The SolarWinds cyberespionage campaign has apparently targeted a dizzying number of government and private organizations: the State, Commerce, Treasury, Homeland Security, and Energy departments; Microsoft; the cybersecurity firm FireEye; the National Institutes of Health; and the city network of Austin, Texas, just to name a few. It launched in the spring of this year, and it will likely last for years. I study the aftermath of cybersecurity incidents, and many large-scale breaches come with drawn-out legal battles and investigations that last for months, or even years, following the initial discovery and disclosure. But the SolarWinds compromise is different. In the coming year, we won’t just be fighting about who was responsible or figuring out how this happened or assessing the fallout or repairing affected systems. That whole time, government and private sector systems will continue to actively be breached because of the malware that was surreptitiously included in updates to the SolarWinds Orion products.
To understand the difference between the SolarWinds compromise and the other high-profile cybersecurity incidents you’ve read about in recent years—Equifax or Sony Pictures or Office of Personnel Management, for instance—it’s important to understand both how the SolarWinds malware was delivered and also how it was then used as a platform for other attacks. Equifax, Sony Pictures, and OPM are all examples of computer systems that were specifically targeted by intruders, even though they used some generic, more widely used pieces of malware. For instance, to breach OPM, the intruders stole contractor credentials and registered the domain opmsecurity.org so that their connections to OPM servers would look less suspicious coming from that address.
This meant that there were some very clear sources that could be used to trace the scope of the incident after the fact—what had the person using those particular stolen credentials installed or looked at? What data had been accessed via the fraudulent domains? It also meant that the investigators could be relatively confident the incident was confined to a particular department or target system and that wiping and restoring those systems would be sufficient to remove the intruders’ presence. That’s not to say that cleaning up the OPM breach—or Sony Pictures or Equifax, for that matter—was easy or straightforward, just that it was a fairly well-bounded problem by comparison to what we’re facing with SolarWinds.
The compromised SolarWinds update that delivered the malware was distributed to as many as 18,000 customers. The SolarWinds Orion products are specifically designed to monitor the networks of systems and report on any security problems, so they have to have access to everything, which is what made them such a perfect conduit for this compromise. So there are no comparable limiting boundaries on its scope or impacts, as has been made clear by the gradual revelation of more and more high-value targets. Even more worrisome is the fact that the attackers apparently made use of their initial access to targeted organizations, such as FireEye and Microsoft, to steal tools and code that would then enable them to compromise even more targets. After Microsoft realized it was breached via the SolarWinds compromise, it then discovered its own products were then used “to further the attacks on others,” according to Reuters.
This means that the set of potential victims is not just (just!) the 18,000 SolarWinds customers who may have downloaded the compromised updates, but also all of those 18,000 organizations’ customers, and potentially the clients of those second-order organizations as well—and so on. So when I say the SolarWinds cyberespionage campaign will last years, I don’t just mean, as I usually do, that figuring out liability and settling costs and carrying out investigations will take years (though that is certainly true here). The actual, active theft of information from protected networks due to this breach will last years.
Some of that longevity will come from the scale of the attack and the number of different companies, like Microsoft, that were then used as platforms for further attacks on new victims. All of that will require time to sort out and trace and investigate, but it’s not the only reason that coming back from this will be hard. Another element adding to the challenge of trying to clean up this mess will be the thoroughness of the compromise of each individual system.
Many cyberespionage activities begin with phishing campaigns or stolen credentials, which are then used to deliver malware to targeted systems. Those credentials, depending on whom they belong to and how much access that individual has, can be very effective ways to gain a toehold in a protected computer system, but they’re also very easy to change or reset when the compromise is discovered. Weeding out the malware that they were used to install can be trickier, especially if there are multiple types of malware being used (as was the case in the OPM breach), but that malware is also often constrained at least a little by the system’s security measures and the level of privilege of the compromised credentials—that’s why compromising the credentials of a system administrator, for instance, who has access to an entire network, is often more fruitful for attackers than compromising the credentials of an employee who can only access a smaller portion of the network for their job. It’s also why it’s important for organizations to segment their networks and make sure people only have access to the files and servers they absolutely need to be able to access for their work.
But none of that matters with a breach like SolarWinds that granted intruders broad access to the entire network of every system it was installed on. Additionally, SolarWinds had apparently persuaded many of its customers that its Orion products needed to be exempt from existing antivirus and security restrictions on their computers because otherwise it might look like a threat or be unable to function properly. (This is actually an old problem—security products identifying other security products as malware. For instance, if you try to install multiple antivirus programs on the same computer, they will sometimes recognize the malware signatures stored by the other and try to shut it down as malware. And then the other one will see that there’s a program trying to shut it down and assume that that program must be malware, since trying to turn off the antivirus program is also a typical trait of a malicious program!)
So the access that the intruders had using the SolarWinds updates goes far beyond the access granted by many initial cyberespionage compromises, and the number of potential targets is enormous—and only growing every time we learn about the ways that each of those targets may have been leveraged to access new victims. As we continue to unravel all the different strands of this compromise, the federal government would do well to assume that its computer systems are still being actively infiltrated and not imagine that, simply having discovered this breach, they are anywhere close to reaching the end of it.