
NYDFS Addresses SolarWinds Attack

In December 2020, a highly sophisticated supply chain attack came to light: attackers had trojanized legitimate, signed updates for SolarWinds Orion software. The compromise reached U.S. federal agencies and organizations across the globe, leaving some scrambling to remediate while others rushed to implement mitigations against similar supply chain compromise.

In April 2021, the New York State Department of Financial Services (NYDFS) issued its report, SolarWinds Cyber Espionage Attack and Institutions’ Response, which examined how nearly 100 NYDFS-regulated organizations that had installed affected versions of Orion responded to and remediated the compromise. We’ve analyzed this report and detail the key takeaways that organizations should understand to bolster their supply chain risk management initiatives and mitigate vendor risk.

SolarWinds Attack Explained

SolarWinds is an IT management software company with over 300,000 customers around the world, including more than 425 of the U.S. Fortune 500 companies, all five branches of the U.S. military, and the Office of the President of the United States. Orion is a SolarWinds platform that monitors and manages the performance of an organization’s networks, systems, and applications from a single console. To do that job it typically runs with broad, privileged access to the environment it monitors.

The attack has been attributed to Russian intelligence actors known as Cozy Bear or APT29, who prioritized stealth and the theft of sensitive information. The intrusion into SolarWinds began in September 2019; the attackers then compromised the Orion build process and inserted a backdoor known as Sunburst into Orion updates, which were digitally signed by SolarWinds and therefore trusted by customers.

Between March and June of 2020, SolarWinds unknowingly distributed the trojanized updates to customers across the globe. The attackers then removed the malicious code from SolarWinds’ build environment, but Sunburst remained undetected on customers’ systems. In December 2020, the cybersecurity company FireEye alerted SolarWinds that Orion updates contained the Sunburst backdoor, and SolarWinds released hotfixes that removed it. On December 24, a second, unrelated piece of malware named Supernova was confirmed in some Orion deployments; Supernova is a web shell that was placed on Orion servers by exploiting an authentication bypass in the Orion API rather than through the update channel. SolarWinds then released a further patch addressing both forms of malware.

NYDFS & Organization Response to Supply Chain Compromise

The attack prompted the NYDFS to publish a Supply Chain Compromise Alert. This instructed all NYDFS-regulated organizations to notify NYDFS if they had installed an affected version of Orion. These organizations were advised to verify the integrity of their systems and review audit logs for indicators of compromise.

Each organization responded to the SolarWinds attack differently, using methods such as:

  • Applying the vendor’s patches to the affected systems
  • Blocking the affected systems’ internet access, which denies the backdoor its command-and-control channel
  • Decommissioning Orion and opting for other monitoring products
  • Disconnecting the affected systems from their networks
  • Applying other mitigations to the affected systems while patches were tested and deployed

Other Notable Takeaways

  • Financial services organizations were not the main target of the espionage campaign
  • About 94% of those affected disconnected the vulnerable components or patched them within three days
  • Several NYDFS-regulated organizations had immature patch management programs, leaving them exposed to this and future attacks

How to Mitigate Supply Chain Risk

Thorough third-party assessment is essential to supply chain risk management. The NYDFS found that some organizations using Orion didn’t classify SolarWinds as a critical vendor, even though Orion had privileged access to their networks. The attack also revealed a lack of transparency between organizations and their vendors about the vendors’ own cybersecurity controls.

The NYDFS highlighted actionable strategies organizations should take to reduce their risk of supply chain attacks.

Maintain Heavy Scrutiny of Vendors

Organizations should adopt a zero-trust posture toward their vendors: assume that any third-party service provider or software installation could be compromised and used as a path into their systems, and design controls accordingly.

Access Limitation

Limit vendor software and service accounts to the access they actually require, and monitor the systems they touch for anomalous or malicious activity.

A Layered Approach

Organizations should implement multiple layers of security to protect confidential data. Implementing these layers will help detect and prevent successful intrusion if one layer becomes compromised.

Vulnerability Management

Vulnerability management programs should prioritize patch testing, deployment, and validation. They should define which systems must be patched and in what order, so the highest-risk systems are fixed first. Organizations that use Orion must confirm they are running the vendor’s fixed releases that removed Sunburst and Supernova, which requires an accurate inventory of every Orion installation and its exact version.
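The notification step described under the NYDFS alert (identify any affected Orion version) and the patch-validation step above both come down to the same task: reconciling an inventory of Orion installs against the affected and fixed builds. The script below is an added example written for this article, not code from NYDFS or SolarWinds. The affected and fixed build numbers are reproduced from SolarWinds’ public advisory as an assumption and should be confirmed against the vendor’s current guidance; the hostnames and versions in the inventory are constructed sample data.

```python
"""Triage an Orion install inventory for the Sunburst incident.

Added example for this article; not code from NYDFS or SolarWinds.
The AFFECTED and FIXED build numbers below are an assumption taken from
SolarWinds' public advisory; verify them against current vendor guidance.
The inventory at the bottom is constructed sample data.
"""
import re
from typing import NamedTuple, Optional

Build = tuple  # (year, minor, point, hotfix): "2020.2.1 HF 2" -> (2020, 2, 1, 2)

# Orion Platform builds that shipped the Sunburst backdoor (assumption, see docstring).
AFFECTED: set = {(2019, 4, 0, 5), (2020, 2, 0, 0), (2020, 2, 0, 1)}
# First build on each release branch that removes it (assumption, see docstring).
FIXED: dict = {2019: (2019, 4, 0, 6), 2020: (2020, 2, 1, 2)}

_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_build(text: str) -> Optional[Build]:
    """Turn a vendor-style version string into a comparable tuple.

    Returns None when the string does not look like an Orion version, so a
    blank or mangled inventory field cannot silently pass as 'clean'.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    year, minor, point, hf = m.groups()
    return (int(year), int(minor), int(point or 0), int(hf or 0))


def classify(build: Optional[Build]) -> tuple:
    """Map a parsed build to (status, action) mirroring the responses the report describes."""
    if build is None:
        # Unknown version is a blind spot, not a pass.
        return "unknown", "verify installed version manually; treat as affected until confirmed"
    if build in AFFECTED:
        return "affected", "isolate from network, preserve logs, hunt for IOCs, then patch or decommission"
    year = build[0]
    if year > max(FIXED):
        return "fixed", "none required for Sunburst; keep current"
    if year < min(FIXED) or build < min(AFFECTED):
        return "pre_sunburst", "not a trojanized build, but out of date; schedule upgrade"
    if build >= FIXED[year]:
        return "fixed", "none required for Sunburst; keep current"
    # Not on the published affected list, yet older than the fixed build for its branch.
    return "below_fixed", "not on the affected list but below the fixed build; upgrade and confirm"


class Finding(NamedTuple):
    host: str
    version: str
    status: str
    action: str


def triage(inventory: list) -> list:
    """Classify every host and order the list so isolate-now work is at the top."""
    findings = []
    for row in inventory:
        version = row.get("orion_version", "")
        status, action = classify(parse_build(version))
        findings.append(Finding(row["host"], version, status, action))
    order = {"affected": 0, "unknown": 1, "below_fixed": 2, "pre_sunburst": 3, "fixed": 4}
    return sorted(findings, key=lambda f: order[f.status])  # stable: keeps inventory order within a status


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    {"host": "npm-prod-01", "orion_version": "2020.2 HF 1"},
    {"host": "npm-prod-02", "orion_version": "2020.2.1 HF 2"},
    {"host": "npm-dr-01", "orion_version": "2019.4 HF 5"},
    {"host": "npm-lab-01", "orion_version": "2018.4 HF 3"},
    {"host": "npm-legacy-01", "orion_version": "2020.2.1"},
    {"host": "npm-unknown-01", "orion_version": ""},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.host:16} {(f.version or '(none)'):16} {f.status:13} {f.action}")
```

Two design choices matter here. Versions are compared as tuples rather than strings so that a hotfix number sorts correctly (2019.4 HF 6 is newer than 2019.4 HF 5, and 2020.2.1 HF 2 is newer than 2020.2 HF 1), and anything the parser cannot read is reported as unknown and sorted near the top, because a missing version in the inventory is exactly the gap the NYDFS report faulted immature patch programs for.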

Incident Response

Supply chain compromise must be covered in any incident response plan, and procedures should be updated with the lessons learned from each disruptive event. For this attack, the report highlights isolating affected systems, preserving audit and system logs for investigation, and rebuilding affected systems from known-good backups taken before the compromise.

Conclusion

Technology is evolving rapidly, and cyberattacks are becoming more sophisticated and harder to detect. Supply chain attacks are especially dangerous because compromising a single trusted vendor gives attackers a path into the networks of many organizations at once. The SolarWinds attack is a stark example of how unrecognized gaps in vendor oversight can be exploited by a patient adversary. Organizations must scrutinize their cybersecurity protocols and implement sound practices to mitigate their risk of a supply chain attack.