A months-long hacking campaign, believed to have been carried out by a foreign government to infiltrate several U.S. government agencies, proved to be one of the most sophisticated attacks the world has seen. But how did it happen?
In December 2020, security firm FireEye and Microsoft announced that as many as 18,000 organizations, including the U.S. Treasury Department and the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), had been hacked. These organizations were compromised with Sunburst (also known as Solorigate) malware delivered through SolarWinds’ Orion network management software. The attack took months, starting with small tests such as integrating minor changes into SolarWinds’ code, and it exploited the trust SolarWinds had built with its customers through software updates. This, combined with loopholes in the supply chain, easy access through SSOs, and the bypassing of MFA systems, allowed attackers to methodically implant malware without setting off alarms.
Cybersecurity professionals were left in the dark as this unfolded. Looking at how this could have been prevented, three distinct vulnerabilities stand out.
Leveraging the supply chain
Attackers gained access to the SolarWinds development process and injected malware into the product, which gave them access to core networks and the ability to launch multiple follow-on attacks. When SolarWinds customers received notifications of a software update sent by the company, they trusted it, and installing it handed the attackers access to thousands of systems. As soon as the infected software was launched, a Command and Control (C2) channel was quickly established and became the launch pad for further attacks.
Early on, FireEye discovered suspicious activity within their own network following the “SolarWinds” update, sparking an internal investigation and mitigation effort to identify multiple points of compromise.
Taking advantage of single sign-on systems
Several organizations that were compromised used a single sign-on (SSO) system as their main form of protection for company resources. These systems allow organizations to protect many systems with one username and password. Microsoft sums it up nicely:
“Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate.”
“Anomalous logins using the SAML tokens can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate.”
This exposure (often referred to as “Golden SAML”) demonstrates the balance cybersecurity professionals must weigh between security and convenience. SSO systems make users’ lives easier by not forcing them to authenticate to the systems “behind” the SSO front door. Still, they move away from Zero Trust, a principle coined by Forrester and being adopted by organizations globally.
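The Microsoft quote above makes the defender's problem concrete: once every downstream system trusts the token signing certificate, a forged assertion looks exactly like a legitimate one to the relying party, so the signature check alone cannot catch it. What the relying party can do is refuse to treat "validly signed" as "issued": the identity provider's own issuance log is the one place a forged token never appears. The following is an added detection example, not code from the original article or from any vendor; the event field names, the sample log entries and the one-hour lifetime policy are all constructed for illustration and are not any product's real schema.

```python
"""
Correlate identity-provider (IdP) assertion issuance events with the sign-in
events recorded by a service provider (SP) that trusts the IdP's signing
certificate. A token the SP accepted but the IdP never issued, a token with a
validity window far beyond policy, or a genuine token replayed after it
expired are all flagged.

Added example: field names and sample events are constructed assumptions.
"""
from datetime import datetime, timedelta

# Policy value assumed for this example: assertions should live at most one hour.
MAX_ASSERTION_LIFETIME = timedelta(hours=1)

# Constructed IdP issuance log (what the identity provider itself recorded).
IDP_ISSUANCE_EVENTS = [
    {"assertion_id": "_a1", "subject": "alice@example.test", "issued_at": "2020-12-13T09:00:00"},
    {"assertion_id": "_a2", "subject": "bob@example.test",   "issued_at": "2020-12-13T09:05:00"},
]

# Constructed SP sign-in log (what the relying party saw and accepted).
SP_SIGNIN_EVENTS = [
    {"assertion_id": "_a1", "subject": "alice@example.test", "seen_at": "2020-12-13T09:00:30",
     "not_before": "2020-12-13T09:00:00", "not_on_or_after": "2020-12-13T10:00:00"},
    {"assertion_id": "_a2", "subject": "bob@example.test", "seen_at": "2020-12-13T09:06:00",
     "not_before": "2020-12-13T09:05:00", "not_on_or_after": "2020-12-13T10:05:00"},
    # Accepted by the SP, never issued by the IdP, and valid for a full day.
    {"assertion_id": "_f9", "subject": "svc-globaladmin@example.test", "seen_at": "2020-12-13T09:10:00",
     "not_before": "2020-12-13T09:00:00", "not_on_or_after": "2020-12-14T09:00:00"},
    # Genuine assertion presented again after its validity window closed.
    {"assertion_id": "_a1", "subject": "alice@example.test", "seen_at": "2020-12-13T11:30:00",
     "not_before": "2020-12-13T09:00:00", "not_on_or_after": "2020-12-13T10:00:00"},
]


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed logs."""
    return datetime.fromisoformat(value)


def audit_signins(idp_events, sp_events, max_lifetime=MAX_ASSERTION_LIFETIME):
    """Return one finding per SP sign-in that the IdP log cannot vouch for."""
    issued = {e["assertion_id"]: e for e in idp_events}
    findings = []
    for ev in sp_events:
        reasons = []
        source = issued.get(ev["assertion_id"])
        if source is None:
            reasons.append("no matching issuance event at the identity provider")
        elif source["subject"] != ev["subject"]:
            reasons.append("subject differs from the one the identity provider issued")

        not_before = _ts(ev["not_before"])
        not_on_or_after = _ts(ev["not_on_or_after"])
        seen_at = _ts(ev["seen_at"])
        if not_on_or_after - not_before > max_lifetime:
            reasons.append("validity window exceeds policy")
        if not (not_before <= seen_at < not_on_or_after):
            reasons.append("used outside its validity window")

        if reasons:
            findings.append({"assertion_id": ev["assertion_id"],
                             "subject": ev["subject"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_signins(IDP_ISSUANCE_EVENTS, SP_SIGNIN_EVENTS):
        print(finding["assertion_id"], finding["subject"], "; ".join(finding["reasons"]))
```

Run against the constructed logs, the audit reports two of the four sign-ins: the `_f9` assertion for the admin account (no issuance record and a 24-hour validity window) and the replay of `_a1` after it expired. The design point is that the correlation key lives on the identity provider, outside the reach of anyone who only holds the signing certificate; a relying party that keeps a copy of the IdP issuance log, or queries it, gets a signal that signature validation by itself can never provide.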
Exposing traditional multifactor authentication systems
Around the time the SolarWinds attack was discovered, FireEye noticed that hackers had gained access to the organization’s email servers with a username and password and had bypassed its multifactor authentication (MFA) system.
FireEye shouldn’t have relied on just the MFA system to protect their email servers, but rather required proof of the user with biometrics.
Hope is not a strategy
As these three key vulnerabilities show, the organizations involved in the SolarWinds attack now know that hope is not a good strategy for security: hope that no one outside the business knows the username and password to the email server, hope that employees will notice the difference between a legitimate software update and a malware attempt, and hope that technology will know the difference between the white hats and the black hats.
If attackers had to prove their identity via identity-based authentication before modifying code or accessing sensitive information, they wouldn’t have gotten very far. In the case of the SolarWinds attack, the reliance on traditional MFA, token-based secrets, and SSO systems meant that their security teams were simply hoping that they wouldn’t be exploited.
Having cryptographic and biometric controls in place will set up a proper strategy to mitigate this kind of attack in the future. Until then, organizations that fail to ramp up their security will inevitably face more attacks like this one.