The impact of a sophisticated hack of the IT firm SolarWinds — which hit government agencies including the US Treasury and Commerce departments — is potentially enormous, cybersecurity experts warn.
Thousands of companies are potentially affected and securing their networks could be a long, ongoing process, they say, a task made even more difficult as the coronavirus pandemic continues to wreak havoc on the economy.
"The potential impact is gargantuan. We probably won't know for a couple of months," said Bryson Bort, CEO of the cybersecurity firm Scythe, and a strategic advisor to the US Cybersecurity and Infrastructure Security Agency (CISA). The main reason, he said, is the ripple effect of compromising an IT product that is installed in thousands of enterprises. This style of attack is known as a "supply chain attack," because the intrusion starts at a vendor and rides the vendor's own software into its customers' networks.
"This is a perfect example of supply chain vulnerability," Bort said. "Your vendor's risks are now your risks."
The attack apparently began when hackers broke into SolarWinds' systems and planted malware in the company's IT management software, which SolarWinds then unknowingly distributed to its customers through a series of software updates starting in March. The attack was not detected until this month, nine months later.
SolarWinds' CEO said in a statement Monday that the firm believes "that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation state." CEO Kevin Thompson did not name that nation-state, although many have speculated that it was Russia. SolarWinds said it is working with FireEye, the cybersecurity company that reported the intrusion into its own systems last week, and the FBI to address the hack. It also said it "currently believes" that fewer than 18,000 customers installed the software updates containing malicious code and that it did not know how many of those customers were subsequently targeted by the hackers.
CISA issued an emergency directive ordering federal agencies to disconnect or power down the affected SolarWinds software, and guidance urging other customers to do the same, until a patched update, expected Tuesday, is available.
But removing the compromised software only closes the door; finding out whether anyone came through it, and cleaning up afterwards, has to be done company by company.
"Supply chain attacks are one of the most devastating attacks that we see because these software development companies have direct access to thousands of customers," said David Kennedy, the CEO of the cybersecurity firm TrustedSec and a former analyst for the US National Security Agency.
The attack on SolarWinds was particularly difficult to discover because the malware was hidden inside a legitimate, digitally signed SolarWinds component, so to a customer it looked like the vendor's own code, FireEye said. That let it sit undetected in customer networks for months, and it will make it hard for each company to be confident it has rooted the intruders out, experts say.
"This was an unparalleled attack on the US and its supply chain, unprecedented in how stealthy its intrusions were. This was an A++, truly unprecedented attack," said Kim Peretti, a former Department of Justice senior litigator who prosecuted hackers and now leads cybersecurity cases for the NYC law firm Alston & Bird. "We may not know its true impact for months, or even ever."
"Zero trust" and "assume breach" approaches, in which every user and device is continually re-authenticated and authorized before it can reach a system, and defenders actively search their own networks for intruders on the assumption that some are already inside, may be necessary to combat the attack. But the tools behind them can be expensive, at a time when many enterprises are still reeling from the economic effects of the ongoing COVID-19 pandemic.
"Every organization is reaching out to suppliers, vendors, partners" to alert them to the breach, said Ben Johnson, a former NSA analyst and CTO of the SaaS security firm Obsidian. "But finding all the impacts may be harder. Zero Trust is quite difficult to get working, because productivity is king. Organizations may think they can't afford to slow down right now and implement new security systems."
But organizations can't afford to stick with their old tools with the potential of nation-state hackers in their networks, said Theresa Payton, former White House chief information officer during the Bush administration and CEO of the cybersecurity consultancy Fortalice Solutions.
"This needs to be a wakeup call. Everyone should be completing a threat hunt immediately," she said. "If the best and the brightest can be compromised, so can you."
Payton said if companies don't expand their zero trust tools and actively look for intrusions, they could pay dearly as further impacts of the hack come to light.
"I'm at a nine out of 10 in increments of worry," she said. "I'm afraid the other shoe is going to drop, and it turns out we have a centipede on our hands."