How the SolarWinds Hackers Weaponized Cybersecurity Best Practices

The Solar Winds attack has demonstrated a painful reality: Hackers can cleverly use cybersecurity best practices as an infection vector.

The attack is believed to have compromised the U.S. government’s most sensitive records. Unfortunately, penetrating those secrets was not complicated for nation-state actors who pulled it off.

In March 2020, the company SolarWinds released a patch to their Orion software, a security best practice that should have protected the software provider and its clients from hackers. However, in this instance, an outside nation-state snuck malicious code into the patch, allowing hackers backdoor access into client’s networks.  The hack infected very secure companies, multiple U.S. government agencies and organizations including the reputable cybersecurity firm FireEye.

So, what went wrong? And what can we learn from this large-scale attack that has been blamed on the Russians?The hackers used the strategy of subtle reconnaissance to avoid detection of the hack for nearly nine months. After gaining access to a network, the hackers laid dormant for a few weeks before probing compromised networks.

The hackers disguised their malicious packets as packets created by the Orion software, allowing them to hide from network monitoring tools and anti-virus. The hack was finally detected in December 2020 when the cybersecurity firm FireEye, which uses SolarWinds Orion, fond that it had been compromised.

The hackers succeeded by weaponizing the tactics and methods organizations use to protect themselves from attacks.  For example, it is common practice for organizations to use only trusted and well-vetted software vendors to avoid a scenario where a third-party slips malicious code into their software on purpose, leaving systems vulnerable. Knowing that very secure companies only used trusted vendors, the Russian hackers chose SolarWinds as their attack vector, since it was already a widely used and well trusted company.

Another best practice exploited in this hack is that you should always update your systems as soon as possible. This best practice ensures that after the patch notes are released, which often list the security vulnerabilities fixed in the patch, hackers cannot exploit your systems. Knowing this, the Russian hackers attached their malicious code to a software update. Thus, the sooner a user installed the update, the more time the Russians had in that user’s network. This means that users who did not follow best practices and took their time to update or did not update at all actually ended up being in a better position than those who updated quickly.

The hackers also exploited a third best practice that encourages companies to perform vulnerability cans often and to continuously monitor their networks. The Russian hackers used frequent scans and monitoring to hide their own traffic. The hackers disguised their packets as Orion packets. Thus, the more a user did legitimate Orion scans the less suspicious the Russian packets appeared. This creates the paradoxical situation where a user who had the infected update but did not perform any scans was more likely to catch the infection than a user who performed frequent scans.

Since the Russians were able to use cybersecurity best practices as a weapon to infiltrate highly secure systems should we even have best practices? The obvious answer is YES! Despite the best practices failing to prevent an attack in this case, they are very helpful in preventing attacks in general. Any rational person will tell you that they would rather download their antivirus from Malwarebytes, a well-known and trusted company, than from antivirus.ru.

Similarly, patching is extremely vital to ensure security. For example, a patch to prevent infection by the infamous MS17-010 ExternalBlue hack was released a month before the exploit was made public. If everyone had followed the best practices and updated their systems immediately, the exploit would not have been possible. Likewise, frequent scanning does catch malicious software and prevents attacks before they cause any damage.

Just because these best practices were exploited in this one case does not mean we can forget about the millions of attacks they prevented.