The SolarWinds Cyber Attack
by Tanzeer Hossain
In December of 2020, the world witnessed one of the most sophisticated cyberattacks in history: the SolarWinds supply chain attack. It affected the systems of many substantial organizations, including US Government agencies, private companies and key infrastructure providers. The main objective of this attack was the compromise of software updates distributed by SolarWinds, a massive provider of network management tools. The aftermath of this attack cast a long shadow of concern over critical infrastructure security worldwide.
The attack, believed to have been carried out by a state-sponsored group (allegedly Russian), involved inserting malicious code into legitimate software updates. Unsuspecting organizations then downloaded these updates, which gave the malware embedded within them a window of unauthorized access into their networks. The intrusion went undetected for months, giving the attackers a chance to conduct espionage and, after covering their tracks, to leave the framework for future disruptions.
The techniques used included evasion of detection systems, lateral movement, credential theft and persistence mechanisms, all of which allowed the attackers to cause as much disruption as possible. The malware, dubbed “Sunburst”, was hidden within genuine software updates and included its own evasion techniques.
Once the systems were breached, the attackers had an opportunity to compromise the admin accounts. This gave them access to massive amounts of confidential information for their malicious intent. This phase relied on lateral movement. To ensure continued access within the systems, the attackers employed persistence mechanisms such as scheduling additional tasks, modifying the registry, and hiding within system directories, all of which made the intrusion harder to detect.
The fallout of the SolarWinds attack was immense and had global effects. Among the primary targets were the U.S. Department of Defense and the Department of Homeland Security, two very well-known organizations that suffered heavy damage, which also raised concerns about national security and the safeguarding of classified information. Additionally, numerous private sector entities, such as major technology firms and Fortune 500 companies, found themselves caught up in this attack.
The aftermath of the SolarWinds attack has been an arduous and still ongoing recovery. Alongside the loss of key data and/or intellectual property, the incident damaged the reputation of SolarWinds as a software supplier. SolarWinds had to invest heavily in fortifying its security to prevent this from ever happening again. This entailed efforts to identify and remove malware and eliminate residual threats, requiring significant resources and expertise. In addition, SolarWinds faced legal action in 2023 from the Securities and Exchange Commission (SEC) for failing to protect critical information and having inadequate security. In response to this incident, further legislation was proposed by US Senators, calling for enhanced security standards as well as more transparency in software supply chains.
A large cybersecurity firm, FireEye, investigated exactly what happened during the attack and published multiple reports detailing what happened and where, along with recommendations on how to mitigate some of the risks. A few big names that took the advice to heart include Microsoft, which carried out complete reevaluations of its detection systems; banks such as JPMorgan, which enhanced network monitoring and set stricter access controls; healthcare providers such as Pfizer, which increased security on patient data; and finally some victims, such as the Department of Homeland Security, which carried out thorough reviews of their security and implemented reforms to decrease their risk of being breached again.
The SolarWinds attack represents a key moment in cybersecurity, prompting a reevaluation of defensive strategies and increased efforts to build resilience against sophisticated methods of breach. By drawing lessons from this attack, organizations are starting to better prepare themselves for future threats while also safeguarding the digital infrastructure upon which modern society relies.