The SolarWinds Hack

Blog post by Mel Hughes

“The [SolarWinds] attacks show that the hackers were able to find a glaring loophole affecting both private and public sectors, and they had access to potentially exploit a huge number of companies and government departments. But they also indicate that, whoever the attackers were, they only chose to steal data from a selection of thousands of victims, even where they had the chance to steal data from some of the world’s biggest businesses.”

SolarWinds has commented that the number of customers who might be affected by the attacks could be as high as 18,000. Other publications are parroting US Secretary of State Mike Pompeo by announcing that the perpetrator was “Russia.” Apart from the fact that “Russia” and “Russians” are nebulous entities, experience over the past ten years has taught cybersecurity professionals that attackers commonly mask their identity, so the attackers could just as plausibly be the Chinese Communist Party, the Iranian government, or any of a number of foreign threat actors – possibly even internal threat actors. What we do know for certain is that, because the compromise went undetected for at least five months, data within these networks – user IDs, passwords, financial records, source code, and much more – can now be presumed to be in the hands of threat actors, foreign or domestic. Concurrently, normal hacker practice would be to plant viruses, logic bombs, worms, and other forms of malware for future release.

Following is a selection of the major US agencies and firms which were reportedly breached:

  • Department of State, which was – purportedly – first hacked by Russian threat actors in 2014.
  • Department of Homeland Security, which – via the Cybersecurity & Infrastructure Security Agency – oversaw the supposedly secure 2020 US Presidential election.
  • National Institutes of Health, hosted by the Department of Health & Human Services where reports had emerged during Summer 2020 that the SVR RF, the Foreign Intelligence Service of the Russian Federation, had targeted COVID-19 vaccine research.
  • The Pentagon, where parts of the Department of Defense HQ were breached.
  • Department of Energy, which includes the National Nuclear Security Administration, suffered a breach which was claimed to be “…isolated to business networks only;” DoE advised that the breach did not impact national security functions of the Department, including management of the nuclear weapons stockpile.
  • Department of the Treasury was among the first confirmed breaches of the federal government, wherein hackers were reportedly spying on internal emails, the extent of which was unknown as of January 4, 2021.
  • Department of Commerce, with similar reports to the Treasury.
  • State and local governments: Bloomberg reports that at least three as yet unnamed State governments were attacked. As a side note, The Intercept reported that the network of the city of Austin, Texas was breached.
  • Microsoft advised that as of January 30, 2020, it was in touch with 40 customers who were breached and their data potentially exposed. Most customers were based in the US, but others were worldwide, from Mexico to the UK.

As reported by Forbes on January 6, 2021, while there’s plenty of anxiety around the sensitivity of the data already stolen from victims’ networks, there’s even greater concern about any compromise of the critical infrastructure industry, of which GE is one of the biggest service providers in the world. In late December 2020, Rob Lee, founder of Dragos Security (which protects industrial control and critical infrastructure networks), made the crucial observation that, “In the world of industrial infrastructure our most sensitive networks… are often connected to many integrators, vendors and others for maintenance and support. Some of those vendors were using SolarWinds with or without the industrial company’s knowledge.” Lee went on to suggest that “…numerous customers…have…claimed to not have SolarWinds [only] to find out over the next few days that they did, and the compromised version was present in their environment.”

Over the past 15 years, Alcea Technologies has developed competitively priced, user-friendly risk assessment, risk mitigation, risk management, standards compliance, and governance software for most industry verticals and lines of business horizontals. Recently, Alcea has developed software variants which address IT security, cybersecurity, and cyber supply chain risk, all of which are critical to the management of situations such as the SolarWinds breaches.

Alcea can help you prepare for cyber security breaches while planning to mitigate against future attacks. Ask for a no-obligation demo of RiskMgr, configured to your unique workflow, to see how it can help you: