an APT (advanced persistent threat) group and had some of their ‘white hat’ cyber assessment tools stolen. In the following days, Microsoft, SolarWinds and even the US government revealed that they’d all experienced breaches that were traced back to a hack on SolarWinds’ core IT management software. The APT group had added a backdoor known as ‘Sunburst’ to the SolarWinds Orion system which was then distributed to SolarWinds customers globally, hidden in what appeared to be a routine software update. This backdoor gave the APT group access to thousands of SolarWinds customers’ networks, enabling them to explore those networks under the security radars of the organizations’ security teams.

Cooperating fully, SolarWinds shared documents revealing that more than 18,000 customer organisations had downloaded the compromised Orion software update, including hundreds of Fortune 500 companies. However, while the hack itself impacted thousands of companies across the US, Europe, Asia and the Middle East, the threat actors involved seemed focused on targeting leading technology companies, government agencies and consultancy firms. Those targeted victims included several US departments of state, from Homeland Security to the U.S. Treasury, and more than 100 private companies including Intel, Cisco, Microsoft and Belkin.

Reports also recently emerged that the ATP group responsible involved Russian hackers who launched their attack from within U.S. borders in order to cover their tracks and complicate efforts to investigate their activities. In a press conference, more than 2 months after the incident, the U.S. deputy national security advisor said that investigators were still in the “beginning stages” of understanding the scope and scale of the attack. Microsoft president, Brad Smith, also spoke out, calling the hack the “largest and most sophisticated cyberattack ever.”

Understanding the attack

So how was the attack constructed and executed by the threat actors? What we currently know shows that it involved top-tier cyber-capabilities and must have been months, if not years, in the making. How SolarWinds’ networks were first breached is still being investigated, but one prevailing theory is that the initial phase involved hacking the company’s Office 365 accounts. This enabled the threat actors to gain access to SolarWinds’ internal network, then move laterally to the cloud to steal sensitive files and credentials. They could then forge a token for a highly privileged account in the Azure Active Directory and gain admin privileges using those stolen credentials.

What makes the SolarWinds hack particularly dangerous is that it leveraged cloud-based services to orchestrate a supply-chain attack. Because access to those services was obtained via authentication systems based on already-compromised networks, the attackers were able to breach companies’ defences without raising any alarms. The current trend toward cloud migration and digital transformation sees countless businesses adopting a hybrid approach that combines cloud-based and on-premise networks. The SolarWinds hack is designed to exploit this hybrid vector perfectly, meaning that a huge number of businesses globally are potentially vulnerable.  Check Point first predicted these types of multi-vector, fast-moving, large-scale Gen V attacks two years ago, and they are hitting organizations globally more frequently than ever before.

Building stronger security links

Supply-chain attacks such as the SolarWinds exploit show just how insidious and damaging these ‘unknown unknown’ threats can be, where no-one is aware of the flaw apart from the attackers who are exploiting it.  To prevent future attacks, organizations need to ensure that they employ the basic core security practices of endpoint protection, email security, least-privilege access and network segmentation across their infrastructure, to make it harder for adversaries to infiltrate networks and move laterally within the organization to access critical assets.

Organizations also need to deploy defense-in-depth, ensuring that multiple protections operate in harmony to identify and prevent different attack vectors in real-time, such as blocking command and control traffic as well as exploits of vulnerable elements.  It’s critical that organizations have holistic visibility and automated protections in place across their entire environment, including their on-premise networks, SDN and public cloud deployments, because the old cliché still apples:  a chain is only as strong as its weakest link.  If organizations cannot identify when a weak link is being targeted, then they risk falling victim to an attack.

Find out more about the Sunburst attack and the threat of similar supply-chain attacks in Check Point’s new 2021 Security Report.