The SolarWinds Orion ‘backdoor’ hack has affected numerous global organisations, including the US government - FireEye

The discovery of a supply chain attack that trojanised SolarWinds Orion business software updates has brought the vulnerability of the software supply chain into focus. The attack, assumed to be state-sponsored, was disclosed by cyber security firm FireEye on 13 December. The campaign is widespread, affecting public and private sector organisations around the world.

According to FireEye, which is tracking the actors behind the campaign, the compromise may have begun as early as spring 2020. The malicious code inserted into a SolarWinds Orion software update lay dormant for up to two weeks before retrieving and executing commands from the attackers, including the ability to transfer files, profile the system, reboot the machine and disable system services.

The hack was highly sophisticated and stealthy, notes FireEye, which itself fell victim. In an update, FireEye chief executive Kevin Mandia said only a limited amount of information could be shared because the attack is now the subject of an FBI investigation.

“Based on our analysis, we have now identified multiple organisations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organisations. Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign.”

“We have been in close coordination with SolarWinds, the Federal Bureau of Investigation, and other key partners. We believe it is critical to notify all our customers and the security community about this threat so organisations can take appropriate steps.”

Responding to news that US federal agencies have had their security breached by a major cyber attack, Darren Thomson, head of cyber security strategy for CyberCube, said:

“While it remains too early to fully assess the impact of this attack, both the FireEye and SolarWinds breaches are significant due to the strategic importance of their target – the machinery of the US government. 

“It looks like this attack could be linked to COVID-19 and the move to home working. The resultant changes to working patterns and behaviours have exposed many new attack vectors that were previously ignored by attackers. In this case, monitoring software allowing IT staff remote access to computers on corporate networks was hacked. It’s likely we’re going to see more of this kind of attack in 2021. 

“This type of software supply chain attack is on the rise. Between 2018 and 2020, we saw several examples of legitimate software update mechanisms being used to breach systems. Good examples were the attacks on BA and Ticketmaster in 2018. However, using software supply chains attacks to target a government is still relatively rare.” 

The attack exposes the vulnerability of the supply chain and the potential for a single compromise at source to cause significant problems for tens of thousands of enterprise customers, according to law firm Clyde & Co.

“The lack of clear information about the scope of the cyber attack creates issues for impacted third parties, who will find it hard to assess their exposure, update their customers, and manage the fallout of the incident,” says the law firm’s senior associate Sophie White.

“This year has already seen organisations fall foul of security breaches suffered by their third party providers,” she adds. “In May 2020, Blackbaud, a provider of software and cloud hosting services, had customer data stolen from its network with a threat for it to be published online.

“It was accompanied with an unsuccessful attempt to encrypt its network to block customers from their data and servers. While the ransomware attempt was prevented, Blackbaud announced that it paid a ransom to prevent public disclosure of the stolen customer data.”