Unquantified consequences of SolarWinds cyberattack

Paris (AFP) –


Thousands of companies and institutions across the globe are having to check if they have been hacked via security software from Texan firm SolarWinds at the heart of a cyberattack on several US government agencies.

Here is what we know to date about the sophisticated attack:

- How did the hackers get in? -

The hackers managed to compromise and instal malware on a piece of security software -– the Orion security tool developed by SolarWinds which is used for management and supervision of IT networks at many large companies and several US government agencies.

The attack was discovered by cybersecurity company FireEye, which, along with SolarWinds, has pointed the finger at hackers linked to the Russian government.

The hackers reportedly breached software used by the US Treasury Department, the Commerce Department and the Department of Homeland Security, allowing them to view internal email traffic, prompting an FBI investigation.

The software had enjoyed much commercial success based not least on its state of the art ergonomic interface.

The malware was laced into the software updates that breached network security and allowed access to data including mail, with FireEye saying the breaches began around last March.

- Who are the victims? -

According to SolarWinds, some 18,000 users of Orion have potentially suffered a security breach, including government agencies and Fortune 500 companies.

For now, experts say the hackeers seem primarily to have used a security flaw, dubbed Sunburst, to break into US governmental agencies, insert malicious code and gain access to data to aid state espionage.

FireEye discovered the flaw through its own usage of SolarWinds and was itself affected by certain tools it was deploying to test its clients' security.

According to FireEye, what it termed a state sponsored attack targeted governments as well as leading global enterprises notably in the technology and energy sectors in North America, Europe, Asia and the Middle East.

According to Jacques de la Riviere, who runs French cybersecurity firm Gatewatcher, it remains "too early" to know which other firms or institutions have been infiltrated.

The actual content of what the hackers were targeting and to what extent they were successful also remains unknown.

Cybersecurity systems across the globe are on alert to track any sucpicious activity which could suggest the compromising of data held by SolarWinds.

Firms or institutions which have used infected updates are urged to disconnect their servers and then track if there are any telltale signs their data may have been compromised.

- Who is to blame?

FireEye and Microsoft believe the attack was by a nation state and expert analysis has pointed the finger at Russia, as have anonymous US security sources. As yet, Washington has yet to give the accusation its official seal.

These US sources have shone their investigative torch on an organisation known as advanced persistent threat (APT) 29, or Cozy Bear, which is believed to be linked to one or more Russian intelligence agencies and has previously pirated the White House under President Barack Obama.

- Lessons to learn -

Jacques de la Riviere says he has for his part responded by ramping up protection on his own servers.

Beyond that he hopes that this high-profile attack will encourage firms and institutions to be more demanding when it comes to stewardship of their data and software security which were shown up by the Orion breach.

He hopes that "this could be a turning point, where many clients are going to start saying 'I no longer want to purchase software that has not been certified by a third party.'"