SolarWinds Hack: Retrospective 2
Part 2: What caused the breach and what does the malware do?
What caused the breach?
Attackers inserted malicious software into a SolarWinds software update.
What is SolarWinds?
SolarWinds is a system used by large corporations to monitor any application and any server, anywhere.
If SolarWinds monitors anything, anywhere, why didn’t it spot the malware?
Once the malware embedded itself in the system, I’m guessing it excluded logs related to its own activities from the monitoring system itself. Given the sophisticated nature of this attack, it seems like the obvious thing to do. Once it obtained access to other resources on the network it may have also deleted or altered other system logs.
How could the attackers insert malicious code into the software?
Companies build and package software in many different ways, but typically the code starts in an environment where developers write the code. Then it passes to the Quality Assurance (QA) team that tests the code. Once the QA team approves the code, it moves to production and is publicly available. There are many ways in which code could be inserted into a less-than-secure deployment system.
In September 2020, a hacker offered a Russian-speaking Tesla employee one million dollars to install malware to execute a ransomware attack against the company. How much do you think someone would pay to insert malicious code into the SolarWinds product? Even if the insider does not receive payment directly, they could sell data or system access or information about the vulnerability so that others could use it later.
At some point in this process, someone may have altered the code. Some companies are not very careful with their development process and allow alteration of code in QA…