SolarWinds Provides Update on Major Hack Amid New CISA Venture
CISA aims to prevent major supply chain security incidents like the SolarWinds breach from happening again.
In a new blog post, SolarWinds said the company first noticed “suspicious activity” on its Orion platform in September 2019 — more than a year before discovering the malicious code now referred to as SUNBURST, which induced the December 2020 cyberattack.
According to SolarWinds, the SUNSPOT malware inserted the SUNBURST backdoor “into software builds of the SolarWinds Orion IT management product.”
In other words, the malware mimicked SolarWinds’ own IT product, slipping in during the development process.
“The design of SUNSPOT suggests [the hackers] invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” according to the blog post.
SolarWinds said it “identified two previous customer support incidents during the timeline referenced above that, with the benefit of hindsight, we believe may be related to SUNBURST.”
Both incidents prompted investigations, but SolarWinds did not find the SUNBURST malicious code until December.
On the heels of the SolarWinds update, CISA launched a new Systemic Cyber Risk Reduction Venture, highlighting the SolarWinds Orion hack as a result of the “concentrated sources of cyber risk” the new venture hopes to address.
“The SolarWinds Orion cyber campaign has highlighted how tools that typically leverage a significant number of highly privileged accounts and access to perform normal business functions can themselves actually become adversarial attack vectors if insufficiently hardened,” wrote Bob Kolasky, CISA’s assistant director for the National Risk Management Center.
In the press release, Kolasky underscored open source code libraries as a significant cyber risk. Daniel Kroese, former associate director for CISA’s National Risk Management Center, specifically called out open source software at GovernmentCIO Media & Research’s Infrastructure: Foundations of the Future event.
“Software represents a potentially concentrated source of risk if you don’t have the vulnerability management and acquisition strategies around it,” he said during a panel on IT supply chain security. “We’re working to deploy a series of tools across government agencies, but also private sector partners in the critical infrastructure community to do this supply chain analysis so that if there are vulnerabilities … we can track it, understand where it is and patch that swiftly.”
Kolasky said the Systemic Cyber Risk Reduction Venture will prioritize “software assurance” because it’s an area with “systemic risk.”
In December 2020, CISA released its Information and Communications Technology Supply Chain Risk Management Task Force Year Two Report, which detailed ways in which federal agencies can take stock of their ICT supply chain risk, like software vulnerabilities.
To prevent major hacks like the SolarWinds breach from happening again, the CISA Systemic Cyber Risk Reduction Venture will develop a cyber risk analysis for critical infrastructure and cyber risk metrics, and identify and promote tools to address “concentrated sources of cyber risk,” like software supply chains.