SolarWinds: An Unprecedented Cyber Attack

What is a supply-chain attack?

Rather than attack your systems directly, hackers exploit weak security at a partner or service provider to get access to your data. In other words, it’s the weakest link principle: your company’s data security is only as good as your service providers’ security.

 Who was affected by the SolarWinds attack?

When filing SEC documents related to the breach, SolarWinds estimated that “fewer than 18,000” of their 300,000 clients installed the affected updates.

However, multiple departments within the federal government—including State, Treasury, Commerce, Energy, and Homeland Security—had installed the affected update. The New York Times reported that hackers were able to access email within both the Treasury and Commerce Departments.

And the scope of the attack doesn’t end with the public sector. Among the private-sector clients affected were Intel, Nvidia, and Cisco.

 Who’s responsible for the attack?

The U.S. Cybersecurity and Infrastructure Security Agency has stated that the hackers were acting on behalf of a foreign government. The country responsible is widely believed to be Russia, following a National Security Agency warning earlier in December that Russian state-sponsored actors were also using security flaws in VMware® to access U.S. government resources.

 How could this have been prevented?

A former security adviser at SolarWinds has spoken up about how he told upper management in 2017 that the company needed to address security vulnerabilities, but the recommendations he made were not implemented.

When interviewed by Bloomberg, he said that “there was a lack of security at the technical product level, and there was minimal security leadership at the top.”

In the same article, another employee says that “SolarWinds appeared to prioritize the development of new software products over internal cybersecurity defenses.” Among the issues he mentioned were out-of-date browsers and operating systems.

Twitter users also reported that SolarWinds had recommended that purchasers disable antivirus software for products on the Orion platform in order for them to run correctly.

 What do I need to know to secure my data?

If there’s anything that we can learn from the SolarWinds attack, it’s that an impressive client list doesn’t mean that a company is following cybersecurity best practices.

Companies need to ensure that their entire supply chain—in other words, any partners or providers with access to their secure data—adheres to strict security practices. This could include service providers such as your law firm, your accountant, or your billing software provider.

When issuing a call for proposals or soliciting bids, ask detailed questions about information security. Depending on the vendors you’re working with and the data you handle, you may ask to perform a cybersecurity audit, require an agreement, or even perform penetration testing.

If you have questions about how to ensure that your partners are following best practices to avoid an incident like this, reach out to us to set up a call, and we can talk you through the risks—and the next steps to take.

For details about the specific versions and products affected, how to mitigate the problem, and additional information, visit the SolarWinds website.

Protect your business from cyber attacks