Slate | To understand the difference between the SolarWinds compromise and the other high-profile cybersecurity incidents you’ve read about in recent years—Equifax or Sony Pictures or Office of Personnel Management, for instance—it’s important to understand both how the SolarWinds malware was delivered and also how it was then used as a platform for other attacks. Equifax, Sony Pictures, and OPM are all examples of computer systems that were specifically targeted by intruders, even though they used some generic, more widely used pieces of malware. For instance, to breach OPM, the intruders stole contractor credentials and registered the domain opmsecurity.org so that their connections to OPM servers would look less suspicious coming from that address.
This meant that there were some very clear indicators that could be used to trace the scope of the incident after the fact: what had the person using those particular stolen credentials installed or looked at? Which systems had connected to the fraudulent domain, and what data had been accessed over those connections? It also meant that the investigators could be relatively confident the incident was confined to a particular department or target system and that wiping and restoring those systems would be sufficient to remove the intruders' presence. That's not to say that cleaning up the OPM breach (or Sony Pictures or Equifax, for that matter) was easy or straightforward, just that it was a fairly well-bounded problem by comparison to what we're facing with SolarWinds.
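The kind of scoping the OPM investigators could do, using a fraudulent domain as the starting indicator and then pivoting to every internal host that touched it, can be run over resolver logs. The following is an added example written for this page, not code from the Slate article or from any investigation of the OPM breach. The log lines, the `key=value` log format, the brand string `opm`, and the list of legitimately owned domains are all constructed assumptions for the example; `opmsecurity.org` is the domain the article names, the other hostnames are made up.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log (not real records). The key=value layout
# is an assumed format; adapt LINE_RE to whatever your resolver emits.
SAMPLE_DNS_LOG = """\
2015-04-01T10:02:11Z src=10.1.4.22 qname=mail.opm.gov qtype=A
2015-04-01T10:02:15Z src=10.1.4.22 qname=opmsecurity.org qtype=A
2015-04-01T10:03:01Z src=10.1.7.9 qname=update.microsoft.com qtype=A
2015-04-01T10:05:44Z src=10.1.4.22 qname=opm-portal.net qtype=A
2015-04-01T10:06:02Z src=10.1.9.3 qname=www.opm.gov qtype=AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)$"
)

# Domains the organisation actually owns (assumed list for the example).
LEGIT_DOMAINS = ("opm.gov",)


def registrable_domain(qname):
    """Return the last two labels of a hostname, e.g. 'opmsecurity.org'.
    Simplification: no public-suffix list is consulted, so names under
    'co.uk'-style suffixes are not handled; fine for the constructed sample."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_lookalike(qname, brand, legit_domains=LEGIT_DOMAINS):
    """True when the registrable domain embeds the brand string but is not
    one of the domains the organisation owns."""
    reg = registrable_domain(qname)
    if reg in legit_domains:
        return False
    second_level = reg.split(".")[0]
    return brand.lower() in second_level


def parse_dns_log(text):
    """Parse the assumed key=value format into dicts, skipping non-matching lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def find_lookalikes(records, brand, legit_domains=LEGIT_DOMAINS):
    """Distinct lookalike registrable domains that were queried, sorted."""
    return sorted({registrable_domain(r["qname"]) for r in records
                   if is_lookalike(r["qname"], brand, legit_domains)})


def pivot_sources(records, flagged_domains):
    """For every internal host that resolved a flagged domain, list every name
    it queried. This is the pivot an investigator runs once an indicator
    (a fraudulent domain, a stolen credential) is known: it bounds the set of
    hosts to examine and tells you what else those hosts touched."""
    flagged = set(flagged_domains)
    suspects = {r["src"] for r in records
                if registrable_domain(r["qname"]) in flagged}
    by_src = defaultdict(set)
    for r in records:
        if r["src"] in suspects:
            by_src[r["src"]].add(r["qname"].lower())
    return {src: sorted(names) for src, names in by_src.items()}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    hits = find_lookalikes(recs, "opm")
    print("lookalike domains:", hits)
    for src, names in pivot_sources(recs, hits).items():
        print(src, "->", names)
```

The substring test is deliberately crude: a short brand like `opm` also matches unrelated names such as `shopmart.com`, so in production you would pair it with an allowlist of known third parties and an edit-distance or permutation check before alerting. The point of the pivot step is the one the paragraph makes: with a concrete indicator in hand, the set of hosts to examine is finite and enumerable, which is exactly what is missing when the malicious code arrives inside a trusted product update.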
The compromised SolarWinds update that delivered the malware was distributed to as many as 18,000 customers. The SolarWinds Orion products are designed to monitor and manage an organization's networks and servers and report on problems across them, so they run with broad, privileged access to everything they watch, which is what made them such a perfect conduit for this compromise. So there are no comparable limiting boundaries on its scope or impacts, as has been made clear by the gradual revelation of more and more high-value targets. Even more worrisome is the fact that the attackers apparently made use of their initial access to targeted organizations, such as FireEye and Microsoft, to steal tools and code that would then enable them to compromise even more targets. After Microsoft realized it was breached via the SolarWinds compromise, it discovered that its own products were then used "to further the attacks on others," according to Reuters.
This means that the set of potential victims is not just (just!) the 18,000 SolarWinds customers who may have downloaded the compromised updates, but also all of those 18,000 organizations’ customers, and potentially the clients of those second-order organizations as well—and so on. So when I say the SolarWinds cyberespionage campaign will last years, I don’t just mean, as I usually do, that figuring out liability and settling costs and carrying out investigations will take years (though that is certainly true here). The actual, active theft of information from protected networks due to this breach will last years.