
Ah, the week before the holidays. A great moment to take a breather after a difficult year, cut out early, do some online shopping, spend time with the family.
Not in the world of enterprise security technology — at least not this week.
“The week has literally exploded,” said Alex Gounares, founder and CEO at Bellevue, Wash.-based security tech company Polyverse. “It is tough to overstate the impact of the SolarWinds breach. Much has been written about the immediate impact, but what is even more concerning is the damage that is yet to come. The attackers have had months of unfettered access to SolarWinds customers — what else did they do? How many more backdoors are now planted all over those organizations?”
Those are just some of the unanswered questions and far-reaching implications of the SolarWinds breach, in which hackers believed to be connected to the Russian government infiltrated computer systems at companies and U.S. government agencies by illicitly inserting malware into software updates for a widely used IT infrastructure management product.
Discovered on Dec. 8, the attack has been taking place under the radar since March, according to the U.S. Cybersecurity & Infrastructure Security Agency.
The scale and sophistication of the attack are “amazing,” said Michael Hamilton, co-founder and chief information security officer of Seattle startup CI Security. “What I’ve learned is that tactics used by nation-state actors are now being deployed very broadly across the government and business community, and the gloves have really come off.”
SolarWinds, based in Austin, Texas, said about 18,000 customers may have installed the compromised software.

“What happened with SolarWinds is indicative of how incredibly sophisticated cyberattacks have become, and how far-reaching their effects are once a system has been infiltrated,” said Eugenio Pace, CEO and co-founder of authentication technology company Auth0. “We probably won’t know the full extent of damage for a while, unfortunately. This type of attack just proves that there will always be a level of sophistication and breadth that can impact even the most prepared companies.”
Security startups have been working long hours to help their business customers detect the presence of the malicious code in their systems.
“This particular piece of malware is difficult to detect. It lies dormant for long periods of time,” said Jessie Rothstein, co-founder and chief technology officer at Seattle-based network security company ExtraHop. “It doesn’t create a lot of activity. … This is one of the reasons why I’m concerned that we’re only just beginning to understand the implications of this attack.”
Another challenge is the surreptitious nature of the backdoor attack.

“I can tell you without a doubt that this backdoor was installed, and it was wide open, at a large number of organizations,” Rothstein said. “What’s difficult to say is, did anybody walk in through that backdoor? And did anybody leave through the backdoor with valuables? … And we do not know if they left other doors unlocked, or if they established persistence through other mechanisms.”
While tech security startups are careful not to be viewed as capitalizing on the incident, in many cases the situation demonstrates the need for the types of technologies and services they offer.
ExtraHop’s Rothstein, for example, pointed out that network detection is one of the best ways to sniff out signs of the hack, due to the way the malicious code sits dormant. Gounares cited the importance of businesses having complete control of their software stack, which is the focus of Polyverse’s flagship product, to defend against attacks coming in through the software supply chain, as was the case in the SolarWinds hack.
One key takeaway is that the attack marks a new era, and it’s only the beginning.
“The larger implications for IT security are that this event is moving from an espionage focus to a criminal one,” said Hamilton of CI Security. “There isn’t a bright line between state and criminal actors in certain countries, and persistence gained in networks using SolarWinds may be transitioned to organized crime. Translation: affected companies may be extorted using ransomware soon.”
