The SolarWinds case, let's take stock

(By Alessandro Rugolo)
08/03/21

In an article of 14 December 2020 we discussed FireEye and how it was hacked. It was the company itself that, on 8 December, informed the public of what had happened.

We then picked up the news a week later with the article by Ciro Metaggiata.

We then tried to ask ourselves some questions on the basis of what was known, and to sketch out some answers.

Today, almost three months after the incident, we can try to take a few steps forward, certain that the attack, now known as Solorigate, will be talked about for a long time to come.

Meanwhile, it has been clarified that the attack took place through a software supplier of FireEye (and not only of FireEye!): the company is called SolarWinds and is based in Texas.

One thing we can see immediately is the effect of the attack on the two companies: FireEye has maintained the value of its shares, which has in fact grown, while SolarWinds has lost value!

This is just to show what kind of "effects" a cyber attack can have, from an economic point of view to be clear, if anyone still has doubts about its effects in the real world. In this case the effects I have shown are only those on the software manufacturer, but if we were to estimate the economic losses due to this attack, the estimate would have to include the analysis of about 18,000 state and non-state organizations, and the figure that would come out could be frighteningly high. Let's leave it there.

SolarWinds developed a product that its customers use to update their systems. This is the case, for example, of Microsoft and many others who used the SolarWinds product known as "Orion", which many organizations and companies use to manage IT assets.

Probably as early as the beginning of 2020, SolarWinds distributed updates that contained a backdoor, which allowed the hackers to access systems, explore them and exfiltrate data, and probably also to modify some of the data they accessed. This means that the hackers had at least six months before they were discovered.

According to recent newspaper reports, investigators believe that there are Russian elements among the hackers and that this was an espionage campaign. In this regard, it must be said that the Biden administration is working on the attribution of the attack.

Among the victims, in addition to FireEye, which first reported the incident, there are some of the main American institutions, including the Department of State, the Treasury, Homeland Security, Energy and Commerce, the National Institutes of Health and the National Nuclear Security Administration, but also several companies among the largest in the world, listed in the Fortune 500, including Microsoft, Cisco, Intel, Deloitte ...

According to expert analysis, once the hackers had gained access to the victims' networks and systems, in many cases they manipulated a piece of Microsoft software called "Active Directory Federation Services", which issues the "digital identities" for the victims' users, known as "SAML tokens".

The discussion, including the political one, now focuses on the fact that this attack technique had been known at least since 2017, when an Israeli researcher, Shaked Reiner, described it under the name "Golden SAML attack". Indeed, many are demanding explanations as to why American networks and systems are not adequately protected despite the huge investments made in the sector.
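One defensive check that follows from the two paragraphs above, as an added example that is not part of the original article and not code from SolarWinds, FireEye or Microsoft: a forged SAML token is signed with the federation server's own stolen signing key, so signature validation at the cloud application accepts it. What the federation server does not have is an issuance record for it. The script below correlates constructed sample logs from the two sides and flags tokens that were accepted but never issued, plus tokens whose validity window is far longer than policy. The log format, field names and the one-hour policy are assumptions.

```python
# Added example (not from the original article, nor from SolarWinds, FireEye or
# Microsoft): a defender-side correlation check for forged ("Golden SAML") tokens.
# Idea: every SAML assertion a cloud application accepts should have a matching
# issuance record on the federation server (AD FS). A token that was accepted but
# never issued, or whose validity window is far longer than policy, is suspicious.
# Log formats and field names below are assumptions; all records are constructed.
from datetime import datetime, timedelta

# Constructed sample: issuance records as the federation server would log them.
ISSUED_LOG = [
    "2021-03-01T08:00:00Z assertion_id=_a1 subject=alice@example.org issuer=sts.example.org",
    "2021-03-01T08:05:00Z assertion_id=_a2 subject=bob@example.org issuer=sts.example.org",
]

# Constructed sample: assertions accepted by a relying party (cloud application).
# The third record has no issuance counterpart and a 24-hour validity window.
CONSUMED_LOG = [
    "2021-03-01T08:00:03Z assertion_id=_a1 subject=alice@example.org "
    "not_before=2021-03-01T08:00:00Z not_after=2021-03-01T09:00:00Z",
    "2021-03-01T08:05:02Z assertion_id=_a2 subject=bob@example.org "
    "not_before=2021-03-01T08:05:00Z not_after=2021-03-01T09:05:00Z",
    "2021-03-01T11:30:00Z assertion_id=_zz9 subject=admin@example.org "
    "not_before=2021-03-01T11:00:00Z not_after=2021-03-02T11:00:00Z",
]


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict; timestamp kept under 'ts'."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def find_unissued(issued_lines, consumed_lines):
    """Assertion ids accepted by the relying party that the federation server never issued."""
    issued_ids = {parse_line(line)["assertion_id"] for line in issued_lines}
    return [parse_line(line)["assertion_id"]
            for line in consumed_lines
            if parse_line(line)["assertion_id"] not in issued_ids]


def find_long_lived(consumed_lines, max_lifetime=timedelta(hours=1)):
    """Assertion ids whose NotBefore/NotOnOrAfter window exceeds the policy maximum."""
    flagged = []
    for line in consumed_lines:
        record = parse_line(line)
        lifetime = parse_ts(record["not_after"]) - parse_ts(record["not_before"])
        if lifetime > max_lifetime:
            flagged.append(record["assertion_id"])
    return flagged


def analyze(issued_lines, consumed_lines, max_lifetime=timedelta(hours=1)):
    """Return (assertion_id, reason) findings for an analyst to triage."""
    findings = []
    for aid in find_unissued(issued_lines, consumed_lines):
        findings.append((aid, "accepted by relying party, no issuance record on federation server"))
    for aid in find_long_lived(consumed_lines, max_lifetime):
        findings.append((aid, "validity window exceeds policy maximum"))
    return findings


if __name__ == "__main__":
    for assertion_id, reason in analyze(ISSUED_LOG, CONSUMED_LOG):
        print(f"{assertion_id}: {reason}")
```

In a real deployment the issuance side comes from the federation server's audit log and the consumed side from the cloud application's sign-in log; the correlation only works if both are collected centrally and the federation server's clock and the application's clock agree closely enough for the assertion ids to be matched. Because the forged token passes signature validation, this cross-source correlation, together with protecting and rotating the token-signing certificate, is the check that actually catches the technique.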

I am sure there is still a lot to be said about the SolarWinds case; however, I want to conclude with one consideration: our society is increasingly dependent on the Internet and digital systems. This dependence, however, is increasingly under siege from the growing risks associated with cyber attacks.

The time has probably come for States to start working seriously and together to reduce the risks through a serious shared strategy, unless we want to risk throwing away the last 50 years of digital development in search of a new, sustainable and secure path.

To learn more:

FireEye hacked, by whom? - Online Defense

Sunburst: a Pearl Harbor Cyber? - Online Defense

FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community | FireEye Inc

FireEye Discovered SolarWinds Breach While Probing Own Hack - Bloomberg

Inline XBRL Viewer (sec.gov)

SolarWinds hack: Biden administration says investigation is likely to take "several months" - CNNPolitics

WH will 'sharpen the attribution' with Russia after SolarWinds hack (nypost.com)

Here's a simple explanation of how the massive SolarWinds hack happened and why it's such a big deal (businessinsider.fr)

Golden SAML: Newly Discovered Attack Technique Forges Authentication to Cloud Apps (cyberark.com)

What is Solorigate - Cybersecurity Insiders (cybersecurity-insiders.com)