It seems that we hear about a new computer hack taking place almost every day. Some hacking stories make the headlines, and some don’t. Some of the biggest and best-known hacks that took place before the COVID-19 pandemic were those that hit Sony, the British Airways website, and the Marriott Group. During the pandemic, of course, the threat vectors exploded like never before. One of those hacks totally gripped the world: the SolarWinds security breach.
The reason why the SolarWinds hack gained so much attention was the magnitude of it, especially the entities that were responsible for it and all of the entities that were victims. For example, you have the Russians who were primarily blamed for the hack. Then there are the organizations who were gravely impacted by the hack, including Microsoft and some of the largest U.S. federal government agencies, such as the Department of Defense (DoD).
In this series of articles, we will take a closer look at what could be deemed one of the largest security breaches of all time. We’ll start by examining what really happened during the SolarWinds breach.
SolarWinds and its Orion software package
SolarWinds is a large software company that creates and deploys network monitoring tools. These tools are primarily used by larger companies in Corporate America, especially by Managed Service Providers (MSPs) that keep an eye on IT and Network Infrastructures for their clients.
Using SolarWinds tools, any type of anomaly can be detected in the network flow of traffic and corrective action can be taken immediately, often remotely. One such tool manufactured by SolarWinds is known as “Orion.”
SolarWinds breach: A Sophisticated Supply Chain Attack
It is important to note at this point that the SolarWinds hack is different than those we are accustomed to hearing about. Specifically, this is known as a “Supply Chain Attack.” This simply means that rather than breaking into the digital assets of SolarWinds, the hackers targeted third parties—the customers who used the Orion software package. Using this kind of approach, the Cyberattacker was able to breach into the lines of defense of many other private and public entities.
Now the question is: What was the main point of entry for all the havoc that ensued? Well, back in December 2020, many of SolarWinds’ customers that made use of Orion had already deployed two major software updates to the Orion software. But what customers believed were legitimate system patches were actually pieces of nefarious malware, disguised to look like safe downloads from Solar Winds.
Even more bewildering is the fact that the Cyberattackers had gained access to the software development platforms that created these updates going back as far as October 2019. They were able to access them through the gaps and vulnerabilities that were present in the many Microsoft Office 365 applications used daily by SolarWinds employees.
Once the Cyberattackers were inside and were able to stay inside undetected, they determined the best ways in which to cause the maximum amount of damage. They determined that inserting Trojan Horses into these platforms would be the best way to accomplish their goal. In March 2020, the Cyberattackers began inserting their malicious payloads, which would become known as “SUNBURST.”
The Cyberattackers also created various backdoors in these payloads, backdoors that would communicate with the third party servers over which they had control. From there, any Personal Identifiable Information (PII) datasets of employees and customers could be covertly hijacked. Those PII datasets could either be sold on the Dark Web for a rather nice profit or be used to launch subsequent Identity Theft attacks.
As if the breach wasn’t malicious and far-reaching enough, these malicious payloads, backdoors, and Trojan Horses actually appeared to be legitimate modifications to the software patches and upgrades that were ultimately downloaded by the many business and government entities that used the Orion system. Now, the next question is: How could this level of believability be established, and why did it take so long to discover? The answer is that the various types of malicious payloads were inserted into the “SolarWinds.Orion.Core.BusinessLayer.dll,” the Dynamic Link Libraries (DLLs) that were created exclusively for the software patches and upgrades for Orion. These DLLs were signed by Digital Certificates that verified their authenticity but were also covertly tampered with. To make matters worse, the design of the DLLs allowed them to remain dormant for a period of 14 days, so any confidential information could be easily transmitted back to the third-party servers.
What businesses and agencies were impacted by the breach?
Exactly how far reaching was the SolarWinds hack? Over 30,000 businesses and agencies were impacted on a global scale. Even FireEye, one of the largest Cybersecurity firms in the world, was affected by the SolarWinds breach. Other affected entities include the following:
- Department of Homeland Security
- Department of the Treasury
- Department of Commerce
- Department of State
- Department of Energy
- US Nuclear Security Administration
It is quite possible that other businesses and government agencies could have been impacted as well.
This article has provided a detailed look into how the SolarWinds hack actually occurred. This is one breach that will be well known for a long time to come, because of its global reach. But what is even more alarming is that this kind of Cyberattack used conventional threat variants, primarily the Trojan Horse. No new threat variants were created to carry out this Cyber Attack. The SolarWinds hack underscores that all entities, private and public, are at risk of falling victim to a large-scale security breach.
In a future article,, we will do a deeper dive into the timeline of how the SolarWinds hack played out.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He is also studying for his Certificate In Cybersecurity through the ISC2.