In December 2020, it was discovered that national IT software and infrastructure company SolarWinds had suffered an unprecedented data breach. Using a Trojan horse, hackers were able to breach more than 18,000 companies and government agencies, including the Departments of State, Homeland Security, Energy, Treasury, Commerce, the Pentagon and the National Institutes of Health. And while the breach was discovered in December, the hack had actually begun in March, silently stealing invaluable data from those who were breached. So how exactly did this happen, and how should you go about protecting your business?
Who Is SolarWinds?
SolarWinds is an IT management software and remote monitoring platform used by IT departments and Managed IT Service Providers. According to SolarWinds, they have more than 300,000 customers, including the United States Government and the vast majority of Fortune 500 companies. To date, more than 18,000 of SolarWinds' clients have fallen victim to this massive breach. It is important to note that Fraser Advanced Information Systems does not use any of the SolarWinds products or services.
How did this attack happen?
In the spring of 2020, SolarWinds' enterprise platform, Orion, was compromised by cybercriminals. Orion is an infrastructure monitoring and management solution that, per SolarWinds, is "designed to simplify IT administration for on-premises, hybrid and software as a service (SaaS) environments in one view." Orion is used to monitor the health and performance of a company's network through data collection and examination.
Hackers accessed Orion through a device that was using a default password on SolarWinds' servers. Once in Orion, hackers released one line of malicious code in a spring 2020 Orion update and opened the door to access the SolarWinds system. From there, the attackers could essentially roam the platform undetected, gaining more and more access to vulnerable data. After the breach was identified in December 2020, investigators and the U.S. government stated that they believe that bad actors with the Russian government were the culprits behind what the Senate Intelligence Committee called "the gravest cyberintrusion in our history."
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued alerts in mid-December ordering federal civilian executive branch departments and agencies to disconnect devices affected by the breach. CISA determined that this breach poses a "grave risk to the Federal Government and state, local, tribal and territorial governments as well as critical infrastructure entities and other private sector organizations." Mitigation instructions were provided by CISA for affected businesses and government agencies, but new victims are still being identified and changes to these directives will continue as more is learned.
How can your business protect itself from these types of breaches?
Because of the ever-changing landscape of cybersecurity, a business can never fully guarantee that a breach will not occur. It is imperative that companies implement processes to prevent an attack and also have a strong policy in place for containing the damage of such a breach. To reduce your risk of becoming a victim of a cyberattack, we recommend the following best practices:
- Make sure you are not using default passwords on any devices on your network
- Update your devices and software to avoid any missing security patches or bug fixes
- Keep anti-malware and antivirus software updated at all times
- Implement a strong employee password policy and mandate that staff follow it
- Ensure your internet connection is secure
- Implement end-user security training for all employees that teaches best practices regarding email and email attachments
- Invest in a reputable Managed IT Services Provider
Fraser would like to reiterate that we do not use any SolarWinds products, so our Managed IT clients are not affected by this breach. At Fraser, we believe that a layered approach to security is key. This ensures that all of your security "eggs" aren't in one basket. Fraser is also actively using threat detection software to search for threats on our own networks as well as those of our IT clients. Fraser also has vendor-independent processes for verifying the security of devices, as well as a robust device hardening program that is implemented for all of our customers. If you believe your business has been a victim or your IT provider has been compromised, please feel free to email us or simply click the orange button below to get assistance.