SolarWinds Attack: Play by Play and Lessons Learned

The SolarWinds attack was a cyberattack that targeted several government agencies and corporations in the United States in 2020.

January 18, 2023

What Is the SolarWinds Attack? 

The SolarWinds attack was a cyberattack that targeted several U.S. government agencies and corporations in 2020. It was carried out by an advanced persistent threat (APT) group believed to be operating on behalf of the Russian government; in April 2021 the U.S. government formally attributed it to Russia's Foreign Intelligence Service (SVR).

The attack used a malicious software update for the SolarWinds Orion network management platform, which is widely deployed in government agencies and large enterprises. The update carried a backdoor, later named SUNBURST, that had been compiled into one of Orion's own libraries and signed with SolarWinds' legitimate code-signing certificate. It therefore installed as trusted vendor code and gave the attackers a foothold on the networks of every organization that applied it.

Once inside the networks, the attackers used various tactics to evade detection and maintain access, including the use of custom malware and legitimate system tools. They were able to compromise a number of high-profile targets, including the U.S. Department of Homeland Security, the Department of Energy, and the Department of Commerce.

The SolarWinds attack was discovered in December 2020, but the trojanized updates had been shipping to customers since the spring of 2020, and the attackers had been inside SolarWinds' environment for months before that. The attack has been described as one of the most sophisticated and far-reaching cyberattacks in history, and it has had significant consequences both for the affected organizations and for cybersecurity more generally.

This is part of a series of articles about supply chain security


How Did the SolarWinds Hack Happen? 

The SolarWinds hack happened when the attackers compromised the build process for the SolarWinds Orion platform. They inserted malicious code into a legitimate update, which SolarWinds then signed and distributed to its customers through the normal update channel. Because the code lived inside a signed vendor component, routine signature checks passed. Once installed, the backdoor stayed dormant for roughly two weeks before contacting its command-and-control infrastructure, which gave the attackers access to the system while reducing the chance of being noticed during post-install testing.

It is believed that the attackers targeted SolarWinds specifically because of the wide adoption of its software within government agencies and large businesses. By compromising the update process, the attackers were potentially able to reach every organization that installed the update; SolarWinds later estimated that about 18,000 customers had downloaded it.

Once they had a foothold, the attackers chose their follow-on targets selectively: only a small fraction of the organizations that installed the backdoor received hands-on follow-up activity. On those networks they used custom malware and legitimate system tools to evade detection and maintain access, and in several cases moved from the on-premises network into the organization's cloud identity and email environment.

How Was the Hack Detected and Remedied? 

The SolarWinds hack was detected when cybersecurity firm FireEye, investigating a breach of its own network in December 2020, traced the intrusion back to a malicious update for the SolarWinds Orion platform. Further investigation showed that the attackers had compromised SolarWinds' build process and inserted malicious code into a legitimate update, which was then distributed to SolarWinds customers.

Upon discovering the hack, FireEye published indicators of compromise and detection signatures so that other organizations could check for the backdoor, and SolarWinds released hotfixes for Orion that removed the malicious code. The backdoor's command-and-control domain was seized and sinkholed, so installed copies could no longer reach the attackers, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal agencies to disconnect or power down affected Orion servers.

Other organizations and government agencies also took steps to remediate the attack, including by implementing additional security measures, conducting network audits, and working with cybersecurity experts to identify and remove any remaining traces of the attack.

What Were the Damages Caused by the SolarWinds Attack? 

The damages caused by the SolarWinds attack were significant and far-reaching. One of the most significant consequences of the attack was the compromise of a number of high-profile targets, including the U.S. Department of Homeland Security. The attackers were able to gain access to the networks of these organizations and potentially exfiltrate sensitive information.

In addition to the direct consequences for the affected organizations, the SolarWinds attack had wider implications for cybersecurity and information security more generally. The attack was carried out using a sophisticated supply chain attack, in which the attackers were able to compromise a widely-used software update process to gain access to the networks of thousands of organizations around the world. This has raised concerns about the vulnerabilities of supply chain networks and the need for improved cybersecurity measures to protect against such attacks.

The SolarWinds attack has also had significant financial consequences for the affected organizations and for SolarWinds itself. The company’s stock price dropped significantly in the aftermath of the attack, and it has faced significant scrutiny and criticism for its failure to properly secure its software update process. 

The attack also led to increased spending on cybersecurity by affected organizations, as well as reputational damage for those that were compromised. One of the first reported losses was FireEye's own: the company disclosed that its Red Team tools, used by its ethical hackers in penetration tests, had been stolen from its network.

It is worth noting that the full extent of the SolarWinds hack may never be fully understood, as the attackers were able to operate undetected for several months before the attack was discovered. As a result, it is possible that some organizations may still be unaware that they were affected by the attack.

Cybersecurity Lessons from the SolarWinds Breach 

Supply Chain Exposures Shouldn’t Be Ignored

The SolarWinds breach is a reminder that supply chain exposures should not be ignored in cybersecurity. Organizations need to be aware of the potential risks associated with using third-party products and services, and take steps to mitigate those risks. This can include:

  • Implementing robust security measures: Organizations should have strong security measures in place to protect against supply chain attacks. This includes implementing strong authentication and access controls, as well as regularly updating and patching systems to fix vulnerabilities.
  • Conducting thorough vendor risk assessments: Organizations should carefully assess the risk posed by their vendors and partners, and implement measures to mitigate any potential risks. This includes conducting thorough background checks and regularly reviewing vendor security practices.
  • Implementing multi-factor authentication: Multi-factor authentication (MFA) requires users to provide multiple pieces of evidence to verify their identity, which can help prevent unauthorized access to systems. Organizations should consider implementing MFA for all users, especially those with access to sensitive data or systems.
  • Ensuring secure software development practices: Organizations should have secure software development practices in place to ensure that the software they produce or use is secure. This includes implementing code reviews, testing, and other quality assurance processes.

Ignoring supply chain exposures can have serious consequences, as the SolarWinds breach demonstrated. It is crucial for organizations to prioritize supply chain security in order to protect themselves and their customers from cyber threats.

Effective Security & Threat Detection Software Is Critical

Effective security and threat detection software is critical for protecting organizations against cyber threats like the SolarWinds breach. The SolarWinds backdoor went undetected for several months, allowing the attackers to compromise a number of high-profile targets and steal sensitive data. It was built to look ordinary: it ran inside a signed vendor process and disguised its command-and-control traffic as the platform's own telemetry, so catching it depended on noticing anomalous behavior rather than matching a known signature. This highlights the importance of having robust measures in place to detect and respond to unusual activity, not just to known threats.

There are several ways in which security and threat detection software can help protect organizations against cyber threats:

  • Real-time monitoring: Security and threat detection software can continuously monitor networks and systems for signs of potential threats, alerting administrators to any unusual activity. This can help organizations identify and respond to threats before they can do significant damage.
  • Advanced threat detection capabilities: Many security and threat detection software solutions use artificial intelligence and machine learning algorithms to analyze vast amounts of data and identify potential threats that might not be detected by traditional security measures.
  • Automated response: Some security and threat detection software can automatically respond to potential threats by taking predetermined actions, such as blocking access to a particular system or issuing an alert to administrators. This can help organizations mitigate the impact of potential threats and minimize damage.

By implementing these solutions, organizations can improve their ability to detect and respond to potential threats, helping to minimize the impact of any potential attacks.
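The "unusual activity" that real-time monitoring is meant to surface is often visible in the plainest telemetry an organization already collects. The following detector, an added example written for this article and not code from the original page or from any vendor product, runs over a constructed DNS resolver log and flags a host that contacts one parent domain through a stream of fresh, random-looking subdomains at regular intervals. The log lines, host names and domain names are all constructed; the thresholds are illustrative starting points, and the apex-domain helper is a deliberate approximation.

```python
"""Flag hosts that beacon to one parent domain through many unique, random-looking subdomains.

Added example: the log lines and domain names below are constructed for this article, not real telemetry.
"""
import math
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed DNS resolver log: "<UTC timestamp> <client host> <queried name>".
# mon01 queries a fresh random label under the same parent domain every ~30 minutes
# (beacon-like); ws17 shows ordinary, repetitive browsing to an intranet domain.
SAMPLE_DNS_LOG = """\
2020-06-01T10:00:00Z mon01 k3q9x7m2p1.cache.updates-cdn.invalid
2020-06-01T10:30:01Z mon01 z8w2r4t6y0.cache.updates-cdn.invalid
2020-06-01T11:00:02Z mon01 b5n7v1c3x9.cache.updates-cdn.invalid
2020-06-01T11:30:00Z mon01 q2w4e6r8t0.cache.updates-cdn.invalid
2020-06-01T12:00:01Z mon01 a1s3d5f7g9.cache.updates-cdn.invalid
2020-06-01T10:05:00Z ws17 www.corp-intranet.invalid
2020-06-01T10:07:13Z ws17 mail.corp-intranet.invalid
2020-06-01T10:41:59Z ws17 www.corp-intranet.invalid
2020-06-01T13:02:00Z ws17 files.corp-intranet.invalid
2020-06-01T14:15:31Z ws17 www.corp-intranet.invalid
"""


def parse_dns_log(text):
    """Return a list of (timestamp, host, name) tuples from the simple log format above."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append((when, host, name.lower().rstrip(".")))
    return records


def apex_domain(name):
    """Registrable parent domain, approximated as the last two labels.
    A production detector should use the public suffix list instead."""
    return ".".join(name.split(".")[-2:])


def shannon_entropy(label):
    """Bits of entropy per character; random-looking labels score high, words score low."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def detect_beacons(records, min_queries=4, min_unique_ratio=0.8,
                   min_entropy=3.0, max_interval_cv=0.2):
    """Score each (host, apex domain) pair on three signals and return the ones
    that look like beaconing: almost every query uses a new subdomain, the
    subdomain labels look random, and the queries are evenly spaced in time."""
    groups = defaultdict(list)
    for when, host, name in records:
        groups[(host, apex_domain(name))].append((when, name))

    findings = []
    for (host, apex), entries in sorted(groups.items()):
        if len(entries) < min_queries:
            continue
        entries.sort()
        leftmost = [name.split(".")[0] for _, name in entries]
        unique_ratio = len(set(leftmost)) / len(leftmost)
        mean_entropy = statistics.mean(shannon_entropy(lbl) for lbl in leftmost)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(entries, entries[1:])]
        mean_gap = statistics.mean(gaps)
        # Coefficient of variation of the gaps: near 0 means clock-like spacing.
        interval_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if (unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy
                and interval_cv <= max_interval_cv):
            findings.append({
                "host": host, "apex": apex, "queries": len(entries),
                "unique_ratio": round(unique_ratio, 2),
                "mean_entropy": round(mean_entropy, 2),
                "mean_interval_s": round(mean_gap),
                "interval_cv": round(interval_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in detect_beacons(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f"{f['host']} -> {f['apex']}: {f['queries']} queries, "
              f"{f['unique_ratio']:.0%} unique labels, entropy {f['mean_entropy']}, "
              f"every ~{f['mean_interval_s']}s (cv {f['interval_cv']})")
```

Run against the constructed log, only mon01 is reported: five queries, every label unique, high entropy, and a gap of about 1800 seconds with almost no variation. ws17 repeats the same handful of ordinary names at irregular times and is left alone. The three signals are deliberately combined, because any one of them on its own (a CDN with hashed hostnames, a scheduled job hitting a fixed name) produces false positives.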

The Need For Software Bill of Materials

One of the key lessons from the SolarWinds breach is the need for better supply chain security. By compromising the software update process for the SolarWinds Orion network management platform, the attackers were able to gain access to the networks of thousands of organizations around the world. 

A software bill of materials (SBOM) is a comprehensive list of all the components that make up a particular piece of software, including any third-party libraries or open-source components. An SBOM can help organizations understand the components that make up a piece of software and identify potential vulnerabilities or supply chain exposures. It would not, on its own, have revealed the SolarWinds backdoor, which was compiled into the vendor's own component rather than arriving as a listed third-party dependency. Where an SBOM pays off is in the response: once a compromise is announced, it lets an organization answer quickly which of its products and systems embed the affected component and at which version.

There are several benefits to having an SBOM, including:

  • Improved security: By identifying all the components that make up a piece of software, organizations can better understand and mitigate any potential vulnerabilities or supply chain exposures.
  • Improved compliance: An SBOM can help organizations meet regulatory requirements, such as those related to software licensing and procurement.
  • Improved transparency: An SBOM can help organizations understand the components that make up a piece of software and make informed decisions about whether to use it.
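The response-time value of an SBOM is the ability to answer "where is component X deployed, and is it at an affected version?" from records you already hold. The script below is an added example written for this article, not code from the original page or from any SBOM tooling. It keeps two constructed CycloneDX-style SBOM documents for two hypothetical internal deployments, cross-references them against a constructed advisory list, and reports both where a component is used and which deployments are exposed. The product names, component names, versions and advisory identifiers are all invented for illustration; the version comparison is simplified and flagged as such in the code.

```python
"""Answer "which of our systems embed component X, and at an affected version?" from SBOMs.

Added example: the SBOM documents, deployment names, component names and advisories below are
constructed for this article; they describe no real product or vulnerability.
"""
import json

# Constructed CycloneDX-style SBOMs for two hypothetical internal deployments.
SBOM_INVENTORY = {
    "netops-monitoring": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "application", "name": "example-nms-agent", "version": "2020.2.1",
             "supplier": {"name": "Example Vendor"}},
            {"type": "library", "name": "jquery", "version": "3.4.1"},
            {"type": "library", "name": "log4net", "version": "2.0.8"},
        ],
    }),
    "billing-portal": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.4",
        "components": [
            {"type": "library", "name": "jquery", "version": "3.6.0"},
            {"type": "library", "name": "log4net", "version": "2.0.8"},
        ],
    }),
}

# Constructed advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "example-nms-agent",
     "introduced": "2020.2.0", "fixed": "2020.2.2"},
    {"id": "ADV-EXAMPLE-2", "component": "jquery",
     "introduced": "0", "fixed": "3.5.0"},
]


def version_key(version):
    """Dotted numeric version -> tuple for ordering. Non-numeric parts sort lowest;
    a real implementation should use the component ecosystem's own version scheme."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def load_components(sbom_json):
    """Return (name, version) pairs from a CycloneDX-style SBOM document."""
    doc = json.loads(sbom_json)
    return [(c["name"].lower(), c.get("version", "")) for c in doc.get("components", [])]


def is_affected(version, advisory):
    """True when the version falls inside the advisory's [introduced, fixed) range."""
    v = version_key(version)
    return version_key(advisory["introduced"]) <= v < version_key(advisory["fixed"])


def where_used(inventory, component):
    """Deployments whose SBOM lists the component at any version (the incident-response question)."""
    component = component.lower()
    return sorted(dep for dep, sbom in inventory.items()
                  if any(name == component for name, _ in load_components(sbom)))


def find_affected(inventory, advisories):
    """Cross every SBOM against every advisory; return the exposed (deployment, component, version)."""
    findings = []
    for deployment in sorted(inventory):
        for name, version in load_components(inventory[deployment]):
            for adv in advisories:
                if name == adv["component"].lower() and is_affected(version, adv):
                    findings.append({"deployment": deployment, "component": name,
                                     "version": version, "advisory": adv["id"]})
    return findings


if __name__ == "__main__":
    print("example-nms-agent is embedded in:", where_used(SBOM_INVENTORY, "example-nms-agent"))
    for f in find_affected(SBOM_INVENTORY, ADVISORIES):
        print(f"{f['deployment']}: {f['component']} {f['version']} affected by {f['advisory']}")
```

With the constructed inventory, where_used shows that both deployments carry jquery but only netops-monitoring carries the hypothetical vendor agent, and find_affected reports two exposures, both in netops-monitoring, while billing-portal's newer jquery falls outside the advisory range. The point of keeping the inventory as machine-readable documents rather than a spreadsheet is that this query runs in seconds across every deployment on the day an advisory lands.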

Access Controls Can Offer a Strong Defense

One of the key lessons from the SolarWinds breach is the importance of having robust access controls in place to prevent unauthorized access to sensitive data or systems. By compromising the software update process for the SolarWinds Orion network management platform, the attackers were able to gain access to the networks of thousands of organizations around the world. 

Access controls are measures that are put in place to ensure that only authorized individuals or systems are able to access certain resources or data. Strong access controls can help by requiring additional authentication or authorization before allowing access to sensitive data or systems.

There are several types of access controls that organizations can combine to build a strong defense against cyber threats:

  • User authentication: This involves verifying the identity of users before allowing them access to certain resources or data. This can be done through the use of passwords, security tokens, or biometric authentication methods.
  • Access control lists (ACLs): ACLs are used to specify which users or systems are allowed to access certain resources or data. They can be used to restrict access to sensitive data or systems to only authorized individuals or groups.

  • Role-based access controls: In this model, access to certain resources or data is based on the role or responsibilities of the user. This allows organizations to more easily manage access to sensitive data or systems.
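The three mechanisms above are normally layered rather than chosen between: roles decide what a principal may do in general, ACLs narrow that to named resources, and anything not explicitly permitted is denied. The following policy evaluator is an added example written for this article, not code from the original page or from any product. Its roles, principals, resources and ACL entries are constructed, with a deliberately narrow "monitoring-service" role to show why a network-management service account should hold only the permissions it actually needs.

```python
"""Deny-by-default authorization combining roles (RBAC) with per-resource ACLs.

Added example: the roles, principals, resources and decisions below are constructed for this
article and do not describe any real product's access model.
"""

# Roles grant coarse permissions of the form "<resource type>:<action>".
ROLE_PERMISSIONS = {
    "monitoring-service": {"metrics:read", "hosts:read"},   # only what a monitoring agent needs
    "network-admin": {"hosts:read", "hosts:write", "configs:read", "configs:write"},
    "auditor": {"configs:read", "audit-log:read"},
}

# Principals (users and service accounts) are assigned roles, never raw permissions.
PRINCIPAL_ROLES = {
    "svc-monitor": {"monitoring-service"},
    "alice": {"network-admin"},
    "bob": {"auditor"},
}

# Per-resource ACLs narrow a role grant to named principals; an explicit deny always wins.
RESOURCE_ACLS = {
    "configs/core-router": {"allow": {"alice"}, "deny": set()},
    "audit-log/main": {"allow": {"bob"}, "deny": {"svc-monitor"}},
}


def permissions_for(principal):
    """Union of the permissions granted by all of a principal's roles."""
    perms = set()
    for role in PRINCIPAL_ROLES.get(principal, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def authorize(principal, action, resource):
    """Return (allowed, reason). Order of evaluation:
    1. explicit ACL deny                                  -> denied
    2. no role grants "<type>:<action>"                   -> denied
    3. resource has an ACL and principal is not allowed   -> denied
    4. otherwise                                          -> allowed
    An unknown principal has no roles and so falls through to deny at step 2."""
    rtype = resource.split("/", 1)[0]
    needed = f"{rtype}:{action}"
    acl = RESOURCE_ACLS.get(resource)

    if acl and principal in acl["deny"]:
        return False, f"explicit deny on {resource}"
    if needed not in permissions_for(principal):
        return False, f"no role grants {needed}"
    if acl and principal not in acl["allow"]:
        return False, f"not on allow list for {resource}"
    return True, f"{needed} granted by role, ACL check passed"


if __name__ == "__main__":
    checks = [
        ("svc-monitor", "read", "metrics/cpu"),            # allowed: in scope for the agent
        ("svc-monitor", "write", "configs/core-router"),   # denied: role never granted configs:write
        ("svc-monitor", "read", "audit-log/main"),         # denied: explicit ACL deny
        ("alice", "write", "configs/core-router"),         # allowed: role grant plus ACL allow
        ("bob", "write", "configs/core-router"),           # denied: auditor role is read-only
        ("bob", "read", "configs/core-router"),            # denied: role ok, but not on the ACL
        ("mallory", "read", "metrics/cpu"),                # denied: unknown principal, no roles
    ]
    for principal, action, resource in checks:
        allowed, reason = authorize(principal, action, resource)
        print(f"{'ALLOW' if allowed else 'DENY':5} {principal} {action} {resource}: {reason}")
```

The decisions worth noticing are the ones the role alone would get wrong: bob's auditor role grants configs:read, but the ACL on configs/core-router still keeps him out, and svc-monitor is explicitly denied the audit log even though nothing in its role would have granted it anyway. Evaluating deny before allow, and returning a reason with every decision, keeps the policy auditable when it grows beyond a handful of entries.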