SolarWinds – What Do We Know and What Can We Learn From It?

By Eva Lorenz and Taylor Ey

SolarWinds made its name as a developer of network monitoring tools that help companies large and small run their environments efficiently. Although SolarWinds is not a security company from a product standpoint, customers assumed that the code behind its tools was protected as intellectual property and that its updates were safe to run. Both assumptions turned out to be wrong.

How Was the Compromise Detected?

In late 2020, FireEye, a cybersecurity company that helps organizations around the world respond to incidents, detected unusual activity on its own network. The detection came when the attackers, using an employee's stolen credentials, tried to enroll a new device in FireEye's multi-factor authentication system. The system notified the employee whose credentials had been stolen and alerted FireEye's security team to the new device. That notice triggered an internal investigation into who was trying to register the device. FireEye's in-depth analysis traced the intrusion back to a SolarWinds product called Orion. Some analysts believe that attacking FireEye was a mistake on the attackers' part, since it sped up detection of the SolarWinds compromise.

How Long Were the Attackers in the SolarWinds Environment?

Current understanding is that the SolarWinds environment was first compromised in September 2019. After the initial intrusion (how the attackers got in is still unknown), they injected harmless test code to see whether SolarWinds' monitoring would pick up the change. When no alerts fired, the attackers moved to the real malicious code in early 2020, around February and March. The incident was not detected until December 2020, roughly fifteen months after the initial access.

Why Is the SolarWinds Attack So Unusual?

While hacks of IT companies are an everyday occurrence, what makes the SolarWinds attack unusual is that one company's incident was used as a springboard into many other companies. Without going into too much technical detail, the attackers used their access to the SolarWinds environment to tamper with a SolarWinds product in a way that let the compromise spread to SolarWinds customers.

By altering the code that SolarWinds pushed out as updates, the attackers gained footholds in the environments of SolarWinds customers who used the Orion platform and installed the updates containing the malicious code, which opened a back door for the attackers into those environments. Customers downloaded the malicious updates between March and June 2020. What made this attack truly pernicious was that the malicious code was hidden in the supply chain: it arrived through the vendor's own update channel.

As most users know from their IT support, you must keep your computer up to date. When IT consultants give security awareness seminars, one lesson they stress is to apply updates promptly as one of the best defenses against hackers. In this case, though, dutifully applying updates is what made client environments vulnerable. SolarWinds is not the first supply chain attack (the 2017 NotPetya outbreak also spread through a compromised software update), but it is one of the most far-reaching, and it exposed supply chain weaknesses at many companies, including members of the Fortune 500. Customers trusted SolarWinds to supply clean, working updates and applied them without the scrutiny they would give a suspicious email with an unexpected attachment. That trust is hard to avoid: the tampered update was built and digitally signed by SolarWinds itself, so a signature check alone would not have flagged it.

What Happened: An Attack in Carefully Planned Stages

By early June 2020, the attackers had removed their malware from the SolarWinds environment, since they now had back doors into a number of high-profile companies and government agencies. The attack then entered its second stage. The malware in customer environments had been in place for several months and was "calling home" with information about each environment. This call-home process mattered because it let the attackers learn about possible targets within each customer environment, their defenses, and any tools or processes the attackers could use to further the attack. The attackers used this information to tailor the next step, choosing commands and tools that gave them the best chance of success. Because these next steps were customized per victim, common defenses such as signatures for malicious files and executables, or indicators of compromise based on specific files accessed or external resources contacted, were of limited use. Detecting this stage depends on spotting suspicious behavior rather than on recognizing known bad files.
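The "calling home" behavior described above is one thing a defender can look for without knowing the attacker's files or domains in advance: an implant that checks in on a timer produces connections at nearly constant intervals. The following is an added illustration written for this article, not code from the article's authors or from any SolarWinds product. It assumes a constructed log format (one line per outbound connection: ISO timestamp, source host, destination) and hypothetical host and domain names; a real deployment would parse proxy, firewall, or DNS resolver logs instead, and the thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag hosts that are "calling home" on a timer (added example).

Assumptions, not from the article: log lines look like
"<ISO timestamp> <source host> <destination>", and all names below are
constructed (.test is a reserved, non-routable top-level domain).

An implant beaconing to its operators connects at nearly constant
intervals, so the gaps between connections for that (source, destination)
pair have a very small spread relative to their mean. That regularity is
visible even when the file, domain, and commands are custom to the victim
and no signature or known indicator exists for them.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. ws-17 fetches from an update server at irregular,
# user-driven times; monitor-01 contacts an unknown host every ~10 minutes
# with a few seconds of jitter.
SAMPLE_LOG = """\
2020-04-01T08:00:00 ws-17 cdn.example-updates.test
2020-04-01T08:03:41 ws-17 cdn.example-updates.test
2020-04-01T08:29:05 ws-17 cdn.example-updates.test
2020-04-01T09:52:19 ws-17 cdn.example-updates.test
2020-04-01T11:01:47 ws-17 cdn.example-updates.test
2020-04-01T08:00:00 monitor-01 status.example-unknown.test
2020-04-01T08:10:03 monitor-01 status.example-unknown.test
2020-04-01T08:19:58 monitor-01 status.example-unknown.test
2020-04-01T08:30:01 monitor-01 status.example-unknown.test
2020-04-01T08:40:05 monitor-01 status.example-unknown.test
2020-04-01T08:49:57 monitor-01 status.example-unknown.test
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events[(src, dst)].append(datetime.fromisoformat(ts))
    return events


def gap_stats(times):
    """Return (mean, population stdev) of the gaps, in seconds, between sorted timestamps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return mean(gaps), pstdev(gaps)


def find_beacons(events, min_connections=5, max_cv=0.1):
    """Return {(src, dst): stats} for pairs whose gaps are nearly constant.

    cv is stdev / mean of the gaps (coefficient of variation). A timer with
    small jitter gives a cv near zero; human-driven traffic gives a large one.
    min_connections avoids judging regularity from only a few samples, and
    max_cv is a tunable sensitivity knob (both values are assumptions).
    """
    flagged = {}
    for key, times in events.items():
        if len(times) < min_connections:
            continue
        avg, sd = gap_stats(times)
        cv = sd / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            flagged[key] = {"count": len(times), "period_s": round(avg), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst} every ~{stats['period_s']}s "
              f"({stats['count']} connections, cv={stats['cv']})")
```

Run as a script, it reports the monitor-01 pair (period about 599 seconds) and ignores the workstation's irregular update traffic. Treat a hit as a lead, not proof: legitimate agents and update checkers also poll on timers, so the flagged destination still has to be checked against what the host is supposed to talk to.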

Now What? How Will This Impact My Legal Practice?

This incident has implications not only for information technology professionals but also for practicing lawyers. Lawyers may be advising clients on how to respond to incidents of this type, and they should also confirm that their own firms have reasonable security measures in place to protect client information.

It is unlikely that a scheme as sophisticated as the one used to compromise SolarWinds will be aimed at a law firm directly; such attacks are labor intensive and beyond the reach of most attackers. A law firm that runs a compromised product is still exposed, however, and any organization can learn from this incident and improve its security posture even if it is not a prime target.

Law firms and other organizations should take steps to mitigate the risk of cyberattacks that target third-party software providers such as SolarWinds. Steps to consider include the following:

  • Due diligence. Perform due diligence on third-party software providers before engagement and throughout the relationship. Prioritize the vendors and products whose compromise would have the biggest impact on the organization; network monitoring and management tools such as Orion rank high because they typically have privileged access across the environment.
  • Legacy software. Create an inventory of legacy products and of products about to become legacy. Legacy products present risk for a number of reasons, including that the vendor no longer supports them (e.g., no longer tests for vulnerabilities or issues patches) or that the software lacks security features that are now standard practice (e.g., data is not encrypted at rest).
  • Patching. For supported software, keep patching according to best practices. The risk of leaving systems unpatched is far higher than the risk of a SolarWinds-type incident arriving through an update.
  • Response plan. Prepare for an incident before it occurs: document a response plan and run table-top exercises to practice responding to a scenario. Look into cyber insurance coverage if you do not have it, or reassess coverage under your existing policy. Consider engaging third parties (e.g., forensic investigators, breach notification services) before an incident so they are available and ready to assist when one happens.
  • Contract terms. Ensure contract terms with software providers address notification of and response to an incident, including time frames for notice and response consistent with applicable law, as well as liability and risk allocation.