Trenton Systems Blog

The SolarWinds Orion Hack Explained

Written by Brett Daniel | Jan 11, 2021 6:41:01 PM

Graphic: The SolarWinds hack shook American businesses and federal agencies in December. We're unpacking the hack in this blog post.

Table of Contents

The SolarWinds hack.

It’s raising questions that everyone wants answers to: how did it happen, who was affected, but perhaps most importantly, how can a similar attack be prevented going forward?

One thing is undeniable: the attack was devastating, and it will take major businesses and government agencies a while to fully recover. Many will need to rebuild their entire networks from the ground up.

Oh, yes, you read that correctly. Experts say that those affected will need to "burn their networks to the ground" to ensure that they're clean.

In the meantime, it's important to discuss prevention. There's no perfect preventative solution, and as the SolarWinds hack proved, hackers are continuing to devise more highly sophisticated ways to surreptitiously steal, manipulate, or delete your most sensitive data.

But that's not an excuse. There are discussions to be had.

For this blog post, we called upon two of our technology partner companies - Star Lab, a Wind River company, and NGD Systems - to help us unpack the hack and talk preventative measures from their perspectives.

Throughout, we'll provide some background on the hack by describing exactly what happened with SolarWinds, how the hack was able to occur, how and which major companies and government agencies were affected, and how cybersecure servers, hardware protections, and signing release packages securely can help prevent another SolarWinds-style hack.

What is the SolarWinds hack?

The SolarWinds hack was a software supply chain attack perpetrated against American software company SolarWinds, which develops and maintains network monitoring tools used by major businesses and government agencies.

The hack, believed to have been perpetrated by an outside nation state, exploited SolarWinds’ Orion® software updates. These updates were subsequently installed by many of SolarWinds’ Orion customers, which include Fortune 500 businesses and federal agencies.

In fact, the hack is believed to have affected more than 250 of those businesses and agencies.

Graphic: Hackers purportedly compromised SolarWinds' Orion software build via an already-compromised Microsoft Office 365 account. Backdoors were later distributed into user networks once tainted Orion updates were installed.

How did hackers get into SolarWinds?

According to a statement by SolarWinds, the hackers inserted malware into two Orion software updates, which were installed by customers in the spring of 2020.

But the hackers had already gained access to SolarWinds’ software development system in October of 2019, according to Security Week, likely through SolarWinds’ already-compromised Microsoft Office 365 account.

The hackers then spent months implementing botnet command-and-control protocols, and in March of 2020, began inserting trojans into the updates that customers would ultimately install.

Once installed, this malware, dubbed SUNBURST, distributed backdoors that communicate to third-party servers into customers’ systems, giving the hackers remote access to emails, confidential documents, and other sensitive information.

But here’s the worst part: neither SolarWinds nor its customers knew that any sort of breach had occurred until December of 2020, more than a year after the hackers initially gained access to SolarWinds’ build environment and nine months after the first poisoned update was released in March.

To both SolarWinds and its customers, the trojanized updates appeared to be just another run-of-the-mill software modification to the Orion software.

But how could this be?

Well, the malicious code was inserted into an Orion plug-in called SolarWinds.Orion.Core.BusinessLayer.dll, a typical library component found in Orion software updates.

This compromised plug-in was digitally signed by a seemingly valid but actually compromised SolarWinds certificate. In other words, it was able to masquerade, totally undetected, as a legitimate, trusted, SolarWinds-verified library file that, once executed, whether during an automatic update or manually by the user, would begin to wreak its havoc, the user unwitting all the while.

Even scarier is that the backdoor was designed to remain dormant for 14 days before retrieving and executing commands that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services, according to cybersecurity company FireEye, which was also affected by the attack.

Who was affected by the SolarWinds hack?

According to numerous media sources, the following businesses and agencies have been affected by the hack:

Businesses

  • Microsoft
  • Intel
  • NVIDIA
  • Cisco
  • Belkin
  • VMware
  • FireEye

Agencies

  • The United States Department of Homeland Security
  • The United States Treasury Department
  • The United States Department of Defense
  • The United States Department of Commerce
  • The United States Department of State
  • The United States Department of Energy
  • The United States Nuclear Security Administration

The extent of the hack, the data accessed, modified, stolen, or deleted, and whether other major businesses and agencies were affected are still being investigated.

