Everyday people typically think of hacking as a targeted attack that penetrates a single system or device and pilfers valuable digital assets. Cybercriminals, many believe, are like burglars orchestrating quick smash-and-grabs. The SolarWinds hack dispels that common myth and serves as a teaching moment. It illustrates the fact that clever cybercriminals can hide in plain sight indefinitely. Experts in the cybersecurity sector confirm the SolarWinds incident highlights a level of criminal sophistication that proves businesses and individuals must push back with constant vigilance.
According to news reports and U.S. Senate hearings, the SolarWinds information technology firm was successfully attacked, and hackers lay undetected for at least several months during 2020. Government officials again try to blame the infiltration on Russians and indicate the hack was a strategy to spy on private-sector corporations.
Among the key outfits that were reportedly penetrated was FireEye, a cybersecurity firm that works with high-level government agencies such as the Treasury Department and Department of Homeland Security, among others. Experienced cybersecurity professionals believe that the general public will never know how far-reaching the hack was because officials do not want the negative exposure.
“I think that we can start with the premise that we will never know exactly how far the hack went. SolarWinds will do everything in their power to suppress any evidence that will show incompetence,” Ilan Sredni of Palindrome Consulting reportedly said. “Yet, at the same time, the U.S. government has nothing to gain considering that some of their own offices were using the SolarWinds product.”
In 2020, cybercriminals infiltrated a SolarWinds system called “Orion” undetected and inserted malicious code. The firm enjoyed a customer base of 33,000, and the malicious code was inadvertently forwarded to them in the form of software updates, according to the SEC. The code opened a backdoor for hackers to slip into wide-reaching private and government networks. Bad actors were then able to insert malicious software that allowed them to spy, steal, and copy digital assets at will.
As Sredni points out, companies can anticipate that comprehensive information could be difficult to access given the widespread embarrassment and potential liability. But other cybersecurity experts agree that hackers are typically inclined to spread their reach and pilfer data for profit from peripheral organizations.
“Everyday users need to understand that they are targets because they are the weakest link. An average user may have no idea that they have been hacked. Most threat actors take pains not to be discovered and to stay in a compromised system for as long as possible. Users will have no idea that all their credit card numbers are being stolen, their processing power is being used to attack other systems, or their contact lists are being harvested to open up new targets,” Carl Fransen of CTECH Consulting Group reportedly said. “On a national side, the IT firms and departments need to enforce stricter security measures. This goes beyond the simple firewall, password, and antivirus. The current security technologies such as identity management, data loss prevention, internal risk management, and external document protection need to be applied.”
Although the SolarWinds debacle is trending on national media outlets, business professionals would be wise to understand this is not an isolated incident. Nor does SolarWinds come close to being the most deceptive hacking scheme ever conducted. The Marriott hotel chain, for example, suffered a 16-month hack that compromised the personal identity data of an estimated 500 million guests. Even after taking measures to secure its systems, the corporation reportedly suffered another breach that impacted 5.2 million guests.
Business leaders would be wise to consider that the SolarWinds hack could be far more prevalent than media reports indicate. Cybersecurity experts believe these sophisticated hackers appear to possess the skill levels to sidestep standard protections across the board.
“I believe this will be a very invasive hack. They were able to get inside a patch update as part of the program. They got through all the protection layers because this is an approved application within most organizations that use it,” Ravi Jain of Technijian reportedly said. “Also, the platform generally has administrative credentials so that it can fully monitor all network devices. That means the malware could get onto any device that the platform was monitoring.”
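The scenario Jain describes, a monitoring platform whose administrative credentials reach every device it watches, is why defenders baseline such service accounts: they should authenticate from one server and never interactively. The following is an added example, not code from the article or from SolarWinds; the account svc-netmon, the server netmon01, the host names and the log format are all constructed for illustration.

```python
"""Flag use of a monitoring platform's privileged service account outside its
expected pattern. Account, host names and log format are constructed."""
from dataclasses import dataclass

# Constructed baseline: the account belongs to the monitoring server, should
# only authenticate from there, and never with an interactive logon type.
MONITOR_ACCOUNT = "svc-netmon"   # hypothetical service account
MONITOR_SERVER = "netmon01"      # hypothetical monitoring server
INTERACTIVE_TYPES = {"interactive", "remote_interactive"}

@dataclass(frozen=True)
class AuthEvent:
    ts: str
    account: str
    source: str
    dest: str
    logon_type: str

def parse_event(line: str) -> AuthEvent:
    """Parse one constructed pipe-delimited auth record."""
    ts, account, source, dest, logon_type = [f.strip() for f in line.split("|")]
    return AuthEvent(ts, account, source, dest, logon_type)

def flag_event(ev: AuthEvent) -> list[str]:
    """Return the reasons an event is suspicious; empty list means expected use."""
    if ev.account != MONITOR_ACCOUNT:
        return []  # other accounts are out of scope for this baseline
    reasons = []
    if ev.source != MONITOR_SERVER:
        reasons.append(f"source {ev.source} is not the monitoring server")
    if ev.logon_type in INTERACTIVE_TYPES:
        reasons.append(f"{ev.logon_type} logon by a service account")
    return reasons

def scan(lines: list[str]) -> list[tuple[AuthEvent, list[str]]]:
    """Return (event, reasons) for every record that breaks the baseline."""
    return [(ev, r) for ev in map(parse_event, lines) if (r := flag_event(ev))]

# Constructed sample: routine device polling, then the same account appearing
# from a workstation and opening an interactive session on a file server.
SAMPLE_LOG = [
    "2020-12-01T08:00:01 | svc-netmon | netmon01 | core-sw-1 | network",
    "2020-12-01T08:00:02 | svc-netmon | netmon01 | fw-edge-2 | network",
    "2020-12-01T08:05:17 | jdoe | ws-114 | fs-01 | interactive",
    "2020-12-01T09:41:33 | svc-netmon | ws-207 | fs-01 | remote_interactive",
]

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG):
        print(ev.ts, ev.source, "->", ev.dest, ";", "; ".join(reasons))
```

Only the last record is flagged, for two independent reasons; the routine polling from the monitoring server passes, as does the unrelated user logon.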
Joe Cannata of Techsperts in New Jersey agrees that an increased number of organizations may be unwittingly compromised.
“I believe there is plenty more to discover with regard to the depth and severity of the SolarWinds hack. I don’t believe all the companies who have been impacted have been disclosed,” Cannata reportedly said.
If there’s a silver lining to the SolarWinds hack, it’s that businesses are more keenly aware of vulnerabilities. Cybercriminals were able to penetrate government systems ranked among the most secure in the world. That alone highlights the fact that ongoing efforts to monitor systems and harden defenses remain a business necessity.
“Cybersecurity is always evolving, and there are no static solutions. Considerable resources will need to be continually allocated to keep up the fight, which has no end in sight. I’m sure there are breaches that occur daily that the public is never made aware of,” Cannata reportedly said. “As cybersecurity policies continue to evolve, the average user will be made more aware of the steps they can take to protect themselves and their assets. The best advice for the average user is to enable multi-factor authentication on any and all accounts that provide the option. This is currently one of the best tools available to keep yourself and your assets secure.”
Organizations concerned about the possibility of the SolarWinds hack extending to their systems would be well-served to contact a cybersecurity expert and have their systems vetted for malicious software and vulnerabilities.