SolarWinds Orion: what the most serious cyber attack of 2020 can teach us

In addition to the Coronavirus pandemic that everyone, sadly, knows all too well, at the end of 2020 the world had to face another kind of pandemic: the attack on the SolarWinds Orion platform. For companies and public administrations, this event showed how important it is to keep IT monitoring systems equal to the risks that arise when the necessary monitoring, control and remediation measures are missing.

The SolarWinds Orion affair has brought to light past carelessness that is hard to believe. According to some sources, in 2019 the password of the Texan company's update server was "solarwinds123". Whatever the truth of that report, it was the updates themselves that acted as the Trojan horse for the malicious campaign, supposedly launched by the Russian hacker group APT29, nicknamed "Cozy Bear".


SolarWinds Orion, how the worst cyberattack of 2020 happened

The identity of the hackers has not been established. However, the dynamics of the attack are known for certain: it was carried out through a so-called backdoor, named "Sunburst" or "Solorigate".

The vulnerability CVE-2020-10148 was identified in the SolarWinds Orion platform. It turned the periodic update into an attack vector, which then infected a large share of the more than 300,000 customers using the US software company's products. Orion is the company's flagship suite, and its users include prominent names on the international scene such as Microsoft and NASA, to name two.

In Italy, one of the companies involved, and not the only one, is Telecom Italia. This is why, as happened overseas, where CISA (the Cybersecurity & Infrastructure Security Agency) issued an emergency directive to mitigate the effects of the malicious code on networks and infrastructures, our Cyber Security Nucleus (NSC) met for the same purpose.


The characteristics of the attack on the SolarWinds Orion platform

The cyberattack on the SolarWinds Orion platform is peculiar because it is known for a fact that it was a supply chain attack. This definition covers several types of attack, all of which leverage the weakness of one component of the value chain.

It is a sign of the present times, as today there is no IT solution that does not foresee integrations between different vendors.

The second feature makes SolarWinds Orion a textbook case: what was violated, in this case, is an IT monitoring and network management tool, the very kind of tool meant to help raise the security profile of companies.

Finally, we should pay attention to a third element. The penetration strategy exploited what every organization normally does to keep its guard up, namely the regular update cycle. And the update was downloaded directly from the official SolarWinds domain.


The precautions companies should implement

Given the above, some precautions emerge that are worth putting in place to avoid, or at least minimize, the risks of cyberattacks similar to the one that put SolarWinds Orion in check.

First, companies need to identify partners with expertise and experience in the most reliable IT monitoring solutions. These are usually system integrators with proven skills in this area. With them, it is good practice to identify the monitoring systems and platforms that offer greater resilience.

However, this aspect alone is not enough, as the SolarWinds Orion story demonstrates. Companies should also evaluate the methodology these partners apply to patch management and to the uneven end-of-support and obsolescence of all the components present within the company itself.

In fact, we must not forget that the fuse that lit the SolarWinds Orion fire was a basic, routine update.
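As an added illustration, not taken from the original article or from SolarWinds, the Python sketch below shows the kind of update gate such a patching methodology can enforce: the downloaded package is checked against the vendor-published hash and against a hash obtained through an independent channel, must have run in a staging ring for a minimum period, and must not target a component past end of support. The component names, dates and installer bytes are constructed for the example; a hash published alongside the download cannot flag a file that was altered before the vendor published it, which is why the gate also demands an independent reference and a staging period.

```python
import hashlib
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Component:
    name: str
    end_of_support: Optional[date]  # None = unknown; treated as a finding

@dataclass
class UpdatePackage:
    component: str
    payload: bytes               # downloaded installer bytes (constructed below)
    vendor_sha256: str           # hash published alongside the download
    oob_sha256: Optional[str]    # hash obtained through an independent channel
    staged_days: int             # days the package has run in a staging ring

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def obsolete_components(inventory, today):
    """Names of components past end of support or with no known support date."""
    return [c.name for c in inventory
            if c.end_of_support is None or c.end_of_support < today]

def gate_update(pkg, inventory, today, min_staged_days=7):
    """Reasons this update must not be rolled out yet; an empty list means go."""
    findings = []
    actual = sha256_hex(pkg.payload)
    if actual != pkg.vendor_sha256:
        findings.append("hash mismatch with vendor-published hash")
    # A same-channel hash only proves the file matches what that channel served.
    if pkg.oob_sha256 is None:
        findings.append("no out-of-band hash reference")
    elif actual != pkg.oob_sha256:
        findings.append("hash differs from out-of-band reference")
    if pkg.staged_days < min_staged_days:
        findings.append(f"staged only {pkg.staged_days} days (< {min_staged_days})")
    if pkg.component in obsolete_components(inventory, today):
        findings.append("target component is past end of support or has no support date")
    return findings

# Constructed sample data: hypothetical component names, dates and installer bytes.
TODAY = date(2021, 1, 15)
INVENTORY = [Component("monitoring-server", date(2023, 12, 31)),
             Component("legacy-agent", date(2019, 6, 30)), Component("netflow-collector", None)]
GOOD, ALTERED = b"installer-bytes-2020.2.1", b"installer-bytes-2020.2.1-altered"
CLEAN_PKG = UpdatePackage("monitoring-server", GOOD, sha256_hex(GOOD), sha256_hex(GOOD), 10)
# Channel serves an altered file with a matching published hash: only the independent reference catches it.
ALTERED_PKG = UpdatePackage("monitoring-server", ALTERED, sha256_hex(ALTERED), sha256_hex(GOOD), 0)
```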