It's been less than four weeks since the cybersecurity company FireEye reported that a cyber-attacker had compromised the SolarWinds IT software management company's Orion network monitoring products. Unfortunately, the scope of the incident continues to grow in frightening fashion.
A day after the FireEye revelation, SolarWinds reported to the Securities and Exchange Commission that the supply chain attack, in which a backdoor was inserted into the Orion software itself and delivered to customers through the product's own update channel, "could potentially allow an attacker to compromise the server on which the Orion products run." The company pegged the number of its customers that could be vulnerable at "fewer than 18,000." There have been reports almost every day documenting the dramatically expanding scale of the attack, which so far is known to have affected numerous federal agencies as well as business customers large and small.
In a joint statement issued last week, federal security and intelligence agencies that stood up a Cyber Unified Coordination Group task force stated what had been widely assumed: that the culprit is "likely Russian in origin" and engaged in intelligence gathering. It's therefore logical to deduce that the compromised information, which includes financial records, user IDs, passwords and software source code, is now being examined by Russian intelligence organizations. This should bring back memories of the Office of Personnel Management data breach in June 2015, when the records of more than 22 million federal workers were stolen.
There haven't been any specific reports of state or local government entities being impacted, but the Multi-State Information Sharing and Analysis Center has issued several advisories with recommendations for state and local government organizations. I've had several conversations with people over the past two weeks who reported that their state and local government security teams immediately began investigating to determine if they were using SolarWinds software, if they had the specific Orion application that was compromised, and if any of the published indicators of compromise applied to their networks.
One of the more ironic conversations I've had with multiple organizations is about how their lack of an effective patch management program may have saved them. Because they were several releases behind on updates, they had never installed the trojanized Orion versions that would have made them casualties of this incident. It's good news they weren't victims, but sad news that their security programs were so impotent that they were months behind on updating their SolarWinds applications. Falling behind on updates is not a defense; it simply means the next unpatched vulnerability, or the next compromised update, gets them instead.
If your agency might have been one of those "less than 18,000" victims, your security team is undoubtedly working 24/7 to answer those three questions and recover from the incident. The general consensus in the security community is that these recovery efforts will be ongoing for months for three primary reasons:
• Very few organizations have enough qualified cybersecurity staff to effectively address all of these issues in a rapid manner. It's one thing to close the front door on the bad guys; it's a completely different and much more difficult task to identify backdoors and determine the full extent of the damage.
• Organizations no longer know what parts of their network infrastructure they can trust, so how can they be sure that they don't have any fake user or administrative accounts? A growing number of security professionals are advocating that government networks need to be "burned to the ground" and then completely rebuilt. This is a mind-bogglingly difficult and expensive solution, but one that some organizations may need to resort to if they feel they can't regain trust in their environment any other way.
• Organizations need to immediately begin communicating with all of their suppliers to determine if they were a vector for compromise.
If your agency wasn't one of the victims, you can thank your lucky stars, but it's certainly no time for gloating. Since this was a supply chain attack, what makes it more insidious than most cyberattacks is that your networks, systems or applications may have been infiltrated by someone or some organization you trust and have implicitly given access to. By targeting products from a widely used and trusted vendor, supplier or other third party, attackers can greatly expand their pool of potential victims with very little additional effort.
The question everyone should be asking themselves now is, "OK, what other vendors/suppliers/third parties have we granted access to whose security posture we don't really know?" This kind of supply chain attack is both subtle and deceitful and creates significant trust issues between customers and their vendors.
State and local government information security officers who breathe a sigh of relief just because they may not have been impacted by the incident are simply not paying attention to the bigger supply chain picture. Even if you happen to be one of the fortunate organizations that wasn't using SolarWinds' Orion technology, you should be reviewing all of your third-party contracts and arrangements to see what security requirements they should be living up to and, if they are deficient, begin renegotiating immediately.
There have been many advisories and alerts posted with tactical recommendations for hunting, monitoring and mitigating this attack, but I think the following three have significant strategic value:
• Review and verify all regular, guest, system, privileged and admin user accounts.
• Review all technical indicators of compromise. As just one example, the Cybersecurity and Infrastructure Security Agency has provided guidance on detecting post-compromise activity in organizations that integrate the Microsoft 365 productivity suite with Azure Active Directory.
• Review all vendor/supplier/third-party contracts to ensure that you have identified specific security control requirements.
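The account review in the first recommendation is the one piece of this that a small security team can start on today. The following is an added example, not code from the column or from any agency it mentions: it compares a baseline export of accounts (taken before the compromise window) with a current export and flags the changes an intruder who planted fake or elevated accounts would leave behind. The CSV columns, group names and the two inventories are constructed for illustration; a real review would export the same fields from Active Directory or the identity provider.

```python
"""Baseline-versus-current account review (added example, constructed data)."""
import csv
import io
from dataclasses import dataclass

# Groups whose membership counts as privileged. Assumed names for the example;
# substitute the tenant's own admin roles and groups.
PRIVILEGED_GROUPS = frozenset({"Domain Admins", "Enterprise Admins", "Administrators"})


@dataclass(frozen=True)
class Account:
    name: str
    kind: str            # regular, guest, system or service
    groups: frozenset    # group memberships
    enabled: bool


def parse_inventory(text: str) -> list[Account]:
    """Parse a CSV export with columns name,kind,groups,enabled (groups ';'-separated)."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [
        Account(
            name=r["name"].strip(),
            kind=r["kind"].strip().lower(),
            groups=frozenset(g.strip() for g in r["groups"].split(";") if g.strip()),
            enabled=r["enabled"].strip() == "1",
        )
        for r in rows
    ]


def review(baseline: list[Account], current: list[Account]) -> dict[str, list[str]]:
    """Return {account name: [reasons]} for every account that needs a human look."""
    base = {a.name: a for a in baseline}
    seen = {a.name for a in current}
    findings: dict[str, list[str]] = {}

    def flag(name: str, reason: str) -> None:
        findings.setdefault(name, []).append(reason)

    for acct in current:
        privileged = acct.groups & PRIVILEGED_GROUPS
        prev = base.get(acct.name)
        if prev is None:
            # Anything not in the baseline is suspect until an owner claims it.
            flag(acct.name, "not in baseline")
            if privileged:
                flag(acct.name, "new account holds " + ", ".join(sorted(privileged)))
        else:
            gained = privileged - prev.groups
            if gained:
                flag(acct.name, "gained " + ", ".join(sorted(gained)))
            if acct.enabled and not prev.enabled:
                flag(acct.name, "re-enabled")
        if acct.kind == "guest" and acct.enabled:
            flag(acct.name, "enabled guest account")

    # Accounts that vanished may have been deleted to cover tracks; list them too.
    for name in base:
        if name not in seen:
            flag(name, "missing from current export")
    return findings


# Constructed sample exports: the "current" one contains three planted changes.
BASELINE_CSV = """name,kind,groups,enabled
jsmith,regular,Domain Users,1
svc-orion,service,Domain Users;Orion Admins,1
Guest,guest,Guests,0
backupadmin,system,Domain Users;Backup Operators,1
"""

CURRENT_CSV = """name,kind,groups,enabled
jsmith,regular,Domain Users,1
svc-orion,service,Domain Users;Orion Admins;Domain Admins,1
Guest,guest,Guests,1
backupadmin,system,Domain Users;Backup Operators,1
svc-monitor,service,Domain Users;Domain Admins,1
"""

FINDINGS = review(parse_inventory(BASELINE_CSV), parse_inventory(CURRENT_CSV))

if __name__ == "__main__":
    for name, reasons in sorted(FINDINGS.items()):
        print(f"{name}: {'; '.join(reasons)}")
```

On the constructed data the script flags the service account that quietly joined Domain Admins, the guest account that was switched back on, and a brand-new privileged service account, while leaving the unchanged accounts alone. The baseline has to predate the compromise window for this to mean anything, which is why a trustworthy, regularly archived account export is worth keeping before an incident rather than after.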
Steps like those are crucial, but they are just a start. We are at the beginning of a very long recovery journey.
Governing's opinion columns reflect the views of their authors and not necessarily those of Governing's editors or management.