
A year after the SolarWinds hack, supply chain threats are still looming


A year ago today, the security company FireEye made an announcement that was both surprising and alarming. Sophisticated hackers had stealthily sneaked into the company's network, carefully tailoring their attack to evade its defenses. It was the first thread in what is now called the SolarWinds hack, a Russian espionage campaign that resulted in the compromise of countless victims.

To say the SolarWinds attack was a wake-up call would be an understatement. It showed how vast the fallout can be from so-called supply chain attacks, in which attackers compromise widely used software at the source and, in turn, gain the ability to infect anyone who uses it. In this case, that meant Russian intelligence had the ability to reach up to 18,000 SolarWinds customers. In the end, they broke into fewer than 100 select networks, including those of Fortune 500 companies like Microsoft and of the US Department of Justice, Department of State and NASA.

Supply chain attacks are not new. But the severity of the SolarWinds crisis raised awareness dramatically, setting off a year of massive investment in security innovations across the tech industry and the US government.

“If I don’t get the call on December 12, I’ll consider it a success,” said SolarWinds President and CEO Sudhakar Ramakrishna. On that day a year ago, SolarWinds itself learned that Orion, its IT management tool, was the source of the FireEye intrusion, and of what would eventually become dozens of others. Ramakrishna had not yet joined SolarWinds at that point, but he was expected to join on January 4, 2021.

While this week marks the one-year anniversary of the discoveries around the SolarWinds hack, the incident actually dates back to March 2020. Russia's APT 29 hackers, also known as Cozy Bear, UNC2452 and Nobelium, spent months laying the groundwork. But that very dissonance illustrates the nature of threats in the software supply chain. The hardest part of the job comes up front. If the staging is successful, attackers can flip a switch and gain access to multiple victim networks at once, all using trusted software that appears legitimate.

Across the security industry, practitioners tell WIRED that the SolarWinds hack, also known as the Sunburst hack after the backdoor malware distributed through Orion, has meaningfully expanded understanding of the need for transparency and insight into the origin and integrity of software. There were certainly other impactful software supply chain attacks prior to December 2020, like the compromise of the computer cleaning tool CCleaner and Russia's notorious distribution of the destructive NotPetya malware through the Ukrainian accounting software MEDoc. But for the US government and the tech industry, the SolarWinds campaign hit particularly close to home.

“It was definitely a watershed moment,” said Eric Brewer, Vice President of Cloud Infrastructure at Google. “Before I explain to everyone that this industry has a challenge here, we need to deal with it. And I think there’s some insight, but it’s not very prioritized. Attacks that people haven’t seen directly are just abstractions. But after SolarWinds, that message resonated in a different way.”

That awareness has also begun to translate into action, including building the software equivalent of component lists and ways to better monitor code. But it is slow work; supply chain problems require as many solutions as there are types of software development.
