For corporate IT and cybersecurity professionals, the 2020 holiday season was filled with stress and long days as teams scrambled to assess whether their networks were penetrated by the widespread and stealthy hack known as Sunburst. Even more unsettling: for at least nine months before it was detected in early December, the malware had been spreading through the networks of as many 18,000 users of Solar Winds’ Orion network management software.
In a recent webinar, Resilinc’s co-founder and CTO Sumit Vakil warned that supply chain managers should also be proactively investigating how Sunburst may have affected their suppliers—and what mitigations those potentially affected suppliers are undertaking. “Right now, your IT organization is in fire drill mode. This is a massive crisis the likes of which they’ve never seen before,” said Vakil. “Chances are they’re not going to have time to think about how your suppliers or vendors may have been impacted.”
“Even if your own organization is secure, all the emails and documents that you’ve shared with suppliers, including those with sensitive IP such as instructions, build plans, and other trade secrets could become available to the hackers,” said Vakil. “Even if your communications go through a secure FTP server, chances are your supplier downloads them and puts them on Microsoft Sharepoint, which can be accessed by Sunburst.”
Vakil added that this risk extends to more than suppliers of services, parts, and materials. “Vendors who manage employee data or even your accounting firms could be impacted by this.”
Considered an “advanced persistent threat” (APT) likely originating from Russian-sponsored cyberwarfare actors, Sunburst “takes over whatever server it’s installed on and steals administrative level permissions from Microsoft Active Directory,” explained Vakil. “Then it can access the emails of high-level executives, IT staff, and others and exploit that access to work its way deeper into the network.”
Sunburst’s existence was revealed December 1 by the security firm FireEye, which announced that hackers had stolen some the firm’s “red team” tools—software used by teams of experts who act like hackers, trying to attack networks in search of vulnerabilities. Over the ensuing weeks, the extraordinary extent of Sunburst’s penetration was revealed as companies from Microsoft to Deloitte announced their networks had been hacked.
For security reasons, most companies that have been hacked will not reveal it publicly, and the full extent of the penetration may never be known. According to Vakil only a few attacks have been discovered but there’s a good chance there are a lot of latent hidden attacks that are yet to be discovered. What’s more, experts don’t fully understand the scope of the problems that Sunburst could have introduced into a network.
For supply chain practitioners and teams, Vakil recommends contacting suppliers and vendors – starting with their most critical ones – to inquire whether they run the Solar Winds’ Orion software and—if yes—what mitigations they’ve implemented (Resilinc customers can access a Sunbust supplier risk assessment survey through their account).
“It is not easy to figure out if a network has been compromised, so it’s a good idea to focus on whether your suppliers have implemented the mitigations recommended by CISA and Microsoft,” said Vakil. “As more suppliers start implementing these recommendations, some of the known issues will be addressed and we can have some level of confidence that supplier companies are doing something to address the hack. And it they are one of the approximately 18,000 companies that could be impacted, they’re putting in mitigations so the known attacks can no longer leak data.”
While this is a good starting point, companies need to remain vigilant on an ongoing basis: security experts agree that the scope of this attack could be far broader than what has been identified so far.
According to Vakil: “Supply chain teams will need to ensure that their suppliers are constantly monitoring their active directories to watch for fake accounts, elevated permissions, and other indications of a hack. You’ll need to make sure you and your suppliers are on top of the latest findings about Sunburst and implementing the most up-to-date recommended mitigations. This is the only way to make sure your suppliers are doing everything they can to protect your IP and your sensitive data.”
For more details on the Sunburst hack and risk management best practices, please listen to our recent webinar: SUNBURST: SolarWinds Orion Cybersecurity Attack Update.
For more information on Resilinc’s supplier assessment services – which include risk assessments for cybersecurity – please contact us.