The stakes of cyberwarfare continue to rise, but it might take a few years to beat 2020’s hack of the year.
Until recently the largest hacks in history have each focused on a single target organization. Adobe, Canva, eBay, Equifax, Heartland Payment Systems, LinkedIn, Marriott International, My Fitness Pal, NetEase, Zynga… there are some Fortune 100 companies on this notorious list, but none of them, in fact not even the whole list combined, comes close in size and stature to the biggest hack of 2020.
The Largest Hack in History
On Saturday, December 12, 2020, an emergency meeting of the National Security Council was held to discuss a breach of multiple government agencies, as well as private US businesses. In this case the target of the hack was none of these agencies or businesses in particular, but SolarWinds, an IT software provider with a market capitalization of $5 – 10 B whose clients are concentrated in North America, with international reach.
The attackers had inserted malicious code into the SolarWinds Orion® Platform during the build process in late 2019. Then, between March and June, that same compromised code was delivered through a software update to approximately 18,000 Orion clients, including:
- The US National Nuclear Security Administration
- US Treasury Department
- California Department of State Hospitals
- US Department of Commerce
- Cox Communications
- US Department of Defense
- Belkin International
Of the 18,000 organizations that downloaded the malware, most saw no further action; however, the hacker org communicated with 1,000 of the breached targets, including those listed above, delivering commands and receiving information via a “command and control” server.
Soon after SolarWinds became aware of the malware, authorities were able to identify the originating server and shut it down. The malware had been in place for months, providing ample opportunity for the attackers to access information and affect systems. The timeline gives rise to serious questions about the information that had been exfiltrated from Orion customers, as well as the intent of the attacker.
As can be seen in the small sample provided above, there were two primary targets: government and IT / technology companies, though the full list had a wide distribution of international companies across the telecom, energy, Oil & Gas sectors, and more. The shorter list of entities selected for espionage suggests a few hypotheses about the attacker org.
- The long timeline, large scale, high-profile government targets and lack of ransom or financial intent suggest a state-controlled entity, or at the very least a very well funded enterprise with
- After further inspection, the cybersecurity company Kaspersky identified similarities between the malware used in the attack and earlier malware used by Turla, a group that Estonian authorities claim operates out of the Federal Security Service of the Russian Federation (FSB RF)
- A number of top US officials voiced suspicions that Russia’s APT29 (AKA Cozy Bear) was behind the hack. Though Russian President Putin denied the allegation, numerous US agencies formally accused Russia, including the FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA)
What We Learned from the SolarWinds Hack
In recent years we have seen attackers increasingly use IT providers as a stepping stone into their customers’ systems. Therefore, every IT provider needs to be extremely cautious when approaching its own cyber security program.
Because this attack compromised SolarWinds’ build system, Platte River Networks has investigated our own build system to ensure that we are clear of threat. So far we have found no evidence of infection. We will continue to monitor our build system in the future to ensure we maintain our 100% track record of keeping our clients safe and secure.