The SolarWinds Hack: What Happens Now
The SolarWinds security breach was massive. More than 18,000 companies and government agencies were infected with a Trojan horse that installed a digitally signed backdoor into their network.
While investigating their own hack, cybersecurity company FireEye discovered a single line of code in a SolarWinds update that was "trojanizing SolarWinds Orion business software updates". That was December 13, 2020. FireEye estimates hackers first gained access in March 2020. For nearly eight months, malicious actors carted away untold amounts of sensitive data from infected organizations — and the full scope of the breach is still unfolding.
Despite Microsoft seizing the code's command and control server (a common element in botnet attacks as well), some security experts think the attackers may still have access to the SolarWinds Orion software framework. Others are speculating that these hackers left behind additional, yet-to-be-seen malicious code.
By scale and impact, the SolarWinds may go down as one of the biggest data breaches in history. Its effects will be long-lasting and the affected companies are still trying to figure out what happened — and how to fix it. But first, let's dive into how exactly the attack worked.
How the SolarWinds Attack Worked
The SolarWinds attack was a supply chain attack, which is also known as a third-party attack. Rather than attack thousands of companies, hackers targeted the IT management software that hundreds of thousands of companies used. In Spring 2020, those 18,000 organizations received an update that contained that piece of malicious code.
Here's a full explanation of the SolarWinds hack from CBT Nuggets trainer Keith Barker:
As Keith explains, the SolarWinds breach was a supply chain attack, which isn't a new type of threat. Security vulnerabilities in third-party vendors were likely responsible for the 2018 Equifax breach and 2014 Target breach. And recently the DoD implemented the Cybersecurity Maturity Model Certification (CMMC) to protect against attacks of this nature.
To explain what companies are probably doing to clean up after this attack and detect new attacks, CBT Nuggets trainer and security expert Bob Salmans describes the stages of a classic APT attack.
6 Stages of APT Attacks (and How to Detect Them)
Advanced Persistent Threats (APTs) are like evil cyber ninjas. They are highly skilled, well-funded groups of hackers who are hired — either by groups or even countries — to steal data. This data could be defense industry-related data such as missile defense systems and the next super-elite fighter jet, medical breakthrough data such as a vaccine for COVID-19, or even the Colonel's secret recipe.
The key with APTs is that they are well funded, so they have the resources to hire the best people and afford the best tools. I liken them to evil cyber ninjas not only because of their skill level but also that they are quiet and cunning. They often go unnoticed for months or even years within a compromised environment — like what happened here in the SolarWinds attacks.
While APTs may be swift, talented, and very dangerous, they also often follow a similar pattern of attack, which helps organizations detect their entry and movements.
Stage 1: Target identification
The APTs sponsor will identify what type of data they want to obtain. At that point, it's up to the APT to determine which organizations may have this data, at which point they now have a list of targets. Of course, the APT sponsor may also provide a list of targets; it merely depends on the situation.
How to Detect Target Identification: If your organization has been targeted by an APT, one way to find this out might be to watch for domain names being purchased that are relatively close to your company's domain name. For example, if your company's domain name is widgets.com, a domain very close to that is wigets.com or widget.com. APTs will use these fraudulent domain names in phishing attacks. You can detect the registration of these fraudulent domains by subscribing to a domain fraud monitoring service that would alert you when domains that appear to be very close to yours are registered. At that point, you could block those domains in your email and web filtering solutions to help protect your organization from attacks where those domain names are used.
Stage 2: Initial access
Initial access is where the APT group will perform reconnaissance on their targets and work to gain an initial entry point, often by delivering malware through a phishing email. Of course, there are other ways to gain entry, but phishing has such a high success rate (compared to other options) that it's merely the path of least resistance.
How to Detect Initial Access: The best defense for stage two is security awareness and phishing training. End-users need to be able to identify a phishing email. Yes, APTs can create amazingly cunning phishing emails, but that's not an excuse to not provide appropriate security training. I'd also highly recommend performing phishing campaigns to test your internal staff and make sure they can spot phishing emails. Secondly, I'd highly recommend deploying an Endpoint Detection and Response (EDR) solution on computers. EDR's are like next-generation anti-virus and can help detect advanced malware by analyzing what they are doing once installed on a system.
Stage 3: Persistence
Once an APT has gained initial access, it's time to set up a permanent connection or foothold into the environment, and this is called persistence. Persistence gives the attackers an at-will connection into the environment, much like their own special door.
