
Coverage On The Great “Sunburst” Cyber Attack



INTRODUCTION

It is being called one of the most serious cyber attacks ever to have occurred. The “Sunburst” cyber attack has compromised several U.S. government agencies, the American private sector, research institutions, and possibly the assets of other foreign countries. CISA, the U.S. Cybersecurity and Infrastructure Agency, cautions that the numerous, wide-ranging intrusions are “highly complex and challenging” for any party to address. Even as the “Sunburst” attack becomes better known, many of the large-scale compromises have yet to be discovered. The main questions surrounding the event are:

  • Who is already affected by “Sunburst” and who is yet to be?

  • Who is to blame for such a large-scale and damaging cyber attack?

  • What is currently being done to control the attack and mitigate the damage done?

This basic coverage of the “Sunburst” incident seeks to provide a breakdown of the many components of this attack and information on the parties involved.


FIRST INCIDENTS: THE SOLARWINDS CYBER ATTACK

The story begins with the SolarWinds cyber attack (technically a part of the overall “Sunburst” attack). SolarWinds is a software management company that helps businesses manage their networks, systems, and IT. An American company catering to more than 300,000 customers worldwide, SolarWinds creates a range of IT support products. Infosec blogger Graham Cluley (grahamcluley.com) sums up the incident in his article: “Up to 18,000 SolarWinds customers installed poisoned update that could allow state-sponsored attack”. As Cluley stated, 18,000 SolarWinds customers downloaded malicious versions of Orion “updates”, which allowed the cybercriminal(s) to gain backdoor access to networks and to take over the servers that the Orion products ran on.


Adversaries compromised the build system for Orion Platform products by SolarWinds, inserting malware that persisted in the products from March to June of 2020. SolarWinds customers unknowingly downloaded new (malicious) software updates when prompted by the cybercriminal(s) in pop-up messages.


SolarWinds released a statement describing the attack as a “highly sophisticated, targeted, and manual supply chain attack by an outside nation state”. Not all vulnerabilities have been exploited by the attacker(s), but many well-known organizations and government agencies have reported intrusion activity. Because the company caters to numerous lucrative parties, it is at least clear that SolarWinds itself was not the actual target, but served as a jumping-off point for the attacker(s) to gain entry to other systems in a “supply chain stratagem”.


WHAT IS A SUPPLY CHAIN CYBER ATTACK

According to csoonline.com, a supply chain cyber attack is:

“when someone infiltrates your system through an outside partner or provider with access to your systems and data”.

Service providers are enterprises that provide the service of internet connection for users and other organizations. Since service providers and other types of vendors (such as the SolarWinds software company) now handle more and more critical information, adversaries may find it easier to attack one of these vendors in order to gain access to their real targets (such as specific users or organizations that are clients of a third-party vendor).


GOVERNMENT SECTOR COMPROMISES

As a result of the SolarWinds attack, the following U.S. government agencies are publicly known to be affected:

  • Department of Commerce

  • Department of Treasury

  • State Department

  • Department of Homeland Security

  • The Pentagon

FireEye, a cybersecurity company, discovered that U.S. government agencies were compromised only after discovering that the security firm itself had been breached. According to Reuters, U.S. government communications are the main aspect of the breach to have been disclosed to the public. It is reported that the cybercriminal(s) were able to monitor emails sent by personnel from the Department of Homeland Security. More gravely, the Department of Energy, which controls the national nuclear arsenal, reported finding suspicious activity within the networks of the Federal Energy Regulatory Commission, Sandia and Los Alamos national laboratories, its Richland Field Office, and the Office of Secure Transportation at NNSA.


It is unknown exactly what information was visible to the cybercriminal(s), how sensitive it was (whether confidential, secret, or top secret), and what actions the adversaries have already taken with the compromised information. All that can be assumed is that the wide-scale reach of this attack must not have been as apparent to the adversaries as imagined, for the evidence available to the public indicates that the adversaries focused most of their time and resources on exploiting the U.S. government.

