You don’t have to work in cybersecurity to be aware of the recent discovery that a sophisticated state actor had potentially compromised tens of thousands of private companies and government institutions in the Americas, Europe, and the Middle East. The means was a software supply-chain attack: the attackers breached the software build infrastructure of tech vendor SolarWinds and embedded malware in a legitimately signed update to its popular Orion network management tool. When customers installed that Orion update, the malware quietly established itself inside their organizations, in many cases locating sensitive data and forwarding it to external servers controlled by the attackers.

The attack used many ingenious techniques to evade detection by its victims’ IT operations monitoring tools and cybersecurity countermeasures, disguising its malicious tools, utilities, and network activity as legitimate processes and traffic. Its sophistication, the long arc of the campaign (believed to have begun in October 2019 and discovered, with a bit of luck, only in December 2020), and the skills, commitment, and funding required to carry it out classify it as an Advanced Persistent Threat (APT) attack of the kind generally mounted only by hostile national intelligence agencies (in this case, allegedly Russia’s Foreign Intelligence Service).

Now comes news that SolarWinds was not the only victim of this APT. Cybersecurity vendor Malwarebytes disclosed earlier this week that it, too, had been attacked by the threat actor behind the SolarWinds compromise, though via a different attack vector: abuse of applications holding privileged access to its Microsoft 365 and Azure environments. Malwarebytes asserts that only a limited number of its internal company emails were accessed and that its own software repository was not tampered with. (Earlier disclosures by vendors that believed they had been targeted by the same APT include Microsoft and cybersecurity firms FireEye and CrowdStrike, though the latter says the attempt failed to penetrate its network.)

If the SolarWinds APT missed you, don’t get cocky

The SolarWinds attack represents a leap forward in APTs conducted against private enterprises and government organizations in its scale, scope, and sophistication. No private business, public institution, tech vendor, or service provider should be laughing or pointing fingers at the initial victims of the attack, nor at the members of their software supply chains that were compromised as a result. Most companies invest in security defenses with cybercriminals in mind, hoping that their countermeasures will be good enough to discourage attackers and send them on to other, more vulnerable targets.

That “good-enough security” baseline does not pass muster against state actors mounting APTs: they have effectively unlimited resources, skills, time, and patience. Should they set their sights on you, they will most likely eventually succeed. In light of this dire fact, what can you do to at least reduce your risk of being victimized by a similar attack, one that could cause great harm to your reputation if you become a conduit for passing malware on to your partners and customers? Here are a few recommendations:

  • First, tend to your own backyard by renewing your commitment to building a multi-layered, defense-in-depth security architecture. Consider following a recognized security framework such as NIST SP 800-171 or ISO/IEC 27001 to work through potential risks systematically, identify your softest spots, and shore up those defenses.
  • Next, evaluate your vendors and service providers as a potential source of risk to you. (Acronis will soon publish an e-book with recommendations on this very topic.) Consider that any weak link in your software supply chain, as SolarWinds proved to be to its customers, is a potential avenue to the theft or destruction of your sensitive data.
  • Revisit your incident response management policy, and if you don’t have one, start building one immediately. Assume that some kind of cybersecurity attack on you will eventually succeed despite your best efforts to deploy comprehensive defenses, build solid security policies, and invest in good people. A well-constructed and regularly rehearsed incident response plan can significantly limit the damage from a cybersecurity incident, reduce the external blowback from investors, partners, and customers, and preserve the forensic evidence you’ll need to understand the attack and prevent a recurrence.

Additional resources:

If you are an Acronis distributor, reseller, or managed services provider partner, be sure to register for and attend our upcoming Acronis 2021 #CyberFit Partner Kickoff, which will feature a keynote on mitigating software supply-chain risk from cybersecurity expert Bobby Kuzma of the Herjavec Group.