How to Detect Persistence: There are a couple of things you can do to detect persistence within an environment. One is to use a whitelisting approach to egress filtering on your network (filtering of outbound network traffic). When we use a whitelisting method, we block all outbound traffic flow and only permit what's necessary. This will restrict an attacker's ability to set up persistence and exfiltrate data. Notice I said it would restrict, not prevent an attacker's efforts. The next thing you'll want to implement is network threat hunting. Threat hunting is the process of capturing and analyzing network data looking for abnormal behaviors. Threat hunting can help us identify Command and Control (C2) activities used to coordinate persistent connections.
Stage 4: Exploration
During the exploration phase, the attackers will move laterally throughout the environment setting up additional backdoors and looking for the data they are hunting for. At this point, the attackers work to gain administrative-level access in the environment so they can move around more freely and identify who has access to the sensitive data they're looking for. Once the data of interest has been identified, they must work to gain access to that data by impersonating users or changing permissions. Changing permissions is probably the last resort as it could set off alarms, whereas user impersonation is something that would help the APT to maintain it's covertness.
How to Detect Exploration: As attackers move throughout the network looking for target data, we can use standard log analysis to help identify any changes they might make in an environment. These could be things like opening up firewall ports on a host, creating user accounts, changing group membership, user impersonation through the use of tokens, and many other telltale signs of an attacker being present. A Security Information and Event Management (SIEM) system can provide this type of log analysis and provide reporting and alerting to these events.
Stage 5: Exfiltration
Once all the target data has been identified, it's time to ship a copy of that data off to a destination of the APTs choosing. APTs most likely aren't going to simply copy a terabyte of data to a file server on the web somewhere because that may trigger an alarm, and they might be caught. The APT is going to use some type of encrypted covert data transmission channel to hide data transmission that's occurring. By using encrypted sessions to send the data out, APTs can avoid Data Loss Prevention (DLP) tools that identify and stop certain types of data from leaving an environment.
How to Detect Exfiltration: During the data exfiltration stage, we go back to our friend network threat hunting. Threat hunting can help alert us to abnormal amounts of data being sent out of our environments and help clue us into abnormal amounts of data over protocols that typically send very little data such as Domain Name Services (DNS). As part of threat hunting, we will want to analyze domain names being communicated with over the network. Attackers often use randomly generated domain names within their command and control setups. These stick out like a sore thumb when comparing domain name traffic within an organization.
Stage 6: Cleanup
Once the data has been successfully exfiltrated, the APT will clean up their tracks, which consists of deleting log data, any files that may have been copied onto the network (like a toolbox), and any other traces that they were ever there.
How to Detect Cleanup: During the cleanup stage, the SIEM we spoke of in stage 4 should notify us when system logs are erased, but by that time, well, it's a bit late to take any action to stop the attackers. It's time to start incident response procedures.
Will You Be Targeted by an APT Attack?
The SolarWinds attack shows that you don't have to be the primary target to be infiltrated. In many cases, the APT is only going to target organizations with the data they want, but supply chain attacks are buckshot rather than a laser beam. The attacker may never act on their access to your system, but that doesn't mean you haven't been infiltrated.
The key takeaway from this scenario: APTs use anyone they can to gain access to their target. So, yes, you may be at risk of being targeted by an APT — either directly or indirectly.
How to Prepare for an APT Attack Like SolarWinds
The best thing a small business can do to protect themselves from an APT is to hire a managed security provider to provide the necessary security services to you. These vendors can offer you SIEM software and threat hunting services — among many other benefits.
The key here is that you are paying for their team's experience and security expertise. For what you're spending on this vendor, you can't hire a person with the same experience and capabilities. Not to mention with their services, they cover the licensing costs for the products that you would have to pay for if you tried to perform these security services yourself.
I used to say the best preparation for an attack is end-user security training — and I'm still a massive advocate for it — but threat hunting is the best bang for the buck when it comes to hackers like the ones involved with the SolarWinds attack.
The SolarWinds attackers were moving around these environments looking for their target data. Once they're in your systems, you need to concentrate on detecting them, and that's where threat hunting shines.
Even though the SolarWinds attack was successful, these methods are good practices to prevent additional breaches. After all, there are still plenty of threat actors out there, looking for a weakness in your system.