Giant SolarWinds hack not the first of its kind
- March 12, 2021
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyber Crime, Cyber Crime, Cyberattack, Cyberattack, Industrial Control System Security, Posts with image, Power Grid, Power Grid, Supply Chain Security
Should we have been better prepared?
A SolarWinds-style cyberattack happened long before the big attack in 2020 that affected big government agencies and thousands of companies. What did we learn from that previous cyber siege — if anything at all?
Not the First Time
Software company SolarWinds announced the massive cyberattack in December 2020.
But it wasn’t SolarWinds the attackers wanted. It was the company’s big customers, including the U.S. Department of Homeland Security, the U.S. Treasury, the Department of Energy and the National Nuclear Security Administration.
Attackers poisoned the code in one of SolarWinds software products, called Orion, and watched as agencies and companies unknowingly downloaded the malicious software onto their systems.
“Took me about 10 seconds. Like, ‘Oh boy, we’ve seen this again,'” said Eric Byres, CEO of cybersecurity company aDolus.
A cyberattack group called Dragonfly attacked power plants and industrial sites in 2013 and 2014, employing a very similar tactic.
“The technique of injecting into a supply chain is absolutely identical,” Byres said.
Dragonfly hit three companies in Europe that made software for plants, infiltrating and contaminating some software available for download.
When plant employees downloaded the software, they also downloaded malware known as Havex, which was designed to target industrial control systems, according to Erik Hjemlvik of Netresec.
The malware created a backdoor, or secret connection, so attackers could infiltrate the industrial and power plants and suck away info about how to run and control these critical systems.
Trusting the Supply Chain
Employees had no idea they had introduced spies and even nation-state attackers into their own networks.
“And because it came from a trusted site, they would — even if the antivirus went nuts on them — they’d say, ‘No, false positive, must be good,'” Byres told Archer News.
“They walk it into that plant, deep inside the plant. And for the attackers, this was heaven,” Byres added. “This is way more effective for a bad guy than we thought. This really, really works.”
What did we learn from the Dragonfly Havex attack?
“I don’t think we learned anything from Havex,” Byres answered. “Sadly, I think we learned almost nothing.”
The names of the ultimate victims — the power plants and energy companies in the U.S., Spain, France, Italy, Germany and Poland that downloaded Havex from the suppliers — were not made public. Without names, the threat seemed far away.
“It was very easy for the board of any company in North America, every power company, every oil company, every products company to go, ‘Oh yeah. Havex. Well, that was something that’s a problem over in Europe to some company I don’t know,'” Byres explained.
Archer News contacted the three companies reported to be software infiltration targets in the Dragonfly attacks.
We asked MB Connect Line, Ewon and MESA Imaging (purchased by Heptagon, which was later purchased by ams) what they learned from Havex.
Not one answered.
Byres said we still trust too much, leaving software unprotected and downloading software without checking its history, allowing these supply chain attacks to continue.
This time, the targets were not industrial, but included sensitive and critical U.S. government agencies.
What to Do?
Byres developed a platform to dissect what’s inside software, to see what’s inside your ‘can of soup,’ so to speak. It wouldn’t have prevented the SolarWinds attack, he said, but it would help uncover it.
“We need to start getting visibility into the bits and pieces of software that we load onto our plants,” Byres said.
“Where did I get it? Where did my suppliers get it from? Where did their suppliers get it from?” he asked. “If we don’t have the visibility, the bad guys will coattail in on something.”
Organizations need to be careful about what software they trust, Hjelmvik told Archer News.
They need to limit Internet traffic going out of their networks, which could make it harder for attackers to do malicious things with the systems.
Also, they should instrument their systems better so they can do forensic analysis after an attack and find out what happened, he recommended.
“Software supply chain attacks is a problem we need to learn how to handle,” Hjelmvik said.
Close to Home
The Havex attack may not have moved the security needle much, but experts say the latest SolarWinds attack probably will, as supply chain attacks hit home and people realize they need to protect themselves.
“I’m hopeful,” said Byres. “I think we’ll get on top of this like we’ve gotten on top of everything else, but there’s going to be some pain on the way there.”
Main image: North Sea sunset. Image: Kordi Vahle