We were on the home stretch. Just a few weeks left before we could put this garbage fire of a year behind us. It figures that we couldn’t make it to the end with at least one more catastrophe striking us in the face.
IT management firm SolarWinds provides network monitoring services to hundreds of thousands of customers around the world. In late December, it was also the target of one of the largest cyberattacks of the year, perhaps even the decade. The culprit, reports tech publication ZDNet, is a Russian intelligence agency.
According to security firm FireEye, the culprits in Spring 2020 executed an incredibly sophisticated supply-chain malware campaign, which utilized the following tactics:
- Poisoning software updates for Solarwinds’ Orion software platform, granting remote access into each victim’s operating environment through the Sunburst backdoor.
- Making significant efforts to blend into routine network activity, and using light malware to help avoid detection.
- Extensive reconnaissance.
All told, approximately 18,000 customers were impacted by the attack. Per The Verge, several leading private sector organizations are among the victims, including Microsoft, Cisco, Belkin, VMware, Nvidia, and Intel. Worse still, according to The Guardian, the attack has even managed to compromise several arms of the United States government, including the Treasury Department and the Commerce Department. On the surface, it seems like this attack was, to some extent, unavoidable.
After all, the level of sophistication here speaks for itself, right?
Not exactly. You’d expect a firm that provides IT management services to some of the highest-security agencies and most prominent private-sector organizations in the world to have peerless internal practices, right? Unfortunately, the reality is honestly baffling.
According to Business Insider, in spite of the level of sophistication displayed by the Sunburst attack, the Orion update server could have been compromised by anyone. Speaking to Reuters, security researcher Vinoth Kumar said that in 2019, the password for the firm’s update server was solarwinds123. Yes, you read that right.
An update server with the potential to provide extensive access to some of the most powerful businesses and government agencies in the world was protected by a password that could have been guessed by a toddler.
To be frank, it’s baffling that Solarwinds had such a lax approach to cybersecurity. We cannot help but wonder if, even though they were reportedly targeted by state-sponsored black hats, their lax practices played at least some role in allowing this to happen. And that, if nothing else, is the most important lesson of this whole mess.
You cannot assume that a vendor can be trusted simply because it has a large client base. You cannot assume a vendor is secure simply because it works with high-security businesses. And you cannot take for granted that a vendor will treat your data with the same care that you do.
We have little doubt that we’ve not heard the last of the bad news from the Solarwinds hack. Its sheer scope and complexity more or less ensure as much. There is very likely more bad news to come.
And at this point, all we can do is hope that we’re able to learn something from it.