SolarWinds Attackers Focused on Cyber and Tech Firms

By and | January 29, 2021

Whether it was opportunity, strategy or sheer chutzpah, the suspected Russian hackers behind a massive cyber-attack revealed last month focused particular attention on technology companies, including cyber-security firms entrusted to find malicious activity in their clients’ networks.

Four cyber-security companies announced this week that they had been targeted as part of the attack, adding to a list of at least eight other tech companies that the hackers tried to breach. Many of the companies said they successfully blocked the attackers, but some others acknowledged that their networks were infiltrated.

Related:

Suspected Russian Hack of U.S. Government: Espionage or Act of War?

Insurers Not Quitting on Cyber Even as Risks Mount

The hackers may have focused on technology and cyber-security companies simply because, after government agencies, they were the next best targets. For hackers, cyber-security companies represent the gatekeepers guarding the computer networks they so desperately wish to exploit, said Allan Liska, senior security architect at cyber-security analytics firm Recorded Future Inc.

Also, cyber-security and technology companies often have remote access to customers’ computer networks, potentially giving hackers entry to their clients and partners. Such digital supply chain hacks are an efficient method to corral hundreds, if not thousands, of potential victims, Liska said.

“If you can compromise security infrastructure, you essentially have the keys to the kingdom and can run around undetected,” he said. “And we’re dealing with an advanced adversary who’s looking for this kind of access.”

In the case of SolarWinds Corp., for instance, the hackers installed malware in its Orion software, which is used by government agencies and Fortune 500 companies. The Texas-based firm said that as many as 18,000 customers may have received the malicious code in software updates, though far fewer are believed to have been subject to further attacks from the hackers.

In addition, the hackers targeted at least one reseller of Microsoft Corp.’s Office 365 tools, likely by digging up login credentials and then compromising the resellers’ clients, cyber-security experts say. The suspected Russian attackers used those tactics to target the cyber-security company Crowdstrike, which wasn’t ultimately breached.

The cyber-research firm Malwarebytes Inc. was also targeted after a third-party application that protects its Office 365 email was hacked, and the hackers gained access to a “limited subset of internal company emails,” Malwarebytes said.

There’s not yet any evidence that cyber-security companies were a launching point for a broader attack, only that the Russian adversary attempted to do so.

“This is a persistent, sophisticated attack that requires organizations to look carefully at the supply chain of their IT infrastructure, which cyber-security is a part of,” said Ryan Gillis, vice president for cyber-security strategy and global policy at Palo Alto Networks Inc. “When you look at the consequences, from that we’ve seen so far, everything points back to the IT supply chain.”

Hacking into cyber-security companies also provides attackers with advantages when launching further attacks, potentially providing them with detection tools or source code that they can use to avoid being caught, according to cyber-security experts.

“If I am trying to break into your house, the best way to go through is to disable cameras, electronic clocks; this will give me a tactical advantage,” said Alex Holden, founder and chief information security officer at Hold Security. “Knowing how to evade detection in cyber is almost the entire battle. If they have the detection tools in their pocket, they’ve taken our safeguards to use against us.”

Mimecast Ltd., an email security provider, said Tuesday that hackers had turned one of its security tools against it to view its customers’ Microsoft 365 accounts. Fidelis Cybersecurity Inc. said that the company is investigating evidence that it might have been targeted. Another cyber-security company, Qualys Inc. was also targeted but said in a statement that “there was no impact on our production environment nor exfiltrated data.”

Palo Alto Networks said it was targeted by the same hackers in October but successfully stopped the attacks.

The hack was disclosed in December by the cyber-security company FireEye Inc., which itself was attacked. About 10 U.S. government agencies were infiltrated as part of the attack, including the departments of Justice, Treasury and Homeland Security. Among the other technology companies that were targeted for further attacks were Microsoft and Cisco Systems Inc. U.S. officials have said they believe hackers associated with the Russian government are behind the attack.

The attack isn’t the first time that cyber-security firms were compromised by hackers. In 2011, for instance, EMC Corp.’s RSA unit was breached, and two years later, the security firm Bit9 revealed that it had been hacked. Juniper Networks Inc. said it too was compromised in 2015.

Even so, trying to target cyber-security companies comes with its own perils. After all, the alleged Russian hackers could still be roaming undetected through U.S. government networks, and those of various companies, if they hadn’t decided to break into FireEye’s computers.

“Attackers are getting more sophisticated, and pursuing persistence over time instead of smash and grab techniques,” said Jim Jaeger, a former U.S. Air Force brigadier general who is now president and chief cyber strategist at the cyber investigations firm Arete Advisors LLC. “Now they’re aspiring to use cyber-security tools to get inside our networks. They’re taking our safeguards and using them against us.”

–With assistance from Jamie Tarabay.

Topics Cyber InsurTech Tech

Was this article valuable?

Here are more articles you may enjoy.