Historical Hacks: SolarWinds

27 May 2024

Unpacking the Breach that Rocked the World.

If you aren’t a medium member, you can read with no paywall via substack

As we’ve started to look at some historical incidents that have helped shape the modern cybersecurity landscape, there have been some interesting patterns that have been noticeable. Some attacks, are low-level, perpetuated by hobbyists or as cyber “experiments”.

Others, like Stuxnet, were elaborate, complex attacks that were designed to target state actors.

In today’s article, we’ll take a look at one of these state-based attacks to study its effectiveness and its impact on the internet at large. It’s known for its duration, and its overall effect on privacy and is especially noteworthy for the vast array of victims that it affected, one of which was the United States Government. At the time, it was also one of the worst attacks perpetuated by an advanced persistent threat (APT) group.

The Background

While the breach was originally detected in December 2020, it was believed that the original entry occurred much earlier, in 2019. Failing to detect the intruders meant that persistence was gained and over time, malware was placed in a large number of systems.

Leveraging exploits within specific software packages, by the time the hack was detected in 2020, it was believed that over 200 critical organisations had been affected at various levels worldwide. Some of the departments affected included the US Treasury, the US Department of Commerce and even the US Department of Defense.

Prior to the attack, it was reported that SolarWinds had gained attention for several vulnerabilities within its software, and despite more than a few experts voicing concern over these security issues, at the time of the hack occurring it was believed that most of these vulnerabilities were not adequately patched.

Indeed some aspects of security at SolarWinds were stretched so thinly that at the time of the incident, they reportedly didn’t have a Senior Director of Cybersecurity or a Chief of Information Security. While we’ve talked previously about the importance of pre-planned incident response strategies in cyber, it’s reasonable to assume that these vacancies hampered the initial incident response strategies and made containing the breach much more difficult.

It’s also worth mentioning that for most attacks, direct infection was the most effective way of causing damage and incurring both inconvenience and financial loss. However, this scenario was also pretty noteworthy for its impact on machines that weren’t infected. Despite the lack of an infection, machines still needed to be checked, patched and cleared before they could be safely put back online. This caused a large outlay in labour hours as each computer was put through the process individually. A huge job considering the size of some of the affected networks.

Attack Vector

While the original vulnerability had been noticed and reported by cyber threat agency FireEye, it didn’t take long after hitting the mainstream before cyber analysts and incident responders started to focus their attention on the issues at hand.

And, it didn’t take too much study to realise that this attack was incredibly serious, for a number of reasons.

Firstly, the actual methodology used in the attack was vast and complex. Not only did it leverage several different versions of software like Microsoft Office and SolarWinds own software, but it also pushed malware and infected software versions to users by exploiting the Solarwinds Certificate Authority. In English, what this means is that the hackers were able to present infected software as valid, safe and free of malware when the reality is that it was anything but.

This certificate also meant that when an antivirus would check the package for issues, the software would present this “signed” certificate to prove legitimacy. At this point, most anti-virus systems would simply ignore it.

Exploiting certificate authority was both ingenious and effective. Source: Wikipedia.

However, it wasn’t just this that helped the exploits to prosper, as shortly after the breach in December 2020, it was reported that SolarWinds had recommended that some clients disable their antivirus packages in an attempt to make installing the software trouble-free. The electronic equivalent of opening the door and placing a “Please Enter” sign at the front of your house.

The last note-worthy issue that was raised by analysts was the Security used by SolarWinds themselves. During the investigative phase, an FTP server was breached by using the very weak password of “solarwinds123” and when breached it was shown that malicious updates could easily be pushed to users, giving the original attacker yet another threat vector to move on.

Lasting Effects & Fallout

While most attacks can be pretty controversial due to the damage they cause and overall inconvenience to the community, SolarWinds was different due to it being perpetuated by state-based actors. While it took some time to come out, the attack was allegedly linked to the Russian Backed “Beserk Bear” threat group.

The attack would eventually be linked to a Russia-backed advanced persistent threat group. Source: Wikipedia

This meant that not only did the attack make headlines worldwide, but it also meant that it gained the attention of politicians, threat analysts and agency directors the world over with some of these people directly attributing the attacks as being conducted at the demand of the Russian government.

Indeed while US President Trump attempted to deflect blame toward China, United States Secretary of State Mike Pompeo made no such accusations, laying the blame squarely at the feet of the Russian Government.

This would eventually be followed by statements from the US National Security Agency, and the Federal Bureau of Investigations, who named the Russian SVR intelligence agency as the one in control of the operation.

The problem with assessing the hack though revolved around the number of infected machines and a lack of overall clarity about exactly what type of data was stolen as well as how much. This has been such a complex issue that as of 2022 investigators were still analysing data and releasing further information about the ongoing fallout from the breach.

The Broken Trust

It’s fair to say that so much damage was done during this one incident that in many ways it changed the relationship between businesses and software providers permanently.
With almost every Fortune 500 company being affected by the hack in some way shape or form, the fallout from this was dramatic and long-lasting.

While cybersecurity has often been the forgotten component of running a business, being the last to receive funds or even priority, this attack was a key part of shifting the mindset and looking at ways that companies and commercial entities were able to correctly manage their internet-facing assets and infrastructure.

And, while cybersecurity can often still face many of these same challenges in today’s world, many of us find it far easier to implement new policies, protect equipment and safeguard users within a network. A net positive overall, wouldn’t you say?

Medium has recently made some algorithm changes to improve the discoverability of articles like this one. These changes are designed to ensure that high-quality content reaches a wider audience, and your engagement plays a crucial role in making that happen.

If you found this article insightful, informative, or entertaining, we kindly encourage you to show your support. Clapping for this article not only lets the author know that their work is appreciated but also helps boost its visibility to others who might benefit from it.

🌟 Enjoyed this article? Support our work and join the community! 🌟
💙 Support me on Ko-fi: Investigator515
📢 Join our OSINT Telegram channel for exclusive updates or
📢 Follow our crypto Telegram for the latest giveaways
🐦 Follow us on Twitter and
🟦 We’re now on Bluesky!
🔗 Articles we think you’ll like:

  1. Software Defined Radio & Radio Hacking Pt 1
  2. OSINT Investigators Guide to Self Care & Resilience

✉️ Want more content like this? Sign up for email updates

Join our Crypto focused Telegram Channel!


Enjoy this blog? Subscribe to Investigator515


No comments yet.
Most relevant comments are displayed, so some may have been filtered out.