NTT Ltd has warned of continuing fallout from the SolarWinds breach. The warning comes in the latest Global Threat Intelligence Centre (GTIC) monthly report. Most security vendors are convinced that the attack was the work of one or more Russia-based groups. NTT agrees, at present, but also warns: “Analysts must remain vigilant in their research, identify and verify, or disprove connections between Sunburst, Kazuar and the Turla Group as more attack details are ascertained.”
There are several reasons for this caution. The first is the embarrassment caused to the cybersecurity industry after an attack on German politicians. After months of vendors attributing the attack to state-sponsored actors, it turned out to be the work of a disaffected and bored teenager. The second, and more important, is the accessibility of Malware as a Service platforms. Malicious actors rent infrastructure and tools to each other, which obscures the real actor behind an attack. They also trade stolen data. Without further explicit intelligence, the real actors behind the SolarWinds attack may never be identified.
Digital forensics must be a priority for anyone affected
It is now over a year since SolarWinds was breached. After sitting in the company’s email systems for over three months, the attackers began their attack. That long dwell time means there are still attacks to be uncovered and victims who do not yet know they are victims. The GTIC report calls out several indicators of compromise that affected customers should be checking for, and says that more investigation must be done.
One of the challenges for many organisations is digital forensics. According to Azeem Aleem, Vice President Cyber Security Consulting and Global Digital Forensics and Incident Response Lead: “The SolarWinds cyberattack is a crucial lesson in the sheer importance of robust supply-chain security practices. This attack was specialised, with the threat actors aggressively covering their tracks by covertly deleting the event and activity logs, thereby reducing the forensic evidence for tracking and evidential capture.
“While cyber analysts are learning more and more about the impact of the malware that infected the SolarWinds software, the complete threat landscape still remains unknown. As new attack vectors and victims emerge every day, organisations across the globe should stay on high alert around possible threats to their supply-chains.
“Minimising the breach exposure time by proactive incident detection and response is another key component, enabling cybersecurity teams to identify potential problems in their technology infrastructure and take steps to close the gaps. Actionable Intelligence can be used to proactively boost cyber defences for the future.
“Organisations must consider that more threat actors are likely to mimic the success of this attack. Reducing the impact of the SolarWinds breach requires ongoing global collaboration between its victims, digital forensics teams and technology companies as well as action to combat future threats.”
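Aleem’s point about attackers deleting event and activity logs is one an incident responder can test for directly, because a log wipe leaves traces of its own. The Python below is an added example written for this article, not code from NTT, the GTIC report or any SolarWinds investigation. It runs offline over a constructed set of Windows event records (the timestamps, record IDs, hostless channel names and the command line are invented for illustration) and flags four signals: an explicit Security 1102 or System 104 “log cleared” event, a process-creation (4688) record whose command line clears a log, an EventRecordID that goes backwards, and an unusually long silent window in a normally chatty log. The field names `channel`, `record_id`, `event_id`, `time` and `command_line` are assumptions about how the records were exported from the .evtx files.

```python
"""Flag anti-forensic log clearing in Windows event records.

Added example for this article, not code from NTT or the GTIC report. It runs
over a constructed list of records shaped like the fields an analyst would
export from Security and System .evtx files; every value below is invented.
"""
from collections import Counter
from datetime import datetime, timedelta

# Documented Windows event IDs that record a log being wiped.
CLEAR_EVENTS = {
    ("Security", 1102): "audit log cleared",
    ("System", 104): "event log cleared",
}
# Command-line fragments (assumed attacker tooling) that clear logs; matched
# case-insensitively against process-creation (4688) records.
CLEAR_COMMANDS = ("wevtutil cl", "wevtutil.exe cl", "clear-eventlog")


def find_log_clearing(records, max_gap=timedelta(hours=6)):
    """Return a list of findings, each a dict with 'kind', 'channel', 'time'
    and 'detail'. Kinds: clear_event, clear_command, record_id_reset,
    silent_window (no records for longer than max_gap within one channel)."""
    findings = []
    for r in records:
        label = CLEAR_EVENTS.get((r["channel"], r["event_id"]))
        if label:
            findings.append(_finding("clear_event", r, label))
        cmd = r.get("command_line", "").lower()
        if r["event_id"] == 4688 and any(c in cmd for c in CLEAR_COMMANDS):
            findings.append(_finding("clear_command", r, r["command_line"]))

    # Sequence checks are per channel: each log has its own record counter.
    by_channel = {}
    for r in records:
        by_channel.setdefault(r["channel"], []).append(r)
    for channel, recs in by_channel.items():
        recs = sorted(recs, key=lambda r: r["time"])
        for prev, cur in zip(recs, recs[1:]):
            if cur["record_id"] <= prev["record_id"]:
                findings.append(_finding("record_id_reset", cur,
                    f"record id {cur['record_id']} after {prev['record_id']}"))
            gap = cur["time"] - prev["time"]
            if gap > max_gap:
                findings.append(_finding("silent_window", cur,
                    f"no events for {gap} before this record"))
    return findings


def _finding(kind, record, detail):
    return {"kind": kind, "channel": record["channel"],
            "time": record["time"].isoformat(), "detail": detail}


def summarise(findings):
    """Count findings by kind; a one-line triage summary."""
    return dict(Counter(f["kind"] for f in findings))


def _rec(channel, record_id, when, event_id, **extra):
    return {"channel": channel, "record_id": record_id,
            "time": datetime.fromisoformat(when), "event_id": event_id, **extra}


# Constructed sample: hourly logons in Security, a wevtutil clear at 10:00
# followed by 1102 at record 1, then a 14-hour silence; System is cleared at
# the same moment (104 at record 1).
SAMPLE_RECORDS = [
    _rec("Security", 5001, "2021-01-10T08:00:00", 4624),
    _rec("Security", 5002, "2021-01-10T09:00:00", 4624),
    _rec("Security", 5003, "2021-01-10T10:00:00", 4688,
         command_line="wevtutil.exe cl Security"),
    _rec("Security", 1, "2021-01-10T10:00:05", 1102),
    _rec("Security", 2, "2021-01-10T11:00:00", 4624),
    _rec("Security", 3, "2021-01-11T01:00:00", 4624),
    _rec("System", 900, "2021-01-10T08:30:00", 7036),
    _rec("System", 1, "2021-01-10T10:00:05", 104),
    _rec("System", 2, "2021-01-10T11:30:00", 7036),
]

if __name__ == "__main__":
    for f in find_log_clearing(SAMPLE_RECORDS):
        print(f"{f['time']} {f['channel']:<8} {f['kind']:<15} {f['detail']}")
    print(summarise(find_log_clearing(SAMPLE_RECORDS)))
```

On the sample data this reports two clear events, one clearing command, two record-ID resets and one silent window. In practice the records would come from collected .evtx files or a SIEM, and each signal is a lead rather than a verdict: an administrator clearing a log legitimately also produces 1102 and resets the record counter, so the next step is to corroborate against who ran the command and against sources the attacker could not reach, such as forwarded logs, EDR telemetry and network captures.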
Enterprise Times: What does this mean?
The fallout from SolarWinds is likely to be an issue throughout 2021 as more details are uncovered. This week a new attack related to SolarWinds, attributed to suspected Chinese rather than Russian attackers, has been revealed. It targeted the US National Finance Center, a federal payroll agency. At the same time, Trustwave revealed two more vulnerabilities in SolarWinds software. While they have been patched, it shows how hard it is to draw a line under an incident of this kind.
The issue for many organisations is not just the type of attack, but how long an attacker may sit in their systems before acting. This is where forensics becomes critical, and it is something that many organisations are poorly positioned to do themselves.
The other major threat here, called out by Aleem, is the risk of copycat attacks. These could come from other malicious actors renting the malware and infrastructure used in the original attacks. They could equally come from information sold by the original attackers. Wherever they come from, organisations need to rethink how they verify and secure their IT estate.