As we continue uncovering information about the recent SolarWinds attack involving the U.S. federal government and many large corporations, it’s clear this has the potential to be the most impactful data breach of all time. IT professionals across the country are working to understand the full extent of the breach, and it’s likely we will continue to see ramifications of recent events for years to come.
Breaking Down the SolarWinds Attacks
Earlier this month, FireEye, a premier cybersecurity firm, reported that it was the victim of a cyberattack. Among its IT and cybersecurity services, FireEye performs red team exercises and penetration testing to identify network weaknesses, and in this breach the attackers stole the custom tools FireEye uses for that work. Those tools are now in the hands of bad actors.
Soon after the news of the FireEye breach, it came to light that at least two government agencies had been hacked, and the intrusions were traced not to a vulnerability in the usual sense but to a trojanized software update from SolarWinds, a network management vendor whose customer list includes many government entities and Fortune 500 companies.
Beginning as early as March 2020, the attackers compromised the build process of the SolarWinds Orion platform, an IT performance monitoring system, and inserted a backdoor into Orion software updates. Because the tampered updates were signed with SolarWinds' legitimate code-signing certificate and delivered through the normal update channel, the malicious code went undetected for months. In this supply chain attack, compromised versions of the software were downloaded by fewer than 18,000 Orion customers.
Orion is a monitoring platform that typically holds privileged credentials for the servers and network devices it manages, so the bad actors inherited more control and broader network access than a typical breach would give them. Wreaking further havoc, the hackers pivoted to other devices and machines in compromised networks and installed additional backdoors to permit future access that does not depend on Orion.
Once compromised, the Orion installations reportedly reached out to subdomains of avsvmcloud.com for command and control, a domain that Microsoft and its partners have since seized. The seized domain now acts as a "kill switch": when the backdoor resolves it, the response causes the implant to deactivate, so there is reasonable assurance that new Orion check-ins will not lead to further compromise. That does not mean affected organizations are out of the woods. According to FireEye, "This kill switch will not remove the actor from victim networks where they have established other backdoors."
Even though the full scale of this attack remains to be seen, it is likely that the FireEye breach is related to the SolarWinds attack. Among other factors, the sophistication of this attack indicates that the perpetrator was a nation-state. Not your average hackers, those involved in this breach were highly skilled and carefully chose their targets for reasons that largely remain unknown, though espionage is the expected purpose.
How Should Your Financial Institution Respond?
In light of these attacks, your financial institution should remain vigilant, especially as more information is discovered about their significance. Consider the following steps as you ensure the integrity of your network and determine the level of risk to your institution.
- Determine Whether Compromise Occurred
If your financial institution is running the Orion platform from SolarWinds, disconnect the system from your network until you understand whether any compromise occurred. Disconnect rather than simply power it down, and preserve a disk image and the system's logs before you change anything, because those artifacts are what a forensic investigation will rely on. If your institution installed one of the affected Orion builds, it is imperative that you follow the guidelines set forth by SolarWinds and by CISA, the Department of Homeland Security's cybersecurity agency, whose Emergency Directive 21-01 lays out the forensics steps for identifying further indicators of compromise, including DNS lookups of avsvmcloud.com from the Orion host. Only if an investigation shows no evidence of a successful compromise, and the system has been updated to a version SolarWinds has confirmed as clean, should you consider adding Orion back on your network.
- Partner with Professionals
If your institution has any indication that your network was compromised, consult with a data forensics firm to determine the depth of the compromise. It is common for hackers to plant footholds or backdoors in a network that allow them to return later, and your institution must be confident that no such opportunities exist in your network. Using a risk-based approach and partnering with professionals will empower your institution to determine an appropriate response, which could include rebuilding critical systems, rotating every credential Orion held (service accounts, SNMP community strings, and device passwords) as well as user passwords, and implementing other controls.
- Understand the Security Position of Vendors
Determine whether any of your vendors, especially vendors providing your institution with software or with access to your network, are running the Orion platform and whether they are responding appropriately to this breach. Moving forward, consider implementing a robust vendor management program so that you can assess third-party risk continuously and avoid unqualified vendors.
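The first step above, determining whether compromise occurred, comes down to two concrete checks an institution can run before the forensics firm arrives: did the Orion host resolve the avsvmcloud.com command-and-control domain named earlier, and is the installed Orion build one of those SolarWinds reported as carrying the backdoor? The script below is an added example, not code from CSI, SolarWinds or FireEye. The DNS log lines are constructed for the demonstration, the log format (timestamp, client, queried name) is an assumption about your resolver's export, and the affected-build list should be verified against SolarWinds' current advisory rather than trusted from this page.

```python
"""Added triage example (not CSI's, SolarWinds' or FireEye's code).

Check 1: scan a DNS query log for lookups of avsvmcloud.com or any subdomain.
Check 2: compare an Orion build string against the builds SolarWinds reported
         as affected. Verify AFFECTED_BUILDS against the vendor's advisory.
"""
import re

C2_DOMAIN = "avsvmcloud.com"

# Orion Platform builds SolarWinds listed as shipping the trojanized update.
# Assumed from the vendor advisory at time of writing; confirm before relying on it.
AFFECTED_BUILDS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Constructed sample log, one query per line: "<timestamp> <client> <queried name>".
# The first labels of the avsvmcloud.com names are made up for the demo.
SAMPLE_DNS_LOG = """\
2020-12-14T02:11:09Z 10.20.30.40 downloads.solarwinds.com
2020-12-14T02:11:31Z 10.20.30.40 k5kcubuassl3alrf7gm3.appsync-api.eu-west-1.avsvmcloud.com
2020-12-14T02:12:05Z 10.20.30.41 login.microsoftonline.com
2020-12-14T02:13:44Z 10.20.30.40 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-12-14T02:14:02Z 10.20.30.42 avsvmcloud.com.example.net
2020-12-14T02:15:17Z 10.20.30.43 AVSVMCLOUD.COM.
"""


def is_c2_lookup(qname: str, c2_domain: str = C2_DOMAIN) -> bool:
    """True when qname is the C2 domain itself or any subdomain of it.

    The comparison is label-aware, so a lookalike such as
    avsvmcloud.com.example.net is not flagged. Case and a trailing dot
    (common in resolver logs) are ignored.
    """
    name = qname.lower().rstrip(".")
    return name == c2_domain or name.endswith("." + c2_domain)


def find_c2_lookups(log_text: str):
    """Return (timestamp, client, qname) for every line that queried the C2 domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the triage
        ts, client, qname = parts
        if is_c2_lookup(qname):
            hits.append((ts, client, qname))
    return hits


def hosts_to_isolate(log_text: str):
    """Distinct clients that resolved the C2 domain, in first-seen order."""
    seen = []
    for _, client, _ in find_c2_lookups(log_text):
        if client not in seen:
            seen.append(client)
    return seen


# Accepts forms such as "2020.2", "2020.2.1 HF 2", "2019.4 hf5".
_VERSION_RE = re.compile(r"^\s*(\d{4}\.\d+(?:\.\d+)?)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def normalize_build(version: str) -> str:
    """Canonicalise an Orion build string, e.g. '2020.2 hf1' -> '2020.2 HF 1'."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Orion build string: {version!r}")
    base, hotfix = m.groups()
    return f"{base} HF {hotfix}" if hotfix else base


def build_is_affected(version: str) -> bool:
    """True when the normalised build is on the affected list."""
    return normalize_build(version) in AFFECTED_BUILDS


if __name__ == "__main__":
    for ts, client, qname in find_c2_lookups(SAMPLE_DNS_LOG):
        print(f"C2 lookup  {ts}  {client}  {qname}")
    print("isolate these hosts:", hosts_to_isolate(SAMPLE_DNS_LOG))
    for v in ("2020.2 HF1", "2020.2.1 HF 2", "2019.4 hf 5"):
        status = "AFFECTED" if build_is_affected(v) else "not on affected list"
        print(f"{v:>14}: {status}")
```

A hit from the DNS check is a strong indicator and the host should be isolated and imaged, but an empty result is not proof of safety: if the attacker moved on to other backdoors, the Orion beacon may have stopped long before your log retention window began. The build check only tells you whether the trojanized code was installed, not whether the actor used it, which is why the investigation step still matters.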
Preventing Future Breaches
Even if your financial institution does not rely on software from SolarWinds, you should review the red team tools that were stolen in the likely related FireEye breach. It is critical that your institution ensure these valuable tools, now presumably in the hands of a foreign nation-state, are not used against you. FireEye has published detection countermeasures and remediation advice for the stolen tools, and your institution should load those signatures into its detection tooling and take full advantage of the guidance to secure your network.
Reminder: Revisit Your Security Controls
Both breaches serve as a powerful reminder of the importance of proper security controls throughout networks, including principles such as need-to-know and least privilege. When a system is breached, an attacker can initially reach only what that system is able to access, so a monitoring tool that holds administrative credentials for everything it watches hands the attacker far more than one scoped to the minimum it needs. By revisiting your cybersecurity framework, practicing good cyber hygiene and tightening your control structure, your institution can improve its preparedness for future breaches.
For more information on best practices to secure your network and defend against cyber threats, contact CSI Managed Services.
Steve Sanders is vice president of Internal Audit for CSI. In his role, he oversees the evaluation and mitigation of risks associated with IT, financial and operational systems. Steve is a CISA, CRISC, CRMA, and CTGA, and he speaks regularly on information security, cybersecurity, IT and IT audit topics.