Joe Tidy, cyber reporter at bbc.com, rightly predicts that it will take months for organizations, both private and public, to figure out what sensitive information was stolen, viewed, modified, etc.


PRIVATE SECTOR INTRUSIONS

In a statement released on Thursday, December 17th, Microsoft revealed itself to be a victim of the SolarWinds supply chain attack. Another tech giant, Cisco Systems (a networking hardware company), also said in an official statement that its internal machines were targeted by the SolarWinds adversaries, according to Bloomberg.

Help Net Security (an information security news and material outlet) provided on Twitter a breakdown of percentages of the types of SolarWinds victims targeted by sector:


According to the chart, more than 40% of victims were classified as Information Technology companies, while government agencies and think tanks/NGOs were the next greatest target categories at 18%. Microsoft is one of the biggest names mentioned in connection with the SolarWinds attack, but according to dw.com, SolarWinds lists 425 of the Fortune 500 companies as having used its affected software. Whether or not these companies’ vulnerabilities were exploited by the cybercriminal(s) is hard to determine, but the following is part of the list of big names that SolarWinds is known to have catered to (obtained from dw.com):




Since the attack, SolarWinds has removed its list of customers from its website, understandably trying to lessen the panic or speculation surrounding these companies after the breach.


OTHER NATIONS AT RISK

It is reported that German private organizations and the German government have used SolarWinds’ compromised software, but as of now, the German Federal Office for Information Security (BSI) has disclosed in an official statement that the quantity of people affected is low in comparison. Microsoft, in its own report of the attack, mentioned victims of the SolarWinds attack in Mexico, Israel, Canada, Spain, Belgium, the United Arab Emirates, and the UK as well (in the 11% category of ‘other’ sector targets). While American companies appear to be the primary target, the number of intrusions worldwide may be unprecedented. Microsoft’s President, Brad Smith, has warned that the attack is growing and is likely to compromise foreign entities even without connections to U.S. companies or the U.S. government.


WHO IS TO BLAME

As for the group of cybercriminals or individuals responsible for the “Sunburst” cyber attack, there has been much speculation that a group of Russian cybercriminals or Russian nation-state hackers is behind the incidents. This claim, and all other claims of Russia’s malicious cyber activity, have been officially denounced by the Russian Embassy in the U.S. in a statement made on Facebook. According to bbc.com, FireEye itself accuses the Russian government team “Cosy Bear” of being specifically behind SolarWinds or the full “Sunburst” operation. The U.S. government has not officially named Russia as responsible for the Sunburst cyber attack, although individuals from U.S. politics, government, and private organizations have already taken the stance that SolarWinds was a “Russian attack”. For now, though, investigations to identify the adversaries continue.


WHAT IS BEING DONE & SUGGESTIONS FOR PARTIES

Of course, the common advice is for all agencies, companies, and users to continue applying security patches to try to mitigate the vulnerabilities that the adversaries have planted. All organizations need to review their vulnerabilities to determine whether or not they have been exploited yet, and to continue analyzing their systems for suspicious activity. Along with other fair warnings, Germany’s Federal Office for Information Security (BSI) advises parties to rely less on supply chains for services. After seeing the widespread damage that can be caused by depending too much on separate vendors, it is highly possible that organizations and users could shift toward more internal sourcing.


For the current handling of all incidents, CISA (the U.S. Cybersecurity and Infrastructure Agency) has released an emergency order for all affected parties to immediately disconnect or power down the SolarWinds Orion versions available from 2019 to 2020. Most organizations are reportedly following CISA’s recommendations, but for those that are not, it should be known that the standards of integrity and responsibility in incident handling start with reviewing CISA’s Emergency Directive 21-01.


CONCLUSION

Given the ongoing severity of the “Sunburst Incident”, there are many lessons to be learned moving forward into the new year and the new decade ahead. Many could argue that things could not be worse after suffering a mass pandemic and now a large-scale cyber attack in both the public and private sectors. However, it is important to remind all individuals to stay strong in the face of adversity. For all personnel working to mitigate this serious attack, the greatest support is extended to you and your efforts.

