On December 14, US-based software solutions firm SolarWinds said in a US Securities and Exchange Commission filing that its customers, about 18,000 of them, who installed updates for its Orion product could be impacted due to a cyberattack on its network.
Orion offers products for managing and monitoring IT operations, security and network infrastructure. SolarWinds' clients include US federal government agencies and Fortune 500 companies.
“SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in any of the reported attacks,” it said in the filing.
The company is conducting the investigation in partnership with tech major Microsoft. It is also investigating “whether any customer, personnel or other data was exfiltrated as a result of this compromise but has uncovered no evidence at this time of any such exfiltration,” SolarWinds further said in the SEC filing.
The company serves close to 300,000 customers, and about 33,000 of them were active maintenance customers during the period.
At this point it is not clear exactly who the impacted Fortune 500 customers and their third-party vendors are, which could include Indian IT services firms.
So far SolarWinds has found no evidence of its customer data being stolen. The investigation is still ongoing.
Salil Parekh, CEO, Infosys, said during the recent Infosys Media Day event on December 15, “As you saw with that activity (SolarWinds compromise), this is something where a lot of discussion is going on. At this stage we are carefully evaluating it.”
Bengaluru-based tech major Wipro in a statement said, "Wipro does not use SolarWinds Orion product for its internal IT operations and there is no impact on the company. We continue to remain vigilant and are in touch with FireEye for additional information."
FireEye is a cybersecurity firm that was itself subjected to a cyberattack recently. Similar to the SolarWinds attack, hackers were able to gain access to some of the tools that FireEye uses to assess customers' security, the company said in a blog dated December 8, 2020.
Emails sent to HCL Tech and Tech Mahindra on the impact the SolarWinds compromise will have on the firms went unanswered. The story will be updated with their comments.
According to Peter Bendor-Samuel, CEO, Everest Group, it is unlikely that the IT firms would be blamed since the vulnerability was with the software platform. "I think this will work to the benefit of the services industry, showing once again that you can’t take care of these issues just with software and you must continue to invest," he added.
Indian IT services firms have been focusing on cybersecurity, which is one of their fastest-growing areas, especially on the back of COVID-19. According to a report in the Economic Times, Wipro expects $1 billion in revenue from cybersecurity. HCL Tech, Infosys and TCS, too, have a strong focus on it as companies invest in securing their networks from possible attacks.
This incident, too, Bendor-Samuel pointed out, will underline the need for continued investment in the area, and this will work in favour of the services firms.
A look into the incident, which experts have termed one of the most dangerous in recent times.
"Insidious and dangerous"
According to Kumar Ritesh, CEO, Cyfirma, a cybersecurity intelligence platform, it was "one of the most insidious and dangerous hacks in recent times."
Dangerous, because its sole purpose is to gain information, unlike the ransomware attacks seen recently, which are carried out for monetary benefit. Insidious, because the attack was hard for SolarWinds' internal security controls to detect.
The hackers were able to use legitimate credentials to inject malicious code into the update server of the Orion product between March and June 2020, so any company that updated its Orion product in that period would be infected with the malware, which gives the hackers control over its data.
This could only happen if the hackers had access to the signed certificates of the personnel concerned, which are kept confidential and hence hard to obtain.
But was it really that hard? It might not have been, an information security professional explained.
Vulnerability could be traced back to 2018
Though the investigation in the case is currently unfolding and the scale of impact is not known yet, the starting point for the attack could be traced as far back as 2018.
Vinoth Kumar, a security specialist and part-time bug bounty hunter, has pointed out that though the attack is sophisticated, it might not have been tough if the hackers had access to the password for the SolarWinds network, which had been available in a GitHub repository since June 2018. GitHub offers hosting services for software development.
Kumar stumbled upon it in 2019. Kumar, who has reported several vulnerabilities in platforms including Facebook and has won $22,500 for the same, had reported a vulnerability in the SolarWinds systems on November 19, 2019.
A SolarWinds employee had mistakenly uploaded his credentials to GitHub, including a username and a password, which was as simple as "Solar123".
Using these credentials, Kumar was able to upload a document to the SolarWinds network. In the email he had shared with SolarWinds, he had said, “Via this, any hacker would be able to upload malicious exe and update it with release of SolarWinds product.”
Though the company probably addressed this concern, the fact that the system was vulnerable for almost two years gave hackers enough time to enter the network and access private information, including signed certificates, to carry out the attack, he added.
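The credential leak described above is the kind of defect a repository secret scanner, run as a pre-commit hook or in CI, is meant to catch before the commit ever reaches a public host. The following is an added example, not code from the article or from SolarWinds, showing a minimal scanner: it runs three detection rules (a password assignment, a credential embedded in a URL, and an AWS access key ID) over a constructed, made-up deployment script and reports each hit with the secret redacted. The file contents, account names and key values are all invented for this illustration.

```python
import re
from typing import List, Tuple

# Constructed sample file content for this example. The names and values are
# made up and are not taken from any real repository.
SAMPLE_FILE = """\
# deploy.ps1 (constructed example)
$ftpServer = "ftp://updates.example.invalid"
$username = "svc-build"
$password = "Example123"
Set-Content -Path .\\config.ini -Value "api_key=AKIAEXAMPLEKEY000000"
$url = "ftp://svc-build:Example123@updates.example.invalid/releases/"
Write-Host "Uploading build"
"""

# Each rule captures the secret itself in a group named "secret" so a finding
# can be reported with the value redacted rather than echoed into CI logs.
PATTERNS = [
    ("assignment-password",
     re.compile(r'(?i)\b(?:password|passwd|pwd)\s*[:=]\s*["\']?(?P<secret>[^"\'\s]{4,})')),
    ("url-embedded-credential",
     re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<secret>[^/\s@]+)@')),
    ("aws-access-key-id",
     re.compile(r'\b(?P<secret>AKIA[0-9A-Z]{16})\b')),
]


def redact(line: str, pattern: re.Pattern) -> str:
    """Replace the captured secret in the line with a placeholder."""
    return pattern.sub(
        lambda m: m.group(0).replace(m.group("secret"), "[REDACTED]"), line
    )


def scan_text(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, redacted line) for every rule that matches."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, redact(line, pattern)))
    return findings


def has_secrets(text: str) -> bool:
    """True if any rule fires; a pre-commit hook would block the commit on this."""
    return bool(scan_text(text))


if __name__ == "__main__":
    for lineno, name, snippet in scan_text(SAMPLE_FILE):
        print(f"line {lineno}: {name}: {snippet.strip()}")
    # Non-zero exit status makes the hook reject the commit.
    raise SystemExit(1 if has_secrets(SAMPLE_FILE) else 0)
```

Run against a staged file, the script exits non-zero when any rule fires, which is what a pre-commit hook needs to refuse the commit. The rules are deliberately simple; a production scanner also checks entropy and known key formats, but even this much would have flagged a plaintext password in a build script.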
According to Ritesh, businesses and governments should invest in third-party risk monitoring and application verification tools that can act as additional controls.
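One concrete form of the "application verification" control Ritesh refers to is an allowlist of approved update hashes that the receiving organisation maintains and authenticates itself, independently of the vendor's update server. The example below is added here and is not SolarWinds or Cyfirma code; it assumes a hypothetical HMAC key held by the organisation's release-approval step (a constructed value in the code) and uses constructed byte strings in place of real update files. It shows that an artifact replaced or altered on the update channel fails the check, as does a manifest that has been rewritten to bless the altered artifact.

```python
import hashlib
import hmac
import json
from typing import Dict

# Hypothetical key held by the organisation's own release-approval process
# (constructed for this example; a real deployment keeps it in a secrets
# manager or HSM, never in source control).
APPROVAL_KEY = b"constructed-demo-key-do-not-use"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    # Stable serialisation so the MAC covers exactly the approved name->hash map.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: Dict[str, bytes], key: bytes = APPROVAL_KEY) -> dict:
    """Produce the organisation's allowlist: approved hashes plus an HMAC over them."""
    entries = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    mac = hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "mac": mac}


def manifest_is_authentic(manifest: dict, key: bytes = APPROVAL_KEY) -> bool:
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def verify_artifact(name: str, data: bytes, manifest: dict, key: bytes = APPROVAL_KEY) -> str:
    """Return 'ok', 'manifest-tampered', 'unknown-artifact' or 'hash-mismatch'.

    Anything other than 'ok' means the update must not be installed.
    """
    if not manifest_is_authentic(manifest, key):
        return "manifest-tampered"
    approved = manifest["entries"].get(name)
    if approved is None:
        return "unknown-artifact"
    if not hmac.compare_digest(approved, sha256_hex(data)):
        return "hash-mismatch"
    return "ok"


# Constructed stand-ins for a legitimate update and a tampered copy of it.
GOOD_UPDATE = b"demo-update-v1: constructed legitimate bytes"
TROJANED_UPDATE = GOOD_UPDATE + b"\n# injected marker (constructed)"
MANIFEST = build_manifest({"update-v1.msp": GOOD_UPDATE})


if __name__ == "__main__":
    print("genuine   :", verify_artifact("update-v1.msp", GOOD_UPDATE, MANIFEST))
    print("tampered  :", verify_artifact("update-v1.msp", TROJANED_UPDATE, MANIFEST))
    print("unlisted  :", verify_artifact("update-v2.msp", GOOD_UPDATE, MANIFEST))
    # An attacker who can alter the manifest entries but lacks the approval key
    # cannot produce a valid MAC for the altered allowlist.
    forged = {"entries": {"update-v1.msp": sha256_hex(TROJANED_UPDATE)},
              "mac": MANIFEST["mac"]}
    print("forged    :", verify_artifact("update-v1.msp", TROJANED_UPDATE, forged))
```

The point of keeping the allowlist under a key the vendor never holds is that it is a second, independent control: it does not replace the vendor's code signature, but it means a build pushed to the update channel is only deployed after someone on the receiving side has approved that exact hash.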
In the end, what this points out is that despite all the investment in securing IT systems, cyberthreats continue to plague the landscape, and much more needs to be done to make IT infrastructure more secure.