Post by Mel Hughes

Writing in Forbes on Mon 04-Jan-2021, Thomas Brewster suggests:

“The [SolarWinds] attacks show that the hackers were able to find a glaring loophole affecting both private and public sectors, and they had access to potentially exploit a huge number of companies and government departments.  But they also indicate that, whoever the attackers were, they only chose to steal data from a selection of thousands of victims, even where they had the chance to steal data from some of the world’s biggest businesses.”

SolarWinds has commented that the number of customers who might be affected by the attacks could be as high as 18,000. Other publications are parroting US Secretary of State Mike Pompeo by announcing that the perpetrator was “Russia”. Apart from the fact that “Russia” and “Russians” are nebulous entities, experience over the past ten years has taught cybersecurity professionals that attackers commonly mask their identity, so it is quite possible that the attackers were the Chinese Communist Party, the Iranian government, or any one of a number of foreign threat actors, possibly even internal threat actors. What we do know for certain is that, because the compromise went undetected for at least five (5) months, the data within these networks (user IDs, passwords, financial records, source code, and much more) can now be presumed to be in the hands of threat actors, foreign or domestic. Concurrently, normal hacker protocol would see viruses, logic bombs, worms, and other forms of malware deposited for future release.

The following is a selection of the major US agencies and firms which were reportedly breached:

· Department of State: which was, purportedly, first hacked by Russian threat actors in 2014

· Department of Homeland Security: which, via the Cybersecurity & Infrastructure Security Agency, oversaw the supposedly secure Nov-2020 US Presidential election

· National Institutes of Health: hosted by the Department of Health & Human Services, where reports had emerged during Summer 2020 that the SVR RF, the Foreign Intelligence Service of the Russian Federation, had targeted COVID-19 vaccine research

· The Pentagon: parts of the Department of Defense HQ were breached

· Department of Energy: which includes the National Nuclear Security Administration, suffered a breach which was claimed to be “..isolated to business networks only”; the DoE advises that the breach did not impact national security functions of the Department, including management of the nuclear weapons stockpile

· Department of the Treasury: among the first confirmed breaches of the federal government, wherein hackers were reportedly spying on internal emails, the extent of which was unknown as of Mon 04-Jan-2021

· Department of Commerce: similar reports to the Treasury

· State and local governments: Bloomberg reports that at least three (3) as yet un-named State governments were attacked; as a side note, The Intercept reported that the network of the city of Austin, Texas was breached

· Microsoft: which, as of Thu 30-Jan-2020, advised that it had been in touch with 40 customers who were breached and whose data was potentially exposed. Most customers were based in the US, but others were based across the world, from Mexico to the UK

As reported by Forbes on 06-Jan-2021, whilst there’s plenty of anxiety around the sensitivity of the data already stolen from victims’ networks, there’s even greater concern about any compromise of the critical infrastructure industry, of which GE is one of the biggest service providers in the world. In late Dec-2020, Rob Lee, founder of Dragos Security (protecting industrial control and critical infrastructure networks), made the crucial observation that: “In the world of industrial infrastructure our most sensitive networks… are often connected to many integrators, vendors and others for maintenance and support. Some of those vendors were using SolarWinds with or without the industrial company’s knowledge”. Lee went on to suggest that: “..numerous customers .. have .. claimed to not have SolarWinds [only] to find out over the next few days that they did, and the compromised version was present in their environment”.

Over the past fifteen (15) years, Alcea Technologies Inc. has developed competitively priced, user-friendly risk assessment, risk mitigation, risk management, standards compliance, and governance software for most industry verticals and lines-of-business horizontals. Our most recent endeavors have seen Alcea develop software variants which address IT security, cybersecurity, and cyber supply chain risk, all of which are critical to the management of situations such as the SolarWinds breaches. Please contact us to find out how we can assist you in preparing for such cybersecurity breaches while planning to mitigate future attacks.