Sophos: Impact of Massive SolarWinds Software Hack Still Unfolding

The success of the SolarWinds software hack gave threat actors wide-ranging access to corporate and governmental information systems.

It’s already resulted in as-yet uncalculated volumes of data theft. And it’s raising concerns the attackers have inserted other backdoors into enterprise networks yet to be discovered.

That’s according to a new report by SophosLabs. Cisco also has been targeted in the SolarWinds software hack. And Microsoft has discovered a second hacking group that was also targeting SolarWinds software.

The malicious hackers inserted Sunburst malware into SolarWinds‘ Orion software updates sent to nearly 18,000 customers. It was in updates released between March and June of this year.

This led to security breaches at numerous U.S. government agencies. Specifically, the attackers breached the National Telecommunications and Information Administration (NTIA), the Department of Homeland Security (DHS) and more. The attackers also breached SolarWinds’ corporate clients.

Growing List of Victims

According to ZDNet, the list of organizations infected with Sunburst malware includes Cisco, SAP, Intel, Cox Communications, Deloitte, Nvidia, Fujitsu, Belkin, Amerisafe, Lukoil, Rakuten, Check Point, Optimizely, Digital Reach, and Digital Sense.

The Cozy Bear hacking group, which U.S. authorities suggest gets backing from Russian state intelligence, likely performed the SolarWinds software hack.

Based on SophosLabs’ analysis, Sunburst used a compromised software component to use SolarWinds’ Orion to detect, and in some cases, attempt to disable defensive software running on targeted systems.

Sean Gallagher is senior threat researcher at Sophos. He said the threat actors wanted to trip as few alarms as possible in their intrusion.

Sophos’ Sean Gallagher

“Defenders need to be on guard for future efforts to evade targeted defenses in this manner, through close monitoring of accounts, unusual activity and human threat hunting, as well as by working with vendors to find more robust ways to ensure the security of the supply chain of their critical software,” he said. “But they should not do this at the expense of watching for more ‘normal’ attacks, including the ongoing ransomware campaigns that show no sign of slowing down.”

SolarWinds customers should look at the variety of published indicators of compromise and check their own systems, Gallagher said.

Day-to-Day Ransomware a Bigger Threat

Attacks like Sunburst require the compromise of a key component of the security chain. In this case, it was the software supply chain of a trusted vendor.

“Being vigilant to unusual network behavior and auditing administrative level accounts regularly are good ways to detect these attacks before they can do damage, as is having a diversity and depth of defenses,” Gallagher said. “Sunburst looked for very specific defensive tools to disable and evade detection. But honestly, defending against the efforts of a state actor isn’t what most people have to worry about. And everyday attackers need the same level of vigilance and attention to security configuration.”

The bigger threat for most organizations is the day-to-day ransomware and other malware attacks, he said.

“If you can’t defend against them, you certainly can’t defend against a Sunburst,” Gallagher said.