On December 13, 2020, the US Government announced a major cyberattack on the US Treasury and Commerce departments. Against a US government department, opportunistic attackers rarely get past routine security procedures. This was a large-scale, carefully planned operation that took months and likely dozens if not hundreds of people to carry out. An organization the size of the US Treasury attracts the attention of other countries, and an operation of this scale, with the money and staff to spend months quietly working toward a single target, is generally only within reach of state-backed groups. At the time of writing no attribution has been officially confirmed; the most likely candidate is Russia, but other contenders include China, Iran, and North Korea.
The Attack Vector
Media reports are mixed, with NPR saying “the hackers reportedly broke into the email systems at those two government departments.” Most other reports are calling this a “supply chain attack.” What is a “supply chain attack”? A “Supply Chain Attack” (SCA) targets less secure elements in an organization’s supply chain: a vendor, contractor, or piece of third-party software that the organization trusts. Instead of immediately trying to get into the email or financial systems, an SCA enters through that weaker, trusted path and then sits and waits while it collects information. For example, the attackers in the 2013 Target breach got in using credentials stolen from one of Target’s heating and air-conditioning contractors. (The widely retold story of a network being breached through an internet-connected fish tank involved a casino, not Target, but it illustrates the same idea: the weakest connected party becomes the way in.)
In the case of the US Treasury attack, the attack vector was a third-party provider, SolarWinds. SolarWinds sells IT management and network monitoring software (its Orion platform is the product involved) to the US Government, including the US Treasury, the US Department of Commerce, the National Security Agency (NSA), the Department of Homeland Security, and all the branches of the US military: Army, Air Force, Navy, and Marines. Other clients include Ford, Microsoft and AT&T. So this may not be over soon.
Instead of directly hacking into government systems, the hackers chose to target SolarWinds. By some means that has not yet been made public, they got their own code into SolarWinds’ software build, so that when SolarWinds shipped an Orion update to its clients, the update carried a backdoor (named “SUNBURST” by FireEye, the security firm that discovered it). Because the update was built and digitally signed by SolarWinds itself, it looked legitimate to every customer who installed it. According to FireEye, the tampered updates were released between March and June 2020 and were not detected until the disclosure yesterday.
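The point above is worth seeing in code: a vendor’s signature proves that the vendor shipped the file, not that the file is what the vendor meant to ship. The following is an added example, not code from the original post or from SolarWinds. It models a release channel in which the vendor signs every build; when the build pipeline is compromised, the backdoored build is signed with the same key and passes signature checking, and only an independently obtained digest (for instance from a reproducible build of the tagged source, or a manifest fetched over a separate channel) catches the substitution. Everything in it is constructed: the vendor key, the file name `Vendor.Core.dll`, the source text, and the simulated backdoor. Signing is simulated with HMAC-SHA256 so the script runs with the standard library only; real code signing uses X.509 certificates, but the reasoning is the same.

```python
"""Added example: why a valid vendor signature is not a sufficient update check.

All keys, names and file contents are constructed for this example.
HMAC-SHA256 stands in for real code signing so the script has no dependencies.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# --- vendor side (constructed) ---------------------------------------------
VENDOR_KEY = secrets.token_bytes(32)  # the vendor's code-signing key (simulated)


def vendor_sign(artifact: bytes) -> bytes:
    """Simulated vendor code signing: HMAC over the artifact bytes."""
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).digest()


def build_release(source: bytes, pipeline_compromised: bool) -> tuple[bytes, bytes]:
    """Return (artifact, signature).

    A compromised pipeline appends a backdoor *before* signing, so the
    backdoored build carries a perfectly valid vendor signature.
    """
    artifact = source
    if pipeline_compromised:
        artifact = source + b"\n# injected: beacon to attacker infrastructure (simulated)\n"
    return artifact, vendor_sign(artifact)


# --- customer side ----------------------------------------------------------
def verify_signature(artifact: bytes, signature: bytes) -> bool:
    """Check 1: does the signature verify under the vendor's key?"""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pinned_digest(artifact: bytes, pinned: dict[str, str], name: str) -> bool:
    """Check 2: does the artifact match a digest obtained independently of the
    download (reproducible build, or a manifest from a separate channel)?"""
    expected = pinned.get(name)
    return expected is not None and hmac.compare_digest(sha256_hex(artifact), expected)


def assess_update(name: str, artifact: bytes, signature: bytes, pinned: dict[str, str]) -> str:
    """Combine both checks; returns 'ok', 'bad-signature' or 'tampered-or-unknown'."""
    if not verify_signature(artifact, signature):
        return "bad-signature"
    if not verify_pinned_digest(artifact, pinned, name):
        return "tampered-or-unknown"
    return "ok"


def demo() -> dict[str, object]:
    """Run the three scenarios a customer can face and return the verdicts."""
    name = "Vendor.Core.dll"  # constructed file name
    source = b"class BusinessLayer: pass  # constructed stand-in for a vendor library\n"
    # The customer computed this digest from a reproducible build of the tagged source.
    pinned = {name: sha256_hex(source)}

    clean, clean_sig = build_release(source, pipeline_compromised=False)
    backdoored, backdoored_sig = build_release(source, pipeline_compromised=True)
    # An outsider who tampers with the download but lacks the vendor key.
    outsider = clean + b"# outsider edit\n"

    return {
        "clean": assess_update(name, clean, clean_sig, pinned),
        "outsider_tamper": assess_update(name, outsider, clean_sig, pinned),
        "backdoored": assess_update(name, backdoored, backdoored_sig, pinned),
        # Signature check alone is fooled by the compromised pipeline:
        "backdoored_signature_valid": verify_signature(backdoored, backdoored_sig),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario}: {verdict}")
```

For closed-source products a customer cannot rebuild the vendor’s binaries, so the second check is usually weaker in practice: comparing digests against what other customers and the vendor’s own advisories report, and watching for new outbound network connections after an update. The lesson stands either way: trust in the vendor’s signature should be one control, not the only one.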
SolarWinds is a publicly traded company (NYSE: SWI) valued in excess of $4.5B USD and with sales in excess of $500M USD per year. The US Cybersecurity and Infrastructure Security Agency (CISA) has directed all federal civilian agencies, under Emergency Directive 21-01, to immediately disconnect or power down SolarWinds Orion products. Certainly this is an embarrassment to SolarWinds and its owners, and points to lapses in security within the company. There will be a financial cost to SolarWinds and a lot of worry within government circles. It may never be known what state or trade secrets were exfiltrated by the hackers.
Lessons for Smaller Businesses
While few of our businesses will ever be large enough to attract the direct attention of state-sponsored attackers, the story should remind us not to take security lightly. A tampered update goes to every customer who installs it, large or small, so being a small customer of a large vendor is no protection. The software we let into our businesses should be vetted as thoroughly as the employees we hire. Although SolarWinds has some very large clients, they have also been marketing to Atlas Solutions, trying to take us on as a client as well (we didn’t accept).
While there is never a guarantee that a system can’t be hacked or that software doesn’t have vulnerabilities, there are factors to consider in choosing software that is likely to be safer:
- What is the company’s security stance or policy? Do they have a documented security practice on their website?
Some companies are so focused on profit and cash flow that they only add security when a weakness is noticed. Others, like Google, build software knowing that their future brand and customer base are counting on them to be secure. One thing to ask for is their SOC 2 or SOC 3 independent audit report. If the software is critical to your organization, ask for this report, but read it for what it is: an auditor’s description of the controls in place during the audit period, not a guarantee that the vendor’s build and release process is clean.
- How long has the company been around? How big are they?
While age isn’t the only determinant, it is an important one. Software vendors should have enough maturity to have weathered a few crises and still maintain their business.
- Are they too big?
Size is a tricky one. SolarWinds was large–I would say too large. Large software vendors attract large predators and they give preferential treatment to their large clients over their smaller ones. While I don’t recommend putting all your eggs into a new start-up, I also advise caution when dealing with larger companies.
- What is their market share?
Related to this is the percentage of market share that a vendor has. There is far more malware written for Microsoft Windows than for Apple macOS. Why is this? Simple: with about 77% of desktop market share against well under 20% for macOS, malware written for Windows reaches several times as many machines as malware written for macOS. Similarly, with Zoom the most used video conferencing platform (about 36%), hackers will be trying to attack Zoom rather than products with lower adoption. This is a reason to scrutinize popular products more closely and keep them patched, not by itself a reason to avoid them: a niche product draws less attention from attackers, but also less from the security researchers who find and report flaws.
- What does a Web Search reveal about them?
A quick search can find reports of software problems and previous security issues. Sudden changes in a company’s ownership or management team can also indicate either past problems or new ones. Also, publicly traded companies tend to be more sensitive to media reports and shareholder concerns than privately held ones.
*Disclaimer: This report was written shortly after the attack was announced and is based on information provided by NPR News and reports from the US Cybersecurity and Infrastructure Security Agency (CISA). As further details and analysis are uncovered, additional information may be forthcoming. Please review updated news reports for the actual incident analysis of this breach.