SolarWinds Blowing in a Disastrous Storm?

@johnnychronix
ZeroGuard
5 min read · Dec 23, 2020

On 8 December 2020, cyber security businesses and government institutions alike were rocked by the news that FireEye, a $3.5 billion company with high profile clients such as Equifax and Sony (to name a scant few), was hacked in the biggest known theft of cyber security tools since the Shadow Brokers attack on the National Security Agency.

At the time little was known about the breach, but it has since escalated into a shitstorm of finger pointing and the CYA blame game, with SolarWinds taking the brunt of it. Links at the bottom of this article will provide many more details of how the incident has escalated, as well as insiders’ comments and reactions.

Customers Affected

To give an idea of the magnitude of this breach, here are some of the companies and organizations potentially or confirmed to be affected by the breach (and the list keeps growing) as of December 16, 2020:

  • 425+ of the US Fortune 500 companies
  • The top US telecommunications companies and accounting firms
  • All 5 branches of the US military
  • The DOJ, postal service and the Office of POTUS

Much like making the mistake of buying a console game immediately upon launch (are you listening, Cyberpunk?), often the best path to take on discussing a hot topic like this breach is to hold back until the dust settles, the noise is filtered and the information pouring in becomes more concrete. Taking a stand based on the initial hearsay can come back and bite one in the ass, despite the temptation and the chance to peddle one’s own wares.

In the weeks since the incident was first publicly disclosed, the situation has escalated exponentially, making it difficult for both insiders and outsiders of the cyber security industry to grasp what exactly is happening. The situation is further convoluted by the sheer number of people on both sides of the fence weighing in with hasty judgements. So it is very important to take a measured look at what has happened so far; to separate the facts from the hearsay, the wheat from the chaff if you will.

What we do know

SolarWinds were warned earlier this year of a possible attack against one of its servers that could be used to distribute malware. Reports state that this attack, which used well-known and easily detected malware such as Cobalt Strike, wasn’t particularly advanced at the time, but was possible because of vulnerabilities exposed by poor security protocols.

Sure enough, after the 8 December attack it came to light that many customers had not followed best practices of isolation in their SolarWinds deployment and monitoring. Had they followed the proper procedures, it is possible this hack may have been contained better than it was. However, it isn’t as simple as that. The attackers used sophisticated and novel attack vectors, like adding malware to a patch file which was then distributed as a “legit” patch signed by SolarWinds, making everything look status quo to the average user.

That still doesn’t excuse the vendor for pushing out tainted updates, but given people’s general lack of knowledge of how cyber security works, it’s understandable why this hack ran rampant for as long and as effectively as it did.

The response and feedback of former SolarWinds employees, including those high up in the management chain, mention that SW (and many other security companies) are guilty of security theatre, where they talk the talk but don’t walk the walk. It gets even greasier with the discovery that some of the investors sold their shares days before the incident was officially announced, echoing the Equifax debacle where people went to jail for insider trading.

Now combine all of this with the sheer number of high profile customers under SolarWinds’ care, the speed and volume at which this breach continues to escalate, and how it has taken a few weeks for other parties such as CrowdStrike to be woven into this shitstorm blanket, and one starts to get a sense of how this beanstalk can grow so high that Cyber Jack will never make it up to battle the Black Hat Giant. And if that’s not enough, if this is indeed a state-sponsored attack then the cost of trying to protect against it and future similar attacks is absurdly astronomical.

The Russians — Da or Nyet?

There is a lot of talk that this breach was done by the attention-loving gang of hackers known as APT29 (aka CozyBear), despite the lack of any solid, concrete proof other than attribution through coincidence: the TTPs matching those of previous Russian attacks. Very recently, China’s name has been thrown into the hat as well. The fact is, while it’s easy (and convenient) to throw out these accusations, it’s almost impossible at this point to definitively pin responsibility on any nation state or threat actor. We must keep an open mind about what really happened, even to the point where one asks if it was done on purpose to line investors’ pockets.

Who’s to blame?

It can be said with absolute certainty that this is a bigger f*cking mess than a baby’s bib after its first time eating a meal of creamed corn solo. Make no mistake, this is SolarWinds’ fault. But they are not alone. It is highly unlikely that there is a single person, group of people or vendor that can (or should) fully shoulder the blame.

Instead, this is a systemic failing at multiple levels due to not understanding the risks of technology; for not understanding the basic premises of how attackers can move laterally within systems and networks; for not having proper business continuity plans in place (think Google and Microsoft Azure). The list goes on, ad nauseam.

Next Steps

We as an industry really need to take a step back and ask ourselves, “What the hell are we doing?” All this money, all this talk, all this noise, all this so-called innovation about cyber security, and yet here we are, in 2020, seeing the same — if not worse — levels of breach that we saw in the movie Hackers, except that the bad actors have changed from dumpster-diving kids with terrible fashion sense to state threat actors. The word pathetic comes to mind here.

So when are we going to actually start looking at the fundamentals of how to fix this problem? How many more breaches have to happen before the world not only takes this seriously, but actually does something about it? Time to walk the walk and stop the bullshit talk; actions always speak louder than words.

These failings are not just within the organizations that have been attacked or their supply chains. This infestation and rot reaches right down to the roots and soaks into the soil: the basic personnel training tools, the culture being enforced on people within these environments, passwords that aren’t solarwinds123… human issues.

It’s only a matter of time before something truly catastrophic happens, where Joe and Jane Average are seriously damaged financially, emotionally, even physically. What happens when, say, a nuclear power or water treatment plant is popped?

As Shakespeare warned us a long time ago, something’s definitely rotten in Denmark. Evidently, we’ve learned so little since.

* * *

Additional Reading:

https://www.solarwinds.com/securityadvisory

https://isc.sans.edu/diary/rss/26884

https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/

https://www.enterprisetimes.co.uk/2020/12/14/solarwinds-says-upgrade-and-patch-after-orion-platform-breached/

https://www.wsj.com/articles/agencies-hacked-in-foreign-cyber-espionage-campaign-11607897866

https://www.sans.org/webcasts/emergency-webcast-about-solarwinds-supply-chain-attack-118015

Affected Customers:

https://web.archive.org/web/20201214065921/https://www.solarwinds.com/company/customers

Some Additional Comments/Opinions:

https://twitter.com/solarwinds/status/1338325699300651018

https://twitter.com/vinodsparrow/status/1338431183588188160?s=08

https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
