Let’s just call it the year that keeps on giving. Even as the COVID-19 pandemic was running rampant among the human population in 2020, an insidious malware agent called Sunburst wormed its way into the development supply chain of SolarWinds. Then, using a signed software update to the company’s Orion network management software as its Trojan horse, the malware was welcomed into some 18,000 government and corporate clients’ networks. It had most of the year to make itself at home before it was first identified in December 2020 by cybersecurity firm FireEye, upon investigating suspicious activity around its own network’s two-factor authentication process.
The hack, which has been attributed to Russian operatives, is particularly diabolical for a couple of reasons, according to Grant Geyer, chief product officer, Claroty. First, by being inserted into a legitimate, digitally-signed software upgrade, it easily cleared organizations’ defenses. Second, since it effectively became part-and-parcel of the network management software package, it could “hide in plain sight,” while probing all the various connected devices that the network management software was credentialed to manage. This meant it could—and likely has—spread laterally, establishing footholds in those connected assets and applications. “The scope of the potential compromise is much larger than SolarWinds Orion software,” Geyer says.
Not just an IT problem
“Given SolarWinds’ ubiquity, the extent of the attack may not be known for some time,” adds Geyer. “But the stealthy nature of this attack, and the advanced capabilities and backdoors in use, should put any organization that includes nation-state actors as part of their threat model on alert, including critical infrastructure, industrial control systems (ICS) and SCADA operators.”
While an Orion instance in the DMZ may not seem to pose a risk to an OT network, it’s quite possible that the software is configured to actively poll programmable logic controllers or other OT equipment, according to Ben Miller, vice president, professional services and R&D for Dragos. “If there’s no firewall between SolarWinds and the monitored devices, this could allow the adversary to directly interact with them,” he says. “And even if there are firewalls between SolarWinds and the devices, their access control may be overly permissive, still allowing unfettered interactions with equipment.”
The first remediation step is to definitively determine whether you have instances of Orion software running—in your OT or IT environment—and of what version.
Don’t assume that because you’re not aware of it, it’s not around. OEMs, maintenance services and even ICS providers are known to use Orion as a white-listed application embedded in their offerings. Use an inventory assessment tool to be sure, and check DNS logs for unusual or suspicious requests. In particular, look for connections to any of several domains that are known beaconing indicators of compromised instances of SolarWinds Orion (see CISA Alert AA20-35A for a list).
Any instance of Orion software that's compromised must be rebuilt, along with any systems that it had credentials to access. Once these systems have been rebuilt, remember you’re not necessarily in the clear, as the malware may already have migrated to other network domains.
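The DNS-log check described above, as an added example that is not part of the original article: it scans resolver log lines for queries that equal, or are subdomains of, a list of known beaconing domains. The indicator domains and the log format here are constructed placeholders; substitute the domains from the CISA alert and your resolver’s actual log layout.

```python
import re
from collections import defaultdict

# Placeholder indicator list (constructed). The real beaconing domains are in the
# CISA alert the article cites; they are deliberately not reproduced here.
INDICATOR_DOMAINS = ("example-beacon-domain.invalid", "another-indicator.invalid")

# Constructed sample resolver log, one query per line:
# "<timestamp> <client_ip> <query_name> <query_type>"
SAMPLE_DNS_LOG = """\
2020-12-14T08:01:02Z 10.20.30.40 www.solarwinds.com A
2020-12-14T08:01:05Z 10.20.30.40 k5c1e2f3.appsync.example-beacon-domain.invalid A
2020-12-14T08:02:10Z 10.20.30.41 time.windows.com A
2020-12-14T08:03:00Z 10.20.30.40 EXAMPLE-BEACON-DOMAIN.INVALID. A
2020-12-14T08:04:00Z 10.20.30.42 notexample-beacon-domain.invalid A
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def normalize(name):
    """Lower-case and strip the trailing dot so FQDN and relative forms compare equal."""
    return name.lower().rstrip(".")


def matches_indicator(qname, indicators=INDICATOR_DOMAINS):
    """Return the indicator that qname equals or is a subdomain of, else None.
    Subdomain matching matters because beacons encode data in the label prefix;
    the leading '.' check avoids false hits on look-alike names."""
    q = normalize(qname)
    for ind in indicators:
        ind = normalize(ind)
        if q == ind or q.endswith("." + ind):
            return ind
    return None


def scan_dns_log(text, indicators=INDICATOR_DOMAINS):
    """Return (timestamp, client, qname, indicator) for every matching query."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ind = matches_indicator(m["qname"], indicators)
        if ind:
            hits.append((m["ts"], m["client"], m["qname"], ind))
    return hits


def hosts_to_investigate(hits):
    """Count hits per client IP; these hosts are candidates for rebuild."""
    counts = defaultdict(int)
    for _, client, _, _ in hits:
        counts[client] += 1
    return dict(counts)
```

Any client that appears in the output is a host whose Orion instance, and everything it had credentials for, should be treated as suspect until proven otherwise.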
“This incident just proves that we're never going to have a fully secure network,” adds Joe Weiss, ControlGlobal cybersecurity blogger and managing partner, Applied Control Solutions. “The Russians have beaten all three: two-factor authentication, digital certificates, and now a signed software update.”
That’s all the more reason for a belt-and-suspenders approach to handle both inherent and residual cybersecurity risks, says Claroty’s Geyer. “We need to trust but verify, and make sure that the OT environment is instrumented for anomalies, and that you have detection tools in place that rely on a variety of methodologies to spot an attacker.”
Stay vigilant, my friends.