Graphic: Secure code signing to verify trusted software sources can help prevent a SolarWinds-style attack in the future.

How can similar attacks be prevented?

Going forward, secure code signing and hardware-based protections are two of many practices that could help prevent SolarWinds-style hacks.

Jonathan Kline, Chief Technical Officer at cybersecurity software company Star Lab, a Wind River company, and a Trenton Systems technology partner, stresses the importance of signing release packages securely but admits that there’s no one-size-fits-all solution.

One possible approach to securely signing software uses an offline approach combined with some form of hardware security module (HSM). Within this model, the software is developed and transferred to a staging area. In the staging area, the software is signed using a non-extractable key, presumably by a trusted individual within your organization. The software is then transferred back to the release or deployment environment.

This process could be made more secure by requiring the key stored within the HSM to use some kind of multi-factor authentication. This would then prevent someone who had access to the HSM from being able to sign their own packages. It doesn’t, however, directly prevent someone from modifying or injecting build artifacts into the development environment before they are transferred to the staging environment.

- Jonathan Kline   

Securely signing release packages is not an easy undertaking, Kline says, but particularly in light of the SolarWinds breach, it remains an altogether security-crucial aspect of software development and software release, if the industry is to protect itself from another SolarWinds, that is.

Scott Shadley, Vice President of Marketing at NGD Systems, a manufacturer of state-of-the-art computational storage drives (CSDs) and also a Trenton Systems technology partner, explained how NGD's drives can protect your sensitive data.

Our CSDs actually leverage the security protocols of self-encrypting data. The benefit is, since we have an OS inside the drive, we can read, decrypt, work on, modify, encrypt, and store the data on the drive without any external access to it. There's no movement outside the device itself. We can then provide results and value from the raw encrypted and stored data on the drive to the user without risking any leak of data from the drive itself.

So, to put this into perspective, a stream of data, such as video from a drone, is stored in real-time on the device using an encryption key. The data is then analyzed by the local OS on the CSD from NGD Systems to identify the target of the video stream. The raw data is secure on the drive, but the image or results needed by the host to make value of that data is sent off the drive, encrypted. So, the raw data is 100-percent secure from the moment it's captured.

- Scott Shadley 

Check out these other great resources for more preventative measures:

  1. How Malicious Software Updates Endanger Everyone
  2. The SolarWinds Sunburst Attack: How to Protect Yourself from 5th Generation Cyberattacks
  3. Detection Is Better Than Cure: Seeing and Preventing Supply Chain Attacks

Graphic: Trenton Systems partners with Star Lab, a Wind River company, and Futura Cyber to help protect its rugged servers and workstations from common software and hardware attacks.

Conclusion: Trenton Systems' Team of Trust

Trenton Systems partners with leading cybersecurity and secure data storage companies, like Star Lab, a Wind River company, FUTURA Cyber, and NGD Systems, that excel in both hardware and software security protections that help protect against malicious attackers. We also have our own cybersecurity protections in place, creating quite the expansive team trust for our customers.

Star Lab’s Titanium Security Suite boasts the most robust Linux operating-system hardening and security capabilities available on the market. Designed using a threat model that assumes an attacker has already gained root or administrative access to a system, the suite still maintains the integrity and confidentiality of critical applications, data, and configurations while also assuring field and operational success.

FUTURA Cyber’s drive security manager (DSM) for FIPS-140-2 self-encrypting drives (SEDs) helps businesses, agencies, and organizations centrally, efficiently, and securely manage and store cryptographic keys and policies to better protect data at rest.

NGD Systems' CSDs can process data internally, where data is encrypted, rather than having to unencrypt it and transfer the data across the bus, where it could be intercepted.

Furthermore, Trenton Systems is currently working toward obtaining its Cybersecurity Maturity Model Certification (CMMC) for the protection of controlled unclassified information (CUI) through the Office of the Under Secretary of Defense for Acquisition & Sustainment. We also take DFARS-compliance very seriously and are continuously managing our adherence, implementing new and innovative ways to protect your sensitive data, and mitigating the potential impact of supply chain attacks internally.

For more information about our cybersecurity practices and the measures we’re taking to help secure your data, feel free to reach out to us.