The worst could be yet to come.
As the events unfold, the full impact of the layered cyberattack on the Austin-based IT management software firm’s customers will be felt well into the next five years or beyond. Here is what we know so far:
- It is clearly among the biggest ever cyberattacks on the US government
- According to reports, over 400 of the Fortune 500 companies in the US and top 10 telcos have all been impacted
- A ‘trojanized’ software update was used to install the Sunburst malware into a commonly used IT management and monitoring product
- The update was installed by as many as 18,000 customers using the software
- Parts of US Treasury, Department of Commerce, Department of Homeland Security, and the Pentagon have all been targeted and have borne the brunt of the attack
- This is an example of a ‘supply-chain’ attack, in which the intended target is reached through vendors or third parties that have some connection to the core networks and IT infrastructure of the intended victim
- A different threat actor was found to have deployed another malware during the same episode
- Discussions on the litigation fallout have begun and are moving in the direction of a class-action suit
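The supply-chain bullet above describes the mechanism: a tampered update, delivered through a trusted vendor channel, was installed by the customers themselves. One defensive check a customer can apply before installing any update is to compare the downloaded bundle against a vendor-published manifest of file hashes and to reject anything the manifest did not list. The Python below is an added example, not code from this post, from Subex or from SolarWinds; the file names, file contents and manifest are constructed sample data, and it assumes the manifest itself has already been authenticated (for instance by a verified vendor signature) before it is trusted here.

```python
"""Integrity check of a software update bundle against a pinned manifest.

Added example with constructed data; not code from the post or from any vendor.
Assumption: the manifest has already been authenticated out-of-band, so the
only question answered here is "does the bundle match what the vendor published?"
"""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes as a lowercase hex digest."""
    return hashlib.sha256(data).hexdigest()


# Constructed "legitimate" file contents standing in for real binaries.
_CORE_OK = b"monitor-core library, build 1 (constructed sample)"
_WEB_OK = b"monitor-web library, build 1 (constructed sample)"

# Constructed manifest: every file the vendor says the update contains and
# the expected SHA-256 of each. Treated as already authenticated (assumption).
PINNED_MANIFEST = {
    "monitor-core.dll": sha256_hex(_CORE_OK),
    "monitor-web.dll": sha256_hex(_WEB_OK),
}

# Three constructed bundles: clean, one file modified, one file added.
CLEAN_BUNDLE = {"monitor-core.dll": _CORE_OK, "monitor-web.dll": _WEB_OK}
TAMPERED_BUNDLE = {
    "monitor-core.dll": _CORE_OK + b" + injected component",  # modified file
    "monitor-web.dll": _WEB_OK,
}
AUGMENTED_BUNDLE = {
    "monitor-core.dll": _CORE_OK,
    "monitor-web.dll": _WEB_OK,
    "updater-helper.dll": b"file not listed in the manifest",  # extra file
}


def verify_bundle(bundle: dict, manifest: dict) -> list:
    """Return a list of findings; an empty list means the bundle matches the manifest.

    bundle:   filename -> file bytes, as downloaded
    manifest: filename -> expected SHA-256 hex digest, as published by the vendor

    Three conditions are reported: a listed file is missing, a listed file's
    hash differs, or the bundle carries a file the manifest never mentioned.
    The last case matters for supply-chain attacks, where the tampering may be
    an added component rather than a changed one.
    """
    findings = []
    for name, expected in manifest.items():
        data = bundle.get(name)
        if data is None:
            findings.append(f"missing: {name}")
            continue
        # compare_digest avoids leaking how many leading hex chars matched.
        if not hmac.compare_digest(sha256_hex(data), expected):
            findings.append(f"hash mismatch: {name}")
    for name in bundle:
        if name not in manifest:
            findings.append(f"unexpected file: {name}")
    return findings


def safe_to_install(bundle: dict, manifest: dict) -> bool:
    """Policy wrapper: install only when there are no findings at all."""
    return verify_bundle(bundle, manifest) == []


if __name__ == "__main__":
    for label, bundle in (("clean", CLEAN_BUNDLE),
                          ("tampered", TAMPERED_BUNDLE),
                          ("augmented", AUGMENTED_BUNDLE)):
        print(label, "->", verify_bundle(bundle, PINNED_MANIFEST) or "OK")
```

The check is deliberately strict in both directions: a file the manifest lists but the bundle lacks is as much a finding as an extra file, because an update mechanism that silently tolerates either is one an attacker can hide inside. The hash comparison alone does nothing if the manifest can be replaced along with the bundle, which is why authenticating the manifest is stated as a precondition rather than skipped.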
Companies across the US are in a state of high alert. Those affected by this cyberattack will have to spend time, effort and money on cleaning up, as well as on shoring up their defenses to avoid any secondary attacks or release of data. These attacks have brought cybersecurity to the forefront of strategic attention for businesses everywhere.
In a tough year in which multiple vendors, Subex included, had issued a range of cyberattack advisories from as early as March, this was not an unanticipated attack. What is shocking is the scale and the modus operandi of the alleged state-backed hackers believed to be behind the episode. While cybersecurity governance questions are being asked, one thing is clear: a lot more needs to be done to prevent and deter such attacks in the future:
- The threat actor involved in the SolarWinds attack demonstrated patience, sophistication and well-honed tactics, so removing them from the compromised environments will be a tough task. Had the effort now required for cleanup been invested in diligently securing enterprises in the first place, such after-the-fact remediation would not be needed.
- Securing your organizational assets cannot be treated as a single-front effort. Instead, the challenge has to be addressed at multiple levels. Vectors of vulnerability, known and unknown, are everywhere, and they need to be addressed at the government, institutional and employee levels. Within organizations, multiple strategies and tactics need to be adopted.
- Two-way authentication will go a long way in securing assets and blocking malicious users.
- Implement a zero-trust approach, especially for services that reside on or are accessed from the cloud, and for those where updates are pushed across a multitude of devices without human intervention.
- Code Orange should be the normal threat perception level. Given the prevalence of threat actors, including state-backed APT groups, independent actors and disgruntled stakeholders, it is always important to remain at the highest level of alert.
The SolarWinds attack has set the agenda for 2021. As nations and businesses start transitioning out of the Covid-19-induced economic and business slowdown, inadequate attention to cybersecurity could not just slow down these recovery efforts but could also harm reputations beyond repair, prolonging the impact.
Nat will be glad to help in case you wish to learn more. You can drop her a line: natalie.smith@subex.com.