Advisen FPN

Advisen Cyber FPN - Friday, December 18, 2020

SolarWinds hack illustrates the wide-ranging risks of supply chain cyber threats



By Erin Ayers, Advisen

A monthslong cyber espionage campaign aimed at the U.S. government has stunned security experts and organizations, and the hack offers yet another example – on a much grander scale – of third-party cyber risk and the vulnerability of digital supply chains.

According to reports, “incredibly sophisticated” cyber espionage operatives infiltrated SolarWinds, a network monitoring software provider with over 300,000 clients including the U.S. government and over 400 of the Fortune 500 companies. Sometime in March or April, the firm revealed in a regulatory filing, state-sponsored threat actors created a backdoor into SolarWinds’ Orion software product to gain unauthorized surveillance access. SolarWinds alerted 33,000 Orion customers of the breach, but it estimated that fewer than 18,000 customers unwittingly downloaded the vulnerability via a software update.

Multiple news outlets and security teams have attributed the attack to elite Russian hackers, specifically the “Cozy Bear” or APT29 operatives that have also been cited as conducting last week’s cyberattack on security firm FireEye. FireEye reported this week the two events appear connected and cited “multiple organizations where we see indications of compromise.” Russia has denied responsibility for the spying campaign.

Experts say the goal appears to have been intelligence-gathering rather than destructive attacks, but the ultimate impact of the breach remains to be seen. The U.S. Treasury and Commerce Departments, the National Institutes of Health and the State Department were infiltrated, and investigations are underway to determine the impact on private companies using SolarWinds’ products.

“This was quite a breach. It once again shows how vulnerable we all are regardless of the level of sophistication of the target company,” said Adam Levin, founder and chairman of CyberScout LLC. The cyber event also emphasizes the need for vendor cyber risk management, a lesson dating all the way back to Target’s 2013 data breach. A heating, ventilation, and air conditioning contractor inadvertently let data thieves sneak into the giant retailer’s systems.

“You are your vendor. Never underestimate the damage that can be done to your organization by a vendor that has been careless with their privacy and their security,” said Levin. Other recent breaches including nonprofit services provider Blackbaud and medical debt collection agency AMCA offer further lessons on how an event at one company can spiral throughout its customer base.

“Don’t think, ‘nobody’s going to come after me,’” Levin said. “Sometimes it’s not who they are, it’s with whom they have a relationship. It might be that you’re a tributary to a larger river, and they have their eye on the larger river. When you look in the mirror, you look like you. To a hacker, you might look like Beyonce and Jay-Z.”

In the case of SolarWinds, cyber spies likely saw an opportunity for infiltration last spring as the COVID-19 pandemic expanded around the world and the government’s cyber focus turned to election security.

“This is the hallmark of all hackers, but these folks are the best of the best. They thrive in an environment where people are distracted,” said Levin. “You’re talking about weaponized, well resourced, extremely persistent super-professionals who are coming after us.”

For the U.S. government, the hack threatens national security and demands a greater focus on cyber defenses. A Government Accountability Office report issued this week revealed that very few federal agencies have acted on managing their supply chain risks.

For the private sector, a break in the digital supply chain could be an “extinction-level event,” according to Levin. Vendor risk should be on the radar of any organization, with stringent security standards built into contracts and a close eye on how cyber insurance policies respond to third-party breaches.

Internally, organizations need to be stress-testing their incident response plans, training employees, and requiring multi-factor authentication to ensure that anyone accessing company systems has the authority to do so.

“This is the perfect storm and we’re all in the middle of it. We really have to take a breath and step up our game,” said Levin. “Breaches have become the third certainty in life behind death and taxes. If you know you’re coming for you, then you should be building your walls higher and your defenses better.”

Editor Erin Ayers can be reached at
