Defending against supply chain attacks like the SolarWinds breach

The success of the massive SolarWinds supply-chain attack presents an urgent new cybersecurity challenge to every business. We plumb the tactics used in the SolarWinds breach and show how Acronis defends against it and similar attacks.

The SolarWinds breach that was first reported by cybersecurity vendor FireEye in early December 2020 has emerged as one of the most sophisticated and successful cyberattacks on Western government institutions and businesses in history, with its extent and gravity becoming clearer and more alarming by the day. As of this writing, a hacking group purportedly affiliated with Russia’s Foreign Intelligence Service – an espionage-focused security apparatus analogous to the USA’s National Security Agency – had successfully penetrated thousands of large global enterprises and multiple US federal government agencies, including the Departments of Homeland Security, State, Treasury and Commerce. While 80% of victims are believed to be US-based, the attack also compromised targets in Canada, Mexico, the UK, Spain, Belgium, Israel, and the UAE.

Acronis products already protect partners and customers against the core elements of the SolarWinds breach. The Acronis Cyber Protection Operation Centers (CPOC) team has already implemented signature-based, behavioral, and AI-based detection and termination capabilities for all processes involved in the incident, distributed them across its partner base, and published a corresponding Smart Alert. (See below to learn about the additional steps Acronis takes to secure its software development and distribution processes.)

We’ve prepared a detailed look at this attack to ensure our partners and customers are informed and taking the steps they need to enhance their security.

Historic SolarWinds breach

The SolarWinds breach is the largest extant example of a so-called supply-chain attack, in which an adversary compromises a trusted source of software, firmware, or hardware, embedding surveillance tools and other malicious code. The initial target can be a vendor’s private repository or app store, or a public code-sharing repository like GitHub. A potential breach is enabled whenever a user installs the compromised software update, firmware update, or hardware.

In the case of the SolarWinds breach, attackers managed to penetrate the tech vendor’s private repository for Orion, one of its popular services for monitoring and managing tech infrastructure and cloud services. Such tech-support tools are a popular target for attackers because, by their nature, they can easily provide access to the entire business as well as its customers, its partners, and even its partners’ customers.

The attack, believed to be years-long in duration from its inception to its recent detection, is also a trenchant example of an advanced persistent threat (APT) attack: a sophisticated, multi-stage effort most often undertaken by nation-states that have the deep pockets, patience, and skills required to mount them. APTs are by their nature designed to evade detection over the long term, thus are difficult to defend against and then to root out completely once they have been discovered.

Given the relative cybersecurity sophistication and big tech budgets of many of the victims, the global attack raises serious questions for Acronis partners and customers: how exactly did the SolarWinds supply-chain attack work, and how does Acronis help protect you against it and similar threats?

How the SolarWinds Orion attack worked

The attack followed the classic multi-stage tactics of APTs: initial compromise, communication to an external command and control server to download additional malware, surveillance of the tech environment to identify vulnerabilities, escalation of privileges, lateral movement within and beyond the network to infiltrate other accessible targets, and then execution of the ultimate attack – in this case, the theft of valuable data.

Specifically, hackers first compromised the private SolarWinds software repository, embedding malicious code in an update to its widely-adopted Orion IT services monitoring and management product. Tens of thousands of customers routinely installed the update as it was pushed to them (as is normally a best practice, as such updates include patches to close known security vulnerabilities and enable new features). Subsequent updates also included the malicious code.

With this beachhead established within the targets’ private networks, the attackers were able to download malicious tools to thousands of target companies and government institutions, then start surveilling and mapping out each tech environment – its internal network topology, location of servers, desktops, network nodes, and other devices, plus the revision levels of firmware, operating systems, and applications. With knowledge of available vulnerabilities and the compromise of internal authentication and authorization systems, it proceeded to access and then exfiltrate emails and other sensitive data.

Attackers effectively used many sophisticated techniques to avoid detection, including focusing their intrusions on US-based tech infrastructure and using resource names consistent with the targets’ naming conventions. The malicious code consisted of a few dozen lines buried in a product with over 50,000 lines of code. Attackers took over local internet domains from which to launch their attacks.

Innovative, malicious shell code was able to act as a legitimate web API embedded in the Orion product, of which the typical user is an IT staffer with high privileges and visibility of the target network. This shell was compiled in-memory on the fly (an example of “living off the land” malware), never taking residence in storage as a file that could be scanned, thereby avoided many legacy cybersecurity detection techniques. From this vantage, the attackers could deploy malicious but legitimate-seeming sub-apps for reconnaissance, lateral movement within the network and to external networks being managed by the product, and exfiltration of emails and other sensitive data.

Current evidence suggests that the theft of sensitive business and government data, including knowledge of IT infrastructure and operations, was the main goal of the attack, with tactics chosen to achieve stealth, establish persistence, and conduct data theft over a long period. (Despite some public speculation by US legislators, no evidence has yet emerged that the compromise had enabled other mischief, e.g., potential attacks on US critical infrastructure.)

While the success of this operation is a big blow to the affected businesses and government agencies, its effects could have been much worse. One of the most common malware attacks these days combines data theft with a ransomware attack that encrypts the target’s data. Had the attackers chosen this additional tactic, many victims of this APT might now be struggling to recover now-inaccessible data and resume normal operations as well as worrying about data theft.

The fact remains that, despite installing a new secure SolarWinds update, many victims will face a long challenge ahead of determining that no remaining malware has been left behind, awaiting another new activation commands to receive new malware, spread it across the internal network and to customers, and resume stealing and/or destroying data.

How does Acronis protect against such attacks?

Software providers like Acronis are certain to come under increased scrutiny as partners, customers and potential buyers seek to understand what steps their tech vendors are taking to prevent their products from becoming the first stage in a supply-chain APT. Crucial mechanisms for this purpose include: a) the implementation of a secure software development program; and b) mechanisms to defend the product and customer data from modification and other attacks. Here is how Acronis addresses those questions.

Acronis ensures the security and reliability of its products with its Secure Software Development Life Cycle (SSDLC) program, as well as deploying a dedicated security team to enforce comprehensive infrastructure, network, access, and personnel security policies. Acronis programs and tactics to this end include:

  • Training of software architects and engineers, as well as IT operations and cybersecurity staff, in security awareness and relevant standards for secure code architecture, development, and protection against tampering.
  • Use of a multi-level process to analyze and review code for vulnerabilities at every stage of development, with reviews conducted independently by internal development teams, sandbox testers, and external auditors.
  • A decomposed code development process that enables scrutiny of individual software components by random reviewers prior to commitment to the next stage of the development process and subsequent integration.
  • Secure transmission of code modules to subsequent development phases and digital signing of secured binaries prior to a final sandbox review of security and privacy features before distribution to external auditors, partners, and customers.
  • Protection of encrypted customer data against access, modification, or copying by Acronis employees.
  • Deployment of an independent security team, separate from IT operations and cybersecurity staff, to conduct internal security awareness training, audits of security infrastructure and processes, and enforcement of security policies.
  • Application of a wide range of stringent cybersecurity and physical security standards to all Acronis data centers and CPOCs