Asked why he robbed banks, the bank robber Willie Sutton reportedly said, "Because that's where the money is." Today's criminals sit behind computers in other countries and quietly steal intellectual property and secrets from the world's largest companies and government agencies.
Other criminals steal data for a quick ransom payout. Either way, penetrating the defenses of the world's largest companies head-on takes a lot of time, so attackers have turned to the tools IT departments use to manage their infrastructure: compromise the tool once, and you inherit its access to every network where it is installed.
The only cost-effective way to manage a large number of computer systems is a remote monitoring and management (RMM) tool. RMM tools let IT administrators monitor systems, but they also let them remotely deploy software and run commands on computers anywhere in the world, as long as those computers can reach the central management server over the internet or a virtual private network. To do that job, the management server typically holds privileged credentials for every system it manages.
Consequently, attackers have correctly reasoned that if they could inject malware into the code of a management platform, they would inherit privileged access to every organization where the tool is used. SolarWinds Orion, a network and infrastructure monitoring and management platform used in large enterprises and government networks, was exactly such a target. In December 2020 it was revealed that attackers, attributed by the U.S. government to Russia's foreign intelligence service, had compromised it.
Information released since the initial disclosure makes the breach more alarming. First, the attackers were inside SolarWinds' own environment long before any customer was affected: SolarWinds has said the threat actor accessed its systems as early as September 2019, trialed a harmless code injection that October, and inserted the actual backdoor, known as SUNBURST, into Orion builds in early 2020. Rather than editing the source repository, where a code review might have caught it, the attackers planted a tool on the build server that swapped a modified source file in during compilation, so the malicious library came out of the normal build process carrying a valid SolarWinds digital signature. It seems an attack like this should have been easy to discover, but a mature product like Orion consists of many executables, libraries and database components spanning a very large code base, and a backdoor of a few thousand lines inside one signed library does not stand out.
By inserting the backdoor into Orion, the state-sponsored attackers put it in the hands of roughly 18,000 customers who downloaded the trojanized update, among them large companies including Microsoft and U.S. federal agencies such as the Department of Homeland Security, the Department of Agriculture and the Department of Commerce. Only a subset of those customers were then actively targeted for follow-on intrusion, but inside the networks the attackers chose, they were able to read data unnoticed for the better part of a year.
Security tools did not raise alarms, and even FireEye, the security vendor that eventually uncovered the campaign after finding it inside its own network, had been compromised for months first. The reason is that the payload did not look like an attack: it arrived as a legitimately signed Orion update from a trusted vendor, ran with the privileges Orion already had on the network, lay dormant for up to two weeks after installation, and then communicated with its operators using traffic that imitated Orion's own telemetry. Major companies and government agencies went about their daily work for months without knowing their data was being stolen.
This type of attack confirms what we already know: Security is an illusion. Everyone believes their data and networks are safe right up until a breach is discovered. The reality is that no network, computer or amount of money can guarantee protection against a well-funded, patient adversary. After the attack was discovered, Microsoft confirmed it had found malicious Orion binaries in its own environment and that an internal account had been used to view source code in some of its repositories.
Microsoft's investigation found that the attackers were not able to modify its code or inject a payload into its products, but they were able to view source code. Microsoft stated that it designs its networks under an "assumed breach" philosophy. This means Microsoft assumes its networks have already been compromised and layers additional controls inside them to protect data, rather than relying on a hard perimeter or on the secrecy of source code. Had the attackers also been able to steal the credentials of an administrator on one of those teams, they could have reached far more than read-only access. If the world's most successful companies and most powerful government agencies cannot keep intruders out, then we must conclude that no data is safe.
Every organization's management and IT teams should get together and adopt an assumed-breach policy. They should then ask how to add security internally to protect their intellectual property and reputations. For management platforms like Orion, that means treating the management server as the crown jewel it is: isolate it on its own network segment, allow it to reach only the destinations it actually needs, give its service accounts the least privilege that still does the job, and watch its outbound traffic and logins, so that a compromised tool has somewhere to trip an alarm.
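As a concrete illustration of one such internal control, here is an added example (not code from the original article, SolarWinds or any vendor) of an egress-allowlist check for a management server. Everything in it is constructed for the example: the management server address 10.0.5.10, the allowlist entries, and the connection-log lines. It assumes a simple log format of timestamp, source, destination, port and protocol per line. The point it demonstrates is that a compromised management tool that phones home to an unexpected host, including a lookalike of the vendor's legitimate update domain, is flagged even though the software itself is signed and trusted.

```python
"""
Added example: flag outbound connections from a management server that fall
outside an explicit egress allowlist ("assumed breach" control for an RMM or
monitoring host). All addresses, hostnames and log lines are constructed.

Assumed log line format:
    <timestamp> <src_ip> <dst_host_or_ip> <dst_port> <proto>
"""
from dataclasses import dataclass
import ipaddress

# Hosts that are management servers and therefore subject to the allowlist.
MANAGEMENT_HOSTS = {"10.0.5.10"}

# (destination, port) pairs a management server may talk to. A port of None
# means any port. Hostnames must match exactly: a lookalike domain or an
# unexpected subdomain is deliberately NOT matched.
EGRESS_ALLOWLIST = {
    ("updates.vendor.example", 443),  # assumed vendor update host
    ("10.0.1.53", 53),                # assumed internal DNS resolver
    ("10.0.0.0/8", None),             # anything internal, any port
}


@dataclass(frozen=True)
class Connection:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_line(line: str) -> Connection:
    """Parse one whitespace-separated connection-log line."""
    ts, src, dst, port, proto = line.split()
    return Connection(ts, src, dst, int(port), proto)


def _dst_matches(entry_dst: str, dst: str) -> bool:
    """Match a destination against an allowlist entry (CIDR or exact name/IP)."""
    if "/" in entry_dst:
        try:
            return ipaddress.ip_address(dst) in ipaddress.ip_network(entry_dst)
        except ValueError:
            return False  # a hostname cannot be matched against a CIDR range
    return entry_dst == dst


def is_allowed(conn: Connection) -> bool:
    """True if the connection's destination and port are on the allowlist."""
    return any(
        _dst_matches(entry_dst, conn.dst) and (entry_port is None or entry_port == conn.port)
        for entry_dst, entry_port in EGRESS_ALLOWLIST
    )


def find_violations(lines):
    """Return connections from management hosts that are not allowlisted."""
    violations = []
    for line in lines:
        conn = parse_line(line)
        if conn.src in MANAGEMENT_HOSTS and not is_allowed(conn):
            violations.append(conn)
    return violations


# Constructed sample log. Lines 4 and 5 are the ones a backdoored management
# tool might produce: a lookalike of the vendor domain and a raw external IP.
SAMPLE_LOG = [
    "2020-06-01T08:00:00Z 10.0.5.10 updates.vendor.example 443 tcp",
    "2020-06-01T08:00:05Z 10.0.5.10 10.0.1.53 53 udp",
    "2020-06-01T08:01:00Z 10.0.5.10 10.0.7.22 22 tcp",
    "2020-06-01T08:14:00Z 10.0.5.10 api.updates-vendor.example 443 tcp",
    "2020-06-01T08:14:30Z 10.0.5.10 198.51.100.77 443 tcp",
    "2020-06-01T08:15:00Z 10.0.9.4 198.51.100.77 443 tcp",  # not a management host
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"ALERT {v.ts} management host {v.src} -> {v.dst}:{v.port}/{v.proto}")
```

The check is intentionally strict: exact hostname matching means a domain one character off from the vendor's, or an unexpected subdomain of it, is reported rather than waved through, which is the kind of blending-in traffic a trusted-update backdoor relies on. In practice this logic would run over firewall or flow logs for the segment the management server sits in, and the allowlist would be maintained alongside the change process for that server.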
For more information, visit www.omnipotech.com or call (281) 768-4308.