Essay Undergraduate 2,304 words Human Written

Potential Implications for US National Security


THE SOLARWINDS HACK: SECURING THE FUTURE

Name______________________

Topic: SolarWinds Hack

Issue: Zero-Day Security and Potential Implications for US National Security

Paper Title: The SolarWinds Hack: Securing the Future

The implications for US national security include foreign actors’ ability to disrupt essential infrastructure assets within the United States. These assets include oil and gas pipelines, electrical grids, and the defense sector. Foreign actors can misuse personal data through malware, spyware, and other tools, resulting in extortion and ransomware. These implications are both tangible and intangible. Tangible elements include interruptions of infrastructure (e.g., communication, food distribution, power grids, and transportation), industry (e.g., aerospace, bio-medical, healthcare, and waste management), and utilities (e.g., gas, electric, sewage, and water) within the nation. Intangible implications include the erosion of consumer confidence in everything from online retail to election integrity.

Background

The SolarWinds hack was major because it affected thousands of organizations, including the United States government [1]. SolarWinds is a software company based in Tulsa, Oklahoma, that offers system management tools for infrastructure and network monitoring. One of the company’s performance monitoring products is called Orion. Orion had privileged access to IT systems, from which it collected system logs and performance data. The privileged position held by Orion and its deployment across the network made it an attractive target for hackers [2]. Using the Orion system, hackers managed to gain access to thousands of SolarWinds customers’ systems, networks, and data. The attack is one of the largest of its kind ever recorded. Over 30,000 private and public organizations use the Orion network management system to manage their IT resources. The public organizations include local, state, and federal agencies.

[1] Datta, P. (2021). Hannibal at the gates: Cyberwarfare & the SolarWinds SUNBURST hack. Journal of Information Technology Teaching Cases, 2043886921993126.
[2] FireEye. (2020). Highly evasive attacker leverages SolarWinds supply chain to compromise multiple global victims with SUNBURST backdoor.

How the Attack Took Place

The attack took place at the beginning of 2020, but it was not discovered until almost the end of 2020 [3]. The attackers were patient, and the nature of the attack they launched suggests they targeted multiple entities. SolarWinds had advised its Orion customers to exclude the software from anti-virus and endpoint detection and response (EDR) monitoring. Because of that exclusion, the attackers managed to access the networks and data of their victims without detection, since their malicious code ran as part of Orion and behaved like an Orion system. The attackers established multiple lines of access, control, and communication from the Orion monitoring system.

[3] Datta, P. (2021). Hannibal at the gates: Cyberwarfare & the SolarWinds SUNBURST hack. Journal of Information Technology Teaching Cases, 2043886921993126.

The hack might have originated from a GitHub misconfiguration error [4]. Server credentials were exposed in a public repository, which set the stage for the attack. Once the hackers had the credentials, they added their malicious code to the Orion software code and waited for SolarWinds to push the update to its customers. The attackers created a digital signature and certificate similar to the ones used by Orion to mask their Trojan malware. The hackers relied on waiting before initiating the attack. After the code was installed on a victim’s computer, it stayed dormant for two weeks before it began scanning the environment to establish that there were no malware monitoring systems [5]. Once it had established that the coast was clear, the malware made its initial connection to the remote server, masking itself as genuine network traffic. The malware was hiding in plain sight, and no one recognized or flagged the traffic originating from it. The code allowed the hackers to open more backdoors and gain access to companies and organizations [6].

[4] FireEye. (2020). Highly evasive attacker leverages SolarWinds supply chain to compromise multiple global victims with SUNBURST backdoor.
[5] Shlapentokh-Rothman, M., Kelly, J., Baral, A., Hemberg, E., & O'Reilly, U.-M. (2021). Coevolutionary modeling of cyber attack patterns and mitigations using public datasets. Proceedings of the Genetic and Evolutionary Computation Conference.
[6] FireEye. (2020). Highly evasive attacker leverages SolarWinds supply chain to compromise multiple global victims with SUNBURST backdoor.

Remote access was possible and allowed the hackers to copy data, emails, and other network traffic.

The Victims of the Attack

According to SolarWinds, over 18,000 customers had installed the updates containing the malicious code, which left them vulnerable to the hackers. Among the victims were several US government agencies. The Pentagon, the Department of Homeland Security, the Department of Energy, the Treasury, the State Department, and the National Nuclear Security Administration were attacked. Due to the nature of the attack, some victims might not be aware they were hacked. The attackers relied on stealth and going undetected; therefore, the victims were unaware of the attack while it was taking place. What information was accessed or downloaded is unknown because of the nature of the attack. At the Treasury Department, the hackers managed to break into email accounts and networks in the Department’s offices [7].

[7] Massacci, F., Jaeger, T., & Peisert, S. (2021). SolarWinds and the challenges of patching: Can we ever stop dancing with the devil? IEEE Security & Privacy, 19(02), 14-19.

The amount of data stolen and the number of networks compromised are still unknown. The dwell time for the attack was longer than the average reported by security firm CrowdStrike. According to CrowdStrike, the average dwell time in 2019 was 95 days [8]. However, the dwell time for the SolarWinds hack was almost one year. Therefore, the attackers had adequate time to access and download the data they needed. The breach took a long time to discover due to the sophistication of the code the hackers used.

[8] Mar, S. (2021). The aftermath of SolarWinds. The Internal Auditor, 18.

Purpose of the Hack

No one knows for sure the purpose of the hack [9]. However, based on previous motives for hacking, we can state that the hackers desired private information, access to future product plans, employee information, and state secrets. The hackers could have used the code to launch ransomware attacks, blocking access to organization computers until they were paid. The attack did not reach this level. Government agencies are the major target for such an attack, since their numerous secrets would be helpful to hackers. For this attack, the private companies were collateral damage. Considering that the Orion network and infrastructure monitoring system is used by numerous government agencies, the attackers’ goal was to gain government secrets.

[9] Datta, P. (2021). Hannibal at the gates: Cyberwarfare & the SolarWinds SUNBURST hack. Journal of Information Technology Teaching Cases, 2043886921993126.

The amount of data held by government agencies would be a prime target for hackers suspected of coming from foreign countries like Russia and China. Therefore, the purpose of the attack was to access confidential government data and to use the access to open up other backdoors. Had it not been discovered, the hack could have compromised sensitive data that might have been used against the United States.

Zero-Day Security

Zero-day vulnerabilities are flaws that the vendor and defenders do not yet know about. Zero-day security protects against these vulnerabilities by closely monitoring software and new patches to check for any vulnerabilities [10]. However, the Sunburst code used by the SolarWinds hackers remained dormant for two weeks. Many zero-day security checks are active right after the launch of software and software patches, and with time the close monitoring of the system fades. That is when the Sunburst code came alive. Capitalizing on time and complacency allowed the hackers to spoof the authentication infrastructure without raising suspicions.

[10] Mar, S. (2021). The aftermath of SolarWinds. The Internal Auditor, 18.
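The dormant-then-beacon behaviour described under How the Attack Took Place and the fading of post-patch monitoring described above are both countered by a check that keeps running for the whole dwell period, not just the days after an update. The following Python is an added example, not code from this paper or from any SolarWinds product; the process name orion-monitor.exe, the destinations, the timestamps and the install time are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed outbound-connection log lines: "<ISO timestamp> <process> <destination>".
# The process name and destinations are placeholders, not real indicators.
SAMPLE_LOG = """\
2020-03-26T10:00:00 orion-monitor.exe updates.vendor.example
2020-03-27T10:05:00 orion-monitor.exe api.vendor.example
2020-03-28T09:00:00 orion-monitor.exe updates.vendor.example
2020-04-12T03:14:00 orion-monitor.exe cdn-telemetry.example.net
2020-04-13T03:15:00 orion-monitor.exe updates.vendor.example
"""

# Constructed time at which the (hypothetically trojanized) monitoring update was installed.
INSTALL_TIME = datetime(2020, 3, 26, 9, 0, 0)


def parse_log(text):
    """Parse the constructed log format into (timestamp, process, destination) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, dest = line.split()
        events.append((datetime.fromisoformat(ts), proc, dest))
    return events


def late_first_seen(events, process, install_time, baseline_days=7):
    """Flag destinations that `process` contacts for the FIRST time after the baseline window.

    The first `baseline_days` after installation build the set of destinations the
    software normally talks to. A destination that only appears later, once post-patch
    scrutiny has faded, matches the sleeper-beacon pattern and is returned as
    (destination, first_seen, days_since_install).
    """
    baseline_end = install_time + timedelta(days=baseline_days)
    seen = set()
    findings = []
    for ts, proc, dest in sorted(events):
        if proc != process or dest in seen:
            continue
        seen.add(dest)
        if ts > baseline_end:
            findings.append((dest, ts, (ts - install_time).days))
    return findings


def run_example():
    """Run the check over the constructed log; returns the list of findings."""
    return late_first_seen(parse_log(SAMPLE_LOG), "orion-monitor.exe", INSTALL_TIME)
```

On the sample data the only finding is the destination first contacted 16 days after installation, i.e. the kind of late first contact that a check limited to the days after a patch would never see.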

Potential Implications for US National Security

Classified information could be leaked, which would demonstrate to others how they can attack the US. The stealthy nature of the attack ensured it spread without being detected, compromising the initial computer and other computers on the network. The hack reached some of the Pentagon systems, where sensitive information regarding the country’s security is stored [11]. While no classified information is suspected of having been stolen, the hack demonstrates the potential implications of stolen classified information and how the country’s defenses could be compromised. Russia is the major suspect for having initiated the attack. Considering the current US and Russia relations, one can see how disastrous it would be if they managed to gain access to sensitive information regarding the security of the US. Key installations in the country like nuclear weapons and defense systems could be at risk [12]. If the attackers managed to gain access to nuclear codes, they could launch them targeting the country or other countries, which would lead to a third world war. If such an attack appeared to come from the US, all other countries would assume the US initiated it, and they would counter-attack the US, leading to loss of life since the country would not have access to its defense and attack systems.

[11] Massacci, F., Jaeger, T., & Peisert, S. (2021). SolarWinds and the challenges of patching: Can we ever stop dancing with the devil? IEEE Security & Privacy, 19(02), 14-19.
[12] Wolff, E. D., Growley, K. M., & Gruden, M. G. (2021). Navigating the SolarWinds supply chain attack.

Another potential implication would be access to sensitive information like the security details of the president. Therefore, the operations of the president could be at risk, and an attack could be imminent. The attackers use stealth, and they could use the same strategy to infiltrate the inner circle of his defense by placing their soldiers with fake IDs. These soldiers would be tasked with infiltrating the president’s security and taking charge of it. Once the presidential security is compromised, it would be easy to take him out. Incapacitating the president would leave America vulnerable to foreign attacks, diminishing its superpower status in the global community.

The Department of Homeland Security (DHS) is responsible for public security. An attack on its systems would compromise public security [13]. The major role played by the DHS is disaster prevention and management. The DHS holds sensitive documents regarding the measures to prevent and manage a disaster of any magnitude [14]. Therefore, if this information is leaked or accessed by the attackers, it can compromise the security of American citizens. There are natural and artificial disasters that can occur in the country. While the attackers cannot initiate natural disasters, they can initiate unnatural disasters like bombing a building, attacking citizens during public ceremonies, or even launching an attack on the nation’s infrastructure. When a foreign enemy knows the measures put in place to secure a location and the strategies used to reduce casualties, they can use the information to launch multiple attacks compromising the security of the public. Even with the best-laid plans, if the enemy knows the mitigation and prevention measures, they will use them to inflict maximum damage.

[13] Shlapentokh-Rothman, M., Kelly, J., Baral, A., Hemberg, E., & O'Reilly, U.-M. (2021). Coevolutionary modeling of cyber attack patterns and mitigations using public datasets. Proceedings of the Genetic and Evolutionary Computation Conference.
[14] Massacci, F., Jaeger, T., & Peisert, S. (2021). SolarWinds and the challenges of patching: Can we ever stop dancing with the devil? IEEE Security & Privacy, 19(02), 14-19.

Cite This Paper
"Potential Implications For US National Security" (2021, October 12) Retrieved April 22, 2026, from
https://www.paperdue.com/essay/potential-implications-national-security-essay-2180938
