In January, we covered a massive supply-chain data breach known as the SolarWinds attack. To get a broad overview of the incident, how the malicious agents carried out the hack, and the known victims, please read our coverage. Over the past four months, there have been new developments in the story that warrant a follow-up. Here, we go over these updates and discuss the potential for lasting fallout.

A brief synopsis

In December 2020, cybersecurity firm FireEye reported a significant flaw in the SolarWinds Orion database management software suite. When the dust settled, experts found that over 18,000 organizations had inadvertently installed a backdoor for an Advanced Persistent Threat (APT) group, likely Russian in origin. These state-sponsored actors infiltrated major corporations and high-level United States governmental agencies alike. Officials believe it to be the most widespread digital espionage campaign ever carried out against the United States. So, what have we found out since then?

More sophisticated than initially thought

From the very beginning, cybersec professionals knew the culprits were sophisticated and that the program’s scope was enormous. As it turns out, however, initial estimates seemed to have underestimated it. According to a recent analysis by RiskIQ, the infrastructure used by the threat actors was at least 56% larger than originally thought[1].

This implies the state hackers had access to significantly more computing power and probably targeted even more organizations than the known 18,000 victims. The same report also concluded that the use of United States-based infrastructure during the initial attack stage prevented the National Security Agency (NSA) from noticing the situation due to stricter laws against domestic surveillance.

Russians officially blamed

United States intelligence agencies have always blamed Russia for the attack, but it turned into more than an accusation when President Joe Biden and the United States formally sanctioned the adversarial country on March 15[2]. Provisions of the sanctions include:

  • Forbidding U.S. banks from buying bonds from or lending money to Russia’s national financial institutions after June 14.
  • Expelling 10 Russian diplomats accused of being intelligence agents from the United States.
  • Sanctioning six technology companies in Russia accused of supporting intelligence agencies.

The sanctions significantly ratchet up tensions between the two nations and mark a major departure from standard espionage protocol. Previously, the United States and other countries assumed cyber espionage campaigns were always underway from their enemies, and their enemies were under similar assumptions. This meant that there was an implicit understanding that everyone is spying on everyone else, and nobody felt real consequences for it. The sanctions set a new precedent that could result in escalation rather than diplomacy. Although, Russia pulled back troops from the Ukrainian border after the sanctions[3], so perhaps the message landed as intended. Only time will tell what ramifications this act has, but hopefully, it doesn’t increase the divide between the two largest nuclear powers.

Concurrent Chinese involvement

Although analysts blame Russia for the initial breach, it appears like Chinese state hackers also took advantage of the situation[4]. According to a report by Secureworks, some malicious agents used tactics similar to those employed by the Chinese APT, SPIRAL[5]. Furthermore, during the intrusion, the group accidentally revealed its IP, which originated from China. So, while sanctions only targeted Russia, there is evidence that China played a role too.

Of course, as we talked about in the original SolarWinds blog, it’s exceedingly difficult to analyze blame with a hundred percent certainty. State-sponsored digital espionage groups are adept at covering their tracks and obfuscating origins. And, while the United States government seems positive the Russians were the main culprits, hard evidence of this assertion hasn’t been made public. Not to mention the United States government has been wrong about some pretty bold claims before. We may never know the full truth.

Congress grills Microsoft

Interestingly, the company in the hottest water over the whole snafu isn’t SolarWinds; it’s Microsoft. Probably due to its high-profile nature, the U.S. Congress set its sights on the tech behemoth[6]. This is because, after the breach’s first stage, the hackers exploited Microsoft products and stole sensitive emails and other data from thousands of organizations.

Microsoft itself had its source code exposed to the hackers. Since source code is the lifeblood of a tech company, it shows exactly how all-encompassing the breach was. It also proves a crucial point; no matter how secure a system is, nothing can be completely safe from ill-intentioned cyberspies with the backing of an entire country’s resources. So, although House members assuredly loved grandstanding about the holes in Microsoft’s security, the truth is more complex and nuanced.

White House ramps down recovery efforts

This brings us to the conclusion of the saga. On April 19, the White House announced that several national agencies such as the FBI, CISA, and NSA would soon begin ramping down their efforts regarding SolarWinds. Combined with the Russian sanctions, it signals that the U.S. Government considers the incident largely settled. China appears unlikely to receive any formal retaliation. Hopefully, the most significant data breach of our times serves as a lesson for the future of cybersecurity. Undoubtedly similar incidents will occur in the future, but perhaps mitigation policies will improve, and potential damages will be reduced.

Security is a personal responsibility

If there’s one takeaway everyone should have about SolarWinds, it’s that relying on Big Tech’s security policies is a mistake. People should do a bit of research to find redundant cybersecurity methods for their sensitive data.

You can protect your confidential files by ditching cloud drives like Dropbox, OneDrive, and Google Drive and switch to AXEL Go. AXEL Go utilizes our decentralized, distributed files sharing network backed by blockchain and the InterPlanetary File System. This ensures your documents aren’t stored in one place with a single point of failure.

Additionally, every file you transfer via the AXEL Network gets “digitally shredded” and distributed to scattered server nodes. This means even if a malicious agent compromised a server, they wouldn’t have access to the complete file. Documents are only reconfigured for the initial user and any recipients. This system, combined with military-grade encryption, provides multiple layers of security for AXEL Go users.

You can try AXEL Go Premium with all features unlocked free for 14-days. Sign up today and see how AXEL can improve your workflow and harden your organization’s cybersecurity.

 

 

[1] “SolarWinds: Advancing the Story”, RiskIq.com, April 22, 2021, https://community.riskiq.com/article/9a515637

[2] Morgan Chalfant, Maggie Miller, “Biden administration sanctions Russia for SolarWinds hack, election interference”, April 15, 2021, https://thehill.com/homenews/administration/548367-biden-administration-unveils-sweeping-sanctions-on-russia?rl=1

[3] “Russia to pull troops back from near Ukraine”, BBC, April 22, 2021, https://www.bbc.com/news/world-europe-56842763

[4] Dan Goodin, “Chinese hackers targeted SolarWinds customers in parallel with Russian op”, Ars Technica, March 8, 2021, https://arstechnica.com/gadgets/2021/03/chinese-hackers-targeted-solarwinds-customers-in-parallel-with-russian-op/

[5] Counter Threat Unit Research Team, “SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group”, Secureworks.com, March 8, 2021, https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group

[6] Frank Bajak, “SolarWinds hacking campaign puts Microsoft in the hot seat”, The Associated Press, April 17, 2021, https://apnews.com/article/business-technology-government-and-politics-f51e53523312b87121146de8fd7c0020