Before this week you could be forgiven for not having heard of SolarWinds, the network performance and systems monitoring software vendor that will now be known for the biggest espionage hack on record and another example of a) why you can’t trust your supply chain and b) why we need to raise the bar on vendor security.
SolarWinds, slightly ironically, helps organisations to identify and solve critical networking problems and boasts that it makes ‘patch management a breeze’. However malicious code was put in a software update to its network monitoring tool Orion, distributed in and after March this year. Anyone who installed the Orion patch around that time, planted a backdoor trojan known as Sunburst.
Writing in the FT, Robert Hannigan, chairman of BlueVoyant International and a former director of GCHQ says the attack may turn out to be the most serious nation-state espionage campaign in history.
Details of the attack were first revealed on 13 December by security firm FireEye, which disclosed at the start of December that it had been breached by “a nation state adversary.”
If you are looking for a really good description of precisely how the attack works, check out this article from the Symantec threat hunter team
Once installed the malware phones home to enable the hackers – a group who appear to be associated with nation state hacking group Cozy Bear – to take further action.
Much like the nation state NotPetya attack that took down DLA Piper for a few days back in 2017, supply chain attacks are designed to attack indiscriminately and at scale, and the full impact of the SolarWinds hack is still unknown, with Microsoft and VMware among those to confirm their systems have been breached. The Verge reports that the US Treasury, Commerce, State, Energy, and Homeland Security departments have been affected, and the Wall Street Journal reports that Cisco, Intel, Nvidia and Belkin have all had computers on their network infected with the malware. The estimate of how many organisations are affected in total runs into many, many thousands, most of which are just collateral damage.
In a slightly ironic twist, it was DLA Piper that advised SolarWinds on its float on the New York Stock exchange a couple of years ago, although there is no suggestion that the firm has been affected by this latest attack.
For the legal sector, the SolarWinds hack spews up multiple issues and challenges for law firms and vendors. For starters, many law firms are heavily invested in SolarWinds, which is now faced with a raft of litigation and an uncertain future.
We have been here before: the trojan masqueraded as privileged traffic that looks normal to network monitoring, and, speaking to Legal IT Insider, one CIO at a top US law firm said: “If you had controls in place the activation will not be executed. Just like ransomware, it’s spun out and they wait for it to communicate. Once activated it can grab and send files, move to other control points and give actors another footprint to execute the commands that are available to this trojan.”
In that firm, it was Crowdstrike that detected the malware, and the CIO adds: “There’s been enough information from DLA, Seyfarth and others – you have to focus on making sure that the type of behaviour that looks normal is detected and prevented.”
The CIO added: “If wasn’t for that, we would have to go back to March and see if it had called home.”
Crowdstrike, fyi, is a SaaS solution that offers prevention against malware and also advanced targeted attacks that do not use malware. It uses machine learning for pre-execution prevention, analysing millions of file characteristics to decide if they are malicious and enabling it to block known and unknown threats.
Legal services organisations and vendors alike are already receiving nervous questions over whether they have been exposed to SolarWinds. But after the dust settles, there are some bigger questions to ask, and what’s needed now is a) a call to action to vendors with privileged access to core systems to care about security as much as they care about their core product and b) law firms to ensure that they have the expertise required to properly audit their supply chain.
Speaking to Legal IT Insider, Prosperoware founder Keith Lipman said: “We care so much about security that we have embraced ISO 27001 and SOC 2: it’s not cheap to do but the certifications are all about putting in place the right security controls and processes. It’s a process maturity around how you and your organisation get audited, and the audit is done by accountants.” He adds: “The SolarWinds attack is the clearest demonstration that you should invest heavily in security and add further resources.”
Hannigan says in the FT: “Each time these intrusions are uncovered inside the supply chain of governments and companies we routinely describe them as “extremely sophisticated”, indicating “nation state capability”. This covers our collective embarrassment and implies that there is nothing we can do to prevent them. But it is simply not the case. The truth is that, however expert these malign cyber actors may be, they are exploiting weaknesses which we continue to tolerate.”
He adds: “The way that the malware hides, propagates and communicates may be technically dazzling. But more often than not these attacks are delivered in the first place by exploiting very basic security lapses.” After NotPetya, an investigation found that the Ukrainian software company had not patched its servers for several years. Cloud Hopper gained access through spear-phishing. Hannigan says: “Internal controls allowed attackers to move around and linger. We do not yet know how SolarWinds was compromised, but there is a reasonable chance that it will turn out to be through a well-known vulnerability.”
Many law firms, if they are honest, are still unable to audit their supply chain to the extent that is needed. The onus is on everyone to up their game. 2020 is the year that keeps on giving but shaving costs on security could end up being a far more expensive exercise.
Prevalent has created a helpful set of questions for you to ask your vendors regarding their response to this breach. Check it out on their blog.
If you’re not already SolarWinded out, you might want to check these out:
This blog by Microsoft’s president Brad Smith, calling for a strong global cybersecurity response, is worth a read
Wired normally rounds up the biggest cybersecurity stories at the end of the year but this year says there is just one: how Russia pulled off the biggest espionage hack on record, see here.