The last major cyberattack that took place in 2020 highlights just how turbulent the last year has been in terms of cybersecurity. Sunburst has hit hundreds of large organizations through a sophisticated cyberattack for which damage assessment is still underway. This supply chain attack went undetected for months and has also affected certain institutions that should, theoretically, have the best possible cybersecurity measures available, such as the NSSA, an agency within the US Department of Energy which controls the nuclear weapons stockpile. This has also had a geopolitical impact.
The fact is that, while the origin of this malware is not known for certain, given its level of sophistication and the objectives it targets, suspicions point towards organizations connected to the Russian government and, as such, yet another episode of cyberwarfare. “This is a patient, well-resourced, and focused adversary,” CISA, the U.S. Cybersecurity and Infrastructure Security Agency said in a bulletin detailing the severity of the attack. The agency has confirmed that, for the time being, the cyberattack has only been neutralized in private organizations such as Microsoft, one of the corporations that has confirmed the presence of Sunburst and its subsequent neutralization.
Yet although private corporations have managed to deal with the attack, the same does not apply to government organizations, where it is a “developing situation”, as the FBI, CISA and the Office of the Director of National Intelligence (ODNI) have termed it in have termed it in a joint statement joint statement. Naturally, the main concern about this sophisticated cyberattack is focused on data obtained relating to the stockpile of nuclear weapons.
Difficult to detect_
As with many supply chain-type cyberattacks, this malware has proven difficult to detect as it takes advantage of a legitimate third-party component: in this case, a software update that has been trojanized. The affected platform is the SolarWinds Orion network management platform. Cyberattackers inserted Sunburst in a trojanized update which, moreover, has been signed as authentic and deployed massively across organizations.
Companies such as Microsoft, Intel, Cisco, and SAP are among the 18,000 customers to have downloaded the update, as confirmed by SolarWinds itself. Though, despite the large number of downloads, there are only 150 and 200 organizations that have been affected, mainly in the United States. Nevertheless, although the scope of the attack has not been so great, its severity lies, as mentioned above, in the difficulty to detect it and consequently in the time it has been working unnoticed as a tool for cyberattackers. In this respect, Sunburst is estimated to have started operating between March and June 2020, and the attack has escalated on at least one occasion.
Trojans in legitimate software_
As noted, Sunburst has trojanized an Orion software update, which has such authenticity that no organization has detected its presence. The number of cyberattacks with these characteristics is by no means small. A Ponemon Search study in 2020 revealed that, for the 51 percent of organizations that had made insurance claims due to a cyberattack incident, there was a third-party involved, who was usually a partner or technology service provider.
Although not all the details of this attack have come to light, it is clear that once the malware, delivered hidden in an Orion update, has accessed an organization’s network, it remains dormant accumulating data concerning its host. After 10 to 14 days, Sunburst sends the data to a remote command and control (C&C) server and, at this point, adversaries analyze this information and escalate the attack on the targets they consider worthwhile.
Zero trust by default_
The weak point exploited by supply chain attacks, a term which refers to attacks channeled through suppliers of products or services that are not within the direct scope of an organization’s protection, is that these organizations have an obsolete approach to cybersecurity, in that software is trusted simply because it comes from supposedly legitimate sources.
Therefore, in the face of cyberattacks of this type, it is essential to implement a cybersecurity approach that starts from the premise of not trusting, by default, any application. This is the case with the Zero-Trust Application Service which exists in all Cytomic solutions and prevents the execution of any software element, however trustworthy it may seem, without first being verified. This is how the chances of malware like Sunburst using the supply chain as its attack vector can be minimized.