The US federal government was hit by a massive cybersecurity incident that sounds like it came straight out of a movie. Suspected Russian nation-state actors were not only able to break into critical systems at an extensive list of federal agencies, they were able to occupy them for months, conducting a large-scale espionage operation while US officials were none the wiser. This tale of a US government hack featuring third-party security risk, nation-state hacking, phishing, and cybercrime should serve as a caution for every organization.
Third-Party Vendors Bring Risk
The unravelling of this cybersecurity catastrophe began with security heavyweight FireEye announcing that it had been breached by suspected Russia-backed nation-state hackers. The company said the attackers had stolen its Red Team tools, the toolkit it uses to simulate real attacks against clients' networks and test the defenses around some of the world's most critical data. FireEye also noted in a blog post that this was a highly unusual attack, seemingly tailored to that single objective and using techniques its analysts had never seen before.
The next round of revelations turned those winds into a tornado. Multiple US federal agencies began discovering that they too had been breached, in attacks traced to Russia-backed hackers: the group tracked as APT29, better known as "Cozy Bear", which is linked to Russia's SVR foreign intelligence service. All of these agencies shared a common denominator: they ran network monitoring software from Austin-based developer SolarWinds.
Then SolarWinds announced that it too had been breached by suspected Russian nation-state hackers. The attackers obtained legitimate credentials that let them move through SolarWinds' systems undetected, possibly through some form of phishing. They then inserted malicious code into the build of a routine update to the company's Orion platform, monitoring software commonly used by government agencies, Fortune 500 companies, and other large organizations with demanding security needs.
You see mundane tasks, but bad actors see opportunity
Patching, updating, and maintenance are routine tasks that IT teams perform every day. They don't get much attention, which makes them the perfect way for a careful attacker to get inside an important organization without raising suspicion. Patches aren't applied blindly: they go through review to make sure functionality is maintained. But hardly anyone looks twice at the security implications of an update from a trusted vendor like SolarWinds, especially one that carries the vendor's own valid code signature, as the tainted Orion update did. That blind trust is what opens companies up to supply chain risk.
But in a record-breaking year for cybercrime, this update was anything but routine: it was laced with malware that opened a back door into the systems of everyone who applied it. SolarWinds advised customers in an SEC filing that Orion Platform versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, contained the malicious code. Of the company's roughly 300,000 customers worldwide, it estimated that fewer than 18,000 may have installed an affected version. CISA responded with Emergency Directive 21-01, ordering federal agencies to disconnect or power down affected Orion instances, and has released updated guidance since.
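The first practical question after an advisory like this is "which of our hosts are inside the affected range?" Version strings with hotfix suffixes ("2019.4 HF 5", "2020.2.1 HF 2") do not sort as plain text, so a naive string comparison gets it wrong. The script below is an added example written for this page, not SolarWinds' or CISA's tooling. It takes the range quoted above (2019.4 through 2020.2.1, treated as inclusive) as its boundaries, assumes that a hotfix sorts after its base version and that anything later than the top of the range is unaffected, and runs over a constructed host inventory. Treat the output as a triage list to confirm against the vendor's current advisory, not as a final verdict.

```python
import re

# Affected range as quoted above from SolarWinds' SEC filing; treated as inclusive here (assumption).
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1"

# Accepts "YYYY.m", "YYYY.m.p", optionally followed by "HF n" (hotfix). Other formats are rejected.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return a comparable tuple (major, minor, patch, hotfix).

    A hotfix is assumed to sort after its base version ("2020.2 HF 1" > "2020.2"),
    which is how the range check below treats it.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected(version_text):
    """True if the version falls inside the affected range quoted on the page."""
    return parse_version(AFFECTED_LOW) <= parse_version(version_text) <= parse_version(AFFECTED_HIGH)


# Constructed inventory for the demo; host names and versions are made up.
INVENTORY = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-prod-02", "2020.2.1 HF 2"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-old-01", "2019.2 HF 3"),
    ("orion-dr-01", "2020.2"),
]


def affected_hosts(inventory):
    """Return the sorted list of host names running a version inside the affected range.

    Unparseable version strings are reported separately by needs_review() rather than
    silently skipped, so a typo in the inventory cannot hide an affected host.
    """
    return sorted(host for host, ver in inventory if _parses(ver) and is_affected(ver))


def needs_review(inventory):
    """Hosts whose version string could not be parsed and must be checked by hand."""
    return sorted(host for host, ver in inventory if not _parses(ver))


def _parses(ver):
    try:
        parse_version(ver)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print(f"{host}: inside affected range, isolate and follow the vendor/CISA guidance")
    for host in needs_review(INVENTORY):
        print(f"{host}: version string not understood, review manually")
```

Feed it your real inventory (from your CMDB or the Orion web console) in place of INVENTORY; the point of the parser is that "2020.2 HF 1" is correctly flagged while "2020.2.1 HF 2" is not, which a string comparison would get backwards.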
The impact strikes far and wide
That extensive list includes many major organizations, among them multiple US federal government agencies and administrative operations, as well as national defense targets, including:
The US Department of Homeland Security
The US Department of State
The National Institutes of Health
The US Department of Commerce
The US Department of the Treasury
As organizations began to assess the damage, it became clear that the attacks had been carried out with great subtlety. The intruders had been quietly reading email accounts, copying data, reviewing records, and accessing other sensitive information inside US federal agencies for months. It is not yet clear what the full scope of the damage is or how intensive the recovery will be.
Beyond US government targets, major entities including non-US government agencies, power companies, manufacturers, and defense contractors are at risk of incursion, or may already have attackers using these techniques moving around inside their systems. The intruders made a habit of using legitimate credentials to reach systems and data whenever possible, and they created and deleted their working files quickly to reduce their footprint, which makes them harder to catch. Two things worth hunting for, then, are files that exist for only seconds and valid accounts acting outside their normal pattern.
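The "create a file, use it, delete it within seconds" habit described above leaves a pattern in file-activity telemetry even when the file itself is gone. The script below is an added example for this page, not tooling from FireEye, SolarWinds or any vendor; it runs over a constructed sample log in a simplified key=value format (not real Sysmon or EDR output), pairs each file creation with the next deletion of the same path on the same host, and reports the pairs whose lifetime is under a threshold. The host names, users and paths in the sample are made up.

```python
from datetime import datetime

# Constructed sample events; adapt parse_event() to your real source (Sysmon EID 11/23, EDR file events, etc.).
SAMPLE_EVENTS = [
    "2020-06-12T09:14:02Z host=SRV-ORION1 user=svc_orion action=create path=C:\\Windows\\Temp\\a1b2.tmp",
    "2020-06-12T09:14:09Z host=SRV-ORION1 user=svc_orion action=delete path=C:\\Windows\\Temp\\a1b2.tmp",
    "2020-06-12T09:20:00Z host=SRV-ORION1 user=jdoe action=create path=C:\\Users\\jdoe\\Q2 report.docx",
    "2020-06-12T11:45:31Z host=SRV-ORION1 user=jdoe action=delete path=C:\\Users\\jdoe\\Q2 report.docx",
    "2020-06-12T23:58:40Z host=WS-FIN07 user=svc_backup action=create path=C:\\ProgramData\\x.dll",
    "2020-06-12T23:59:05Z host=WS-FIN07 user=svc_backup action=delete path=C:\\ProgramData\\x.dll",
    "2020-06-13T00:10:00Z host=WS-FIN07 user=svc_backup action=delete path=C:\\ProgramData\\never_seen.dll",
]


def parse_event(line):
    """Parse one sample line into a dict. The path is the last field and may contain spaces."""
    ts, host, user, action, path = line.split(" ", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host.split("=", 1)[1],
        "user": user.split("=", 1)[1],
        "action": action.split("=", 1)[1],
        "path": path.split("=", 1)[1],
    }


def short_lived_files(lines, max_lifetime_seconds=60):
    """Report files deleted within max_lifetime_seconds of being created on the same host.

    Events are sorted by time first so out-of-order log delivery does not break the pairing.
    A delete with no matching create (file predates the log window) is ignored here.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["time"])
    pending = {}    # (host, path) -> the creation event awaiting its delete
    findings = []
    for ev in events:
        key = (ev["host"], ev["path"])
        if ev["action"] == "create":
            pending[key] = ev
        elif ev["action"] == "delete":
            created = pending.pop(key, None)
            if created is None:
                continue
            lifetime = (ev["time"] - created["time"]).total_seconds()
            if lifetime <= max_lifetime_seconds:
                findings.append({
                    "host": ev["host"],
                    "user": ev["user"],
                    "path": ev["path"],
                    "lifetime_seconds": int(lifetime),
                    "deleted_at": ev["time"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in short_lived_files(SAMPLE_EVENTS):
        print(f"{f['deleted_at']} {f['host']} {f['user']} {f['path']} lived {f['lifetime_seconds']}s")
```

On real telemetry this heuristic is noisy on its own (installers and browsers create short-lived temp files constantly), so use it as one signal to join with others: the account involved, the directory, and whether a process loaded the file before it vanished.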
The fallout from this mess will reverberate throughout the cybersecurity landscape for many months, if not years, to come. One important takeaway from this incident can help businesses avoid similar pitfalls in the future: it’s time to take the risk of unanticipated disasters from third-party compromise seriously. No company can afford to just hope that their vendors and partners are taking security as seriously as they do.
Get Stronger Locks to Keep Cybercriminals out
The first line of defense for every company is secure identity and access management. The hackers in these incidents were careful to use legitimate credentials whenever possible, most likely gained through password cracking and phishing. Adding a secure identity and access management solution like Passly to your security stack is a must-have.
Passly provides protection against hacking in essential ways that help keep your systems and data safe.
Multifactor Authentication – Take the bite out of a stolen, phished, or cracked password by requiring a second identifier for that user to gain access to systems and data.
Secure Shared Password Vaults – Keep your company’s most valuable passwords for critical systems and data in a central location with special security protection. Not only does this make it easy for IT teams to get to important passwords quickly in an emergency incident, but it also throws up additional roadblocks between highly privileged credentials and hackers.
Contact Maggard Technology Solutions today to see how we can protect your business. Don't wait to put simple, affordable protection in place that keeps cybercriminals out. Password security is a business essential, but it's also a tremendous tangle of tools, solutions, and conflicting priorities. We make it easy for you to make sure that the right people in your business have access to the right things, and only the right people.