Sun Tzu taught that, when it comes to the art of cybersecurity, you must be wary of your business partners and other third parties.
Unless you are living under a rock, you should have heard that FireEye, perhaps the preeminent cybersecurity firm on the face of the planet, was the victim of a successful cyberattack. So were the US Treasury, the Department of Commerce, and other governmental agencies. Both were revealed within the past week.
The timing of these was interesting to me. I first thought the FireEye Red Team Tools were likely what were used to successfully attack the agencies. I was wrong. It turns out there wasn’t this cause-and-effect relationship, but they were related, and the roots of this attack go back to the teachings of Sun Tzu around 500 B.C.
Do you know how both FireEye and these agencies were attacked?
In both cases, the cyber threat actors obtained access through a third-party vendor’s tool that provided them with, essentially, a backdoor into their networks. That is, an indirect means of access. The tool is SolarWinds’ Orion Network Management Products, which allow for the remote management of networks:
The motive and the full scope of what intelligence was compromised remains unclear, but signs are that adversaries tampered with a software update released by Texas-based IT infrastructure provider SolarWinds earlier this year to infiltrate the systems of government agencies as well as FireEye and mount a highly-sophisticated supply chain attack.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency (CISA), which has released an emergency directive, urging federal civilian agencies to review their networks for suspicious activity and disconnect or power down SolarWinds Orion products immediately.
SolarWinds’ networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.
It also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.
Source: US Agencies and FireEye Were Hacked Using SolarWinds Software Backdoor (The Hacker News)
What did Sun Tzu teach us about this technique?
In all fighting the direct method may be used for joining battle, but indirect methods will be needed to secure victory.
You can be sure of succeeding in your attacks if you attack places which are not defended.
The spot where we intend to fight must not be made known; for then the enemy will have to prepare against a possible attack at several different points; and his forces being thus distributed in many directions, the numbers we shall have to face at any given point will be proportionately few.
Most businesses focus their energy on securing their own networks but spend very little effort examining the networks of their business associates and other third parties that they allow to access their networks. I am confident that SolarWinds was being very diligent in protecting its tools and that this was not an attack vector that was “not defended,” and I am also confident that FireEye and these agencies did not ignore this risk. Even so, this situation highlights another issue: regardless of how well defended it was, the SolarWinds Orion attack vector was out of the control of both FireEye (perhaps) and the agencies (most certainly).
Smarter people than I will delve into the particulars and technical details of these attacks and the prior due diligence and ongoing monitoring for this vendor. That is not the point of this post. What I can say, however, which is the point of this post, is that cyber threat actors regularly use third parties to attack their intended targets, and all companies must be aware of this and must be vigilant in protecting themselves to the extent possible.
As they say, there is nothing new under the Sun 🙂 … around 500 B.C. Sun Tzu taught that if an enemy (a cyber threat actor) wants to attack your company’s computer network, they would be wise to do so indirectly, such as through your company’s business associates and other third parties who have access to your network. Cyber threat actors may be a lot of things, but they are not dumb … the successful ones, anyway.
Update – InfraGard Advisory
InfraGard sent the following to members, which I am passing along here:
***This message is intended for widest distribution***
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of a vulnerability in SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, which were released between March 2020 and June 2020.
In response, CISA has published an urgent Current Activity Alert, “Active Exploitation of SolarWinds Software,” which can be found at https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software, and Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise,” directed at Federal Civilian Agencies, further emphasizing the urgency of this Alert: https://cyber.dhs.gov/ed/21-01/
CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures:
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
Additional Resources on Attack
- CISA Alert (AA20-352A) – Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
- Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers (Microsoft)
- The SolarWinds cyberattack: The hack, the victims, and what we know (Bleeping Computer)
- Hacked networks will need to be burned ‘down to the ground’
- SolarWinds Adviser Warned of Lax Security Years Before Hack
- U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise (Krebs on Security)
- Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce
- The State-Sponsored Hackers Are Winning
- Russian hack was ‘classic espionage’ with stealthy, targeted tactics
- Leading Digital and Cybersecurity Risk Factor Disclosures for SEC Registrants (Harvard Law School Forum on Corporate Governance)