What the SolarWinds Breach Revealed About Our Cybersecurity Vulnerability

The Issue:

The size and scale of the SolarWinds compromise that came to light at the end of 2020 is beyond any other cyber-espionage campaign that has been previously detected by the United States. Beyond impacting several major federal agencies and government offices, it also turned out to have been used to compromise systems at many private companies, including Microsoft and FireEye, which also relied on SolarWinds Orion tools for monitoring their networks. While the public and private sector victims of these intrusions work to repair their systems, they will also be forced to consider broader issues associated with the security of the providers that supply the software infrastructure underpinning government and private functions, as well as the lack of diversity that results in widespread dependence on products provided by a single company — and how to ensure that their third-party vendors do not introduce similar vulnerabilities to their systems in the future.

The breach highlights the challenge of ensuring the security of outside providers and the risk of extensive dependence on products from a single company.

The Facts:

• The massive breach of U.S. computer networks potentially dates back months and the extent of the organizations impacted is still evolving. In December 2020, a new compromise of United States federal government computer systems came to light when security experts discovered that several departments, including Treasury, State, Energy, and Commerce, among others, had been infiltrated via updates to the SolarWinds Orion software products. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) put out an emergency directive on December 13 instructing government offices to disconnect any systems running the Orion products, but the recovery and mitigation process is certain to be a lengthy one given how many high-value targets appear to have been infiltrated and how much access the intruders had to those targets’ systems.
• Preventing infiltration through a software supplier like SolarWinds is notoriously difficult. The SolarWinds compromise was introduced through malware attached to a software update published by SolarWinds. So when SolarWinds customers updated their Orion software, the update included malware that granted the intruders access to their systems. This is a case where a supplier or vendor for a company is compromised and is then used to target its customers in turn. These attacks are extremely difficult for organizations to protect against because they require significant insight into the security practices of their vendors, information which can be both time-consuming and difficult to collect.  
• The SolarWinds compromise has also been used to compromise other, additional products that significantly widened the scope of the attack. Through their compromise of companies like Microsoft and FireEye, the intruders have also been able to compromise other products provided by those companies to their customers, creating additional vulnerabilities. According to SolarWinds, the compromised code may have reached as many as 18,000 of their customers, but these figures don’t account for all the other customers of other vendors who may have been compromised through this intrusion. This demonstrates how quickly the risks associated with these types of attacks can scale and spread beyond even standard cyber-espionage campaigns.
• It will be a long time before we can assess the full scope and reach of this breach. Because of how long this malware was active before being detected, and how many customers were exposed to it both first- and second-hand, it will be months, if not years, before all the victims are able to identify that they have been compromised and remediate the intrusions into their systems. This is part of what makes dealing with these types of attacks so complicated—the process of tracking and tracing them is very involved and resource-intensive compared to infiltration techniques that focus on making use of one particular set of stolen credentials or an individual target.
• Many organizations do not do even the bare minimum necessary to begin securing their systems. Surveys suggest that many organizations do not take steps towards securing their software systems such as maintaining an inventory of all third-party vendors they rely on and regularly assessing those vendors’ security practices. The sense that these systems are nearly impossible to secure can add to organizations’ reluctance to invest time and money in such measures for fear that they will not, ultimately, be very effective.
• The SolarWinds breach took advantage of security products to introduce a vulnerability into victims’ systems. One of the other striking features of this compromise is that the intruders made use of a software update for a security tool used to monitor networks to infiltrate victims’ systems. This is a reminder that the security tools organizations rely on to help protect their systems, like software updates and network monitoring programs, can also create new attack surfaces and introduce vulnerabilities of their own that require monitoring and careful attention.