Roughly 198 organizations, overall, were hacked using the SolarWinds backdoor, according to Allan Liska, a threat analyst at Recorded Future. Source: Bloomberg
Teknologize CEO Byron Martin and CTO Dan Morgan sit down and provide an update on the recent SolarWinds Orion hack.
Recap: The SolarWinds Orion supply chain breach
- SolarWinds Orion is a premier network management tool, with over 300,000 customers worldwide.
- Believed to have been a nation-state-sponsored hacking group that embedded backdoor access into a SolarWinds Orion update from March 2020 to June 2020. Anyone installing this update would have installed malware unknowingly. This was only discovered last month.
- No one knew about this breach for months, until FireEye realized they had been breached and, during their investigation, discovered the source was SolarWinds.
- No tools caught this breach. An engineer at FireEye noticed unusual movement on their internal website, and that is what prompted an investigation.
- This breach is unique and alarming because the attackers infiltrated the supply chain, which in turn gave them access to so many organizations, government and private.
What organizations were impacted by the SolarWinds breach?
Some of the government agencies breached with known malicious activity:
- DOJ email server, the State Department, the Treasury Department, Department of Homeland Security, Department of Energy, Los Alamos and Sandia National Laboratories, National Nuclear Security Administration, the National Institutes of Health, Florida State Healthcare Administration
Some of the corporate entities:
- FireEye, Microsoft, Cisco, Intel, VMware, Nvidia
If organizations installed the SUNBURST or SUPERNOVA security patch, does this make them OK?
- Anything SolarWinds Orion touched should be decommissioned and rebuilt.
- At a minimum, change all passwords.
The need for an Incident Response Plan
Cybersecurity is not just the tools and programs we put in place to help protect against and prevent a breach; it is also having an incident response plan in place in case there is a breach, practicing that plan, involving all departments, and conducting ongoing review and training.
Expect a breach to happen. Yes, we need to mitigate threats as much as we can and do everything we can to secure our organizations, but we must additionally have an Incident Response Plan in place in the event a cyber incident occurs.
What does an Incident Response Plan entail?
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-incident Activity
Why the SolarWinds breach matters to everyone, including small businesses and even “the normal guy”
A supply chain attack occurs when someone intrudes into your system through an outside partner or provider that has access to your systems and data, in this case through a software update. Such an attack can affect all of the supplier’s customers. Hacker groups will often map out who is in your supply chain specifically to get to a company further down the line.
- Who is in your supply chain? What vendors do you use?
- And who in that supply chain uses SolarWinds?
- There is a high likelihood that someone in your supply chain was impacted by this breach.
- Most businesses use Microsoft software, and Microsoft had its source code breached.
The reality is that it will likely take years to learn who all will be impacted and the full extent of this impact. It took roughly a year to discover the breach, it will likely take multiple years to discover the extent of the damage done, and some of that damage can’t be undone.
Dan Morgan: “Every small and medium sized business is probably impacted in some way. As long as you use a computer, or the network, or the internet, you were probably compromised in some way.”
Byron Martin: “Dan, I think that’s everybody.”
What are some things we can do?
Hackers have multiple agendas. Typically: money, stealing your data, and seeing whose data you have access to.
- Vendor due diligence. Know exactly who touches your network.
- Create a list of who you buy from: what software or hardware you use, and anything and everything connected to your network.
- Which professional services have access to your network? Potentially accounting, HVAC, IT providers, medical device vendors, etc.
- Have a third party assess your network. Look at any deficiencies or exposure in your network and how you can make it more secure.
Teknologize has clients throughout the Pacific Northwest with offices located in the Tri-Cities and Yakima, Washington 509.396.6640 and Bend, Oregon 541.848.6072.