By Connor Walsh, CISSP
The value of network visibility is hard to overstate: it gives organizations the ability to see, detect, analyze, monitor, proactively fix and troubleshoot network issues with ease. Without it, administering the vast web of networks we see today would be nearly impossible. Many companies have built products to put that control in administrators' hands, but none has matched the reach of SolarWinds Inc., whose suite of products is used by hundreds of thousands of organizations worldwide. So, what do you get when a consistent market leader in network management software offers tools that give administrators sweeping, privileged reach across their networks? A single vendor whose update channel becomes a path into every one of those networks: the disastrous SolarWinds Sunburst.
Although Sunburst (also called Solorigate) was discovered in December 2020, the suspected Russian advanced persistent threat (APT) behind it, dubbed "Cozy Bear," had been at work for more than a year. In September 2019, the attackers gained access to SolarWinds' environment and spent roughly six months developing, injecting and testing their code in the software build before it was distributed to SolarWinds' customers as a backdoored, yet legitimately signed, .dll file inside an update to the Orion platform. After customers unknowingly downloaded and installed the update, the code lay dormant for up to two weeks before executing commands that profiled the host system and disguised its command-and-control traffic as legitimate Orion traffic; from there the attackers could deliver second-stage tools and move laterally to other systems on the network. From deployment to detection, the attackers potentially had around seven months of access to an infiltrated organization's data, which was retrieved and sent back to attacker-controlled servers.
SolarWinds estimated that up to 18,000 of its customers had installed the affected Orion update containing the compromised .dll, although the attackers appear to have pursued follow-on activity on only a small subset of those installations. The full impact is not yet known, but at the time of drafting this article a number of organizations have reported that they were affected. The list is alarming: the U.S. Department of Homeland Security (DHS), the National Institutes of Health (NIH), the State and Treasury departments, Microsoft, Cisco and Intel. One of the most striking victims is FireEye, a cybersecurity firm with some of the best cyber defenses in the world, which was also the company that first disclosed the backdoor. What the attackers did with the data they accessed from all of these organizations could easily have catastrophic consequences for our country.
Many of the medical devices we manage in our environment run Microsoft operating systems on Intel processors, with Cisco equipment as the networking backbone. We should continue to pay attention to the growing list of companies that confirm they were impacted by this compromise. As those organizations finish analyzing their log data, we must watch their final debriefs closely so that we are prepared and informed enough to act on the medical devices on our networks. If, for example, this APT was able to steal Microsoft source code, we should be preparing for a critical, out-of-cycle OS patch release in the coming months.
It is hard to imagine that one group of individuals could cause so much harm, not only to our medical devices but to our nation. It is also another reminder that cyber warfare will continue to dominate headlines for the foreseeable future, and that we, as HTM professionals, must exercise due diligence and due care when deploying anything on our networks. Keep following the impacts of this compromise, from incident debriefs to company statements, because it truly affects all of us.
References
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://www.abc.net.au/news/2020-12-30/sunburst-cyber-hack-solarwinds-software-cybersecurity-expert/13021104
https://www.zdnet.com/article/partial-lists-of-organizations-infected-with-sunburst-malware-released-online/
https://www.washingtonpost.com/national-security/dhs-is-third-federal-agency-hacked-in-major-russian-cyberespionage-campaign/2020/12/14/41f8fc98-3e3c-11eb-8bc0-ae155bee4aff_story.html
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
Connor Walsh, CISSP, is a supervisory clinical engineer for the VA Boston Healthcare System.
The views expressed here are those of the author and do not necessarily represent or reflect the views of TechNation or MD Publishing.