Why security experts were blindsided by the SolarWinds attack
The SolarWinds cyberattack on U.S. government agencies and private organizations was and is frightening in its scale and success. It proved no match for the government agencies charged with defending against such things, and brought into sharp focus the fact that the government’s current model for responding to cyberthreats is lacking. The Senate Intelligence Committee hosted some of the main players in the SolarWinds saga Tuesday for some soul-searching on how the government and private tech companies should work together to stop future attacks. Some of the main themes discussed in the hearing are likely to end up in new cybersecurity legislation this year, a Congressional source told me. SolarWinds is the name of the Texas-based company whose IT management software is used by many government agencies and large corporations. Back in March 2020, the attackers—widely thought to be employed by Russia’s Foreign Intelligence Service—first planted malware in the SolarWinds system that sends updates to all its clients. When government agencies installed the update, they installed the malware, too. The attack was finally reported in December 2020 by the private security firm FireEye, and then only because the firm discovered its own systems had been infected. The SolarWinds attack was novel, in that it targeted both government and private-sector entities, and for its use of a government supplier (SolarWinds) as a Trojan horse to gain access to government agency systems. The white hats (security good guys) were not ready for this roundabout way of attacking. During the hearing, SolarWinds CEO Sudhakar Ramakrishna said the security community knows how to defend against direct attacks on networks and spear-phishing attacks in which hackers pose as a trusted party and try to trick employees of the target company into giving up their network credentials. Security experts have less experience with attacks that exploit a private-sector supplier of software to the government to gain entry. It’s hard for the eventual target organization—in this case government agencies and corporations—to see that kind of attack coming. The attackers attached malware to an update to SolarWinds’ Orion software. When the company’s clients—18,000 of them—installed the update, they also installed the malware. The attackers are thought to have penetrated the systems of 100 private companies and 11 government agencies, including the Departments of State, Energy, Homeland Security, and Treasury, and the National Nuclear Security Administration Read More …