Last week a serious cybersecurity breach concerning SolarWinds’ Orion network- and remote-monitoring platform was revealed. Orion has been implemented by a great many organizations, including the White House, the Pentagon, the U.S Department of energy and many other government agencies and technology companies.
This cyberattack was particularly clever, in that the perpetrators designed the malware to look like Orion software files with a signed certificate. When the user deployed what he or she thought was a legitimate update, the malware was distributed. The traffic looked exactly like Orion traffic, so there were no red flags; consequently, it was easy to overlook the breach, which is why it was so widely distributed. Learn more about how this breach can impact public safety agencies by registering for MCP's cyber briefing today at 1 p.m. Eastern.From a cybersecurity perspective, this sort of attack is highly sophisticated. It is classified as a Trojan backdoor—in short, the cyberattackers injected infected code masked as a legitimate software file into the Orion packages. That code then propagated via routine software updates that, from all appearances, looked to be legitimate.
The Department of Homeland Security’ Cybersecurity Infrastructure and Security Agency (CISA)—which is responsible for the nation’s cybersecurity—is working to determine the extent of the damage, and it likely will be weeks, even months before it completes its investigation. But some aspects already are known, as follows:
- The malware may have been present in some networks for most of the past year.
- Once in place, the malware enables cyberattackers to move laterally through an organization’s network in search of vulnerabilities; when they are found, additional malware could be unleashed.
- The cyberattackers who breached the Orion platform also accessed and stole tools used by the “red team” employed by cybersecurity solutions provide FireEye. A red team mimics an attack to reveal weaknesses in an organization’s cybersecurity posture and to demonstrate how such attacks can be mitigated. Cyberattackers possessing the FireEye red-team tools at best could use the knowledge to better understand the red team’s tactics and, at worst could use the knowledge to turn the tables
There are a few suggestions that we’d like to make to our clients in response to all of this, as follows:
- Err on the side of caution and presume that, if your organization employs the Orion platform, that your network environment has been breached.
- Further assume that the breach within your network environment is far-reaching.
- Isolate all systems running the Orion platform and its components and implement all patches recommended by SolarWinds.
- Ensure that you have installed up-to-date antimalware software to include the countermeasures and detection signatures indicated by FireEye and Microsoft
- Perform a thorough, independent assessment of your networks and systems to identify vulnerabilities and run tools that can detect malware that may be present—some of which the cyberattackers may be planning to execute at a later date.
Regarding the last bullet point, Mission Critical Partners’ NetInform™ solution is designed to deliver a comprehensive assessment of an organization’s network and information technology environment to uncover areas of risk. We would welcome the opportunity to limit the impact of the SolarWinds breach on your critical infrastructure via this service—please reach out.
Mike Beagles is MCP’s platform and service product manager and a certified Cisco CyberOps associate. He has more than 13 years of IT and cybersecurity experience. Mike can be emailed at MikeBeagles@MissionCriticalPartners.com.