The SolarWinds Saga Continues: Microsoft Estimates 1000 Developers Rewrote Code for the Attack
By Randy Becker, CISO & VP, Network and Security Consulting
SolarWinds, Solorigate, Sunburst, Teardrop, Sunspot, Raindrop… will it ever end? (Check out Microsoft’s deep dive for a comprehensive summary.) The breach was even the lead story on 60-Minutes with Microsoft President Brad Smith and FireEye CEO Kevin Mandia interviewed.
In particular, Brad Smith gave some eye-opening statements communicating the sheer scale of the breach:
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”
Smith also said Microsoft hired 500 engineers to dig into the attack. They estimate over 1,000 engineers/developers/“hackers” worked on this attack. Where do you find 1,000 hackers!? 4000 plus lines of code were added to the application without detection. The methods used to pull this off were ingenious.
He also said the supply chain attack “exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.”
Does our current cybersecurity strategy need to change? Are we doing enough to protect our critical infrastructure? What is next? Is there anything we can do?
FireEye was the first company to detect this supply chain attack after the breach and their intellectual property was stolen for performing red team penetration testing—the information was first shared on 12/8/2020.
This will not be the last of these types of attacks and a lot of the recommendations made to secure and harden an environment that uses SolarWinds can apply to organizations that use any type of monitoring and management tools. SolarWinds Orion was strategically chosen because of the type of application it is, the type of access it has to critical systems on the network, and its large customer footprint. The same thing could happen to any application of this nature.
CISA continues to update through Alert AA20-352A https://us-cert.cisa.gov/ncas/alerts/aa20-352a, which was last revised on 2/8/2021. Any IT or security professional should thoroughly review the Alert, especially the Mitigations section; it provides lots of recommendations that anyone can implement to further harden and protect their environment. Being able to see exactly what is being exploited gives you an opportunity to be proactive.
Here is another great (detailed!) blog from Microsoft that provides guidance for incident responders on recovery from systemic identity compromises. It also includes IOCs on how to harden your infrastructure and begin to recover from this attack, along with lessons learned from incident response for on-premises and cloud environments.
As always, if you have any questions or need help securing your business, please reach out to your GreenPages Account Executive or contact us.
