In a new blog post, SolarWinds said the company first noticed “suspicious activity” on its Orion platform in September 2019, more than a year before discovering the malicious code now referred to as SUNBURST, which enabled the December 2020 cyberattack.
According to SolarWinds, the SUNSPOT malware inserted the SUNBURST backdoor “into software builds of the SolarWinds Orion IT management product.”
In other words, the malware mimicked SolarWinds’ own IT product, slipping in during the build process.
“The design of SUNSPOT suggests [the hackers] invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers,” according to the blog post.
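One defensive check this kind of build-environment implant motivates, as an added example that is not from the article or from SolarWinds: pin the clean source tree to a hash manifest and verify each file against it at the moment the compiler reads it. The project files, the toy compile step and the tampering are all constructed inline, and the compile-time hook (`verify_compiler_inputs`) is an assumed integration point, not a feature of any real build system.

```python
# Added example: compile-time manifest check for source tampering.
# Sample project, "compiler" and tampering step are constructed inline.
from __future__ import annotations
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(src_root: Path) -> dict[str, str]:
    """Pin every source file to its digest from the clean checkout."""
    return {str(p.relative_to(src_root)): sha256_file(p)
            for p in sorted(src_root.rglob("*")) if p.is_file()}


def verify_compiler_inputs(src_root: Path, manifest: dict[str, str],
                           inputs: list[str]) -> list[str]:
    """Assumed pre-compile hook: check the files the compiler is about to
    read against the manifest. Returns the paths that no longer match."""
    bad = []
    for rel in inputs:
        path = src_root / rel
        current = sha256_file(path) if path.is_file() else None
        if manifest.get(rel) != current:
            bad.append(rel)
    return bad


def simulate_build(tamper: bool) -> tuple[list[str], bool]:
    """Run a toy build. With tamper=True a hypothetical implant swaps one
    source file in just before compilation and restores it afterwards.
    Returns (files flagged at compile time, whether the tree matched its
    manifest again once the build had finished)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "Core.cs").write_text("class Core { }\n")   # constructed sample
        (src / "Util.cs").write_text("class Util { }\n")   # constructed sample
        manifest = build_manifest(src)
        original = (src / "Core.cs").read_bytes()
        if tamper:
            (src / "Core.cs").write_text("class Core { /* injected */ }\n")
        flagged = verify_compiler_inputs(src, manifest, ["Core.cs", "Util.cs"])
        if tamper:
            (src / "Core.cs").write_bytes(original)   # implant covers its tracks
        clean_after = build_manifest(src) == manifest
        return flagged, clean_after
```

A before-and-after comparison of the tree alone would not flag the swapped file, since it is restored once compilation is done; the check has to run against what the compiler actually consumes.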
SolarWinds said it “identified two previous customer support incidents during the timeline referenced above that, with the benefit of hindsight, we believe may be related to SUNBURST.”
Both incidents prompted investigations, but SolarWinds did not find the SUNBURST malicious code until December.
On the heels of the SolarWinds update, CISA launched a new Systemic Cyber Risk Reduction Venture, pointing to the SolarWinds Orion hack as a consequence of the “concentrated sources of cyber risk” the new venture aims to address.
“The SolarWinds Orion cyber campaign has highlighted how tools that typically leverage a significant number of highly privileged accounts and access to perform normal business functions can themselves actually become adversarial attack vectors if insufficiently hardened,” wrote Bob Kolasky, CISA’s assistant director for the National Risk Management Center.
In the press release, Kolasky underscored open source code libraries as a significant cyber risk. Daniel Kroese, former associate director for CISA’s National Risk Management Center, specifically called out open source software at GovernmentCIO Media & Research’s Infrastructure: Foundations of the Future event.
“Software represents a potentially concentrated source of risk if you don’t have the vulnerability management and acquisition strategies around it,” he said during a panel on IT supply chain security. “We’re working to deploy a series of tools across government agencies, but also private sector partners in the critical infrastructure community to do this supply chain analysis so that if there are vulnerabilities ... we can track it, understand where it is and patch that swiftly.”
Kolasky said the Systemic Cyber Risk Reduction Venture will prioritize “software assurance” because it’s an area with “systemic risk.”
In December 2020, CISA released its Information and Communications Technology Supply Chain Risk Management Task Force Year Two Report, which detailed ways in which federal agencies can take stock of their ICT supply chain risk, like software vulnerabilities.
To prevent major hacks like the SolarWinds breach from happening again, the CISA Systemic Cyber Risk Reduction Venture will develop cyber risk analysis and cyber risk metrics for critical infrastructure, and identify and promote tools to address “concentrated sources of cyber risk,” like software supply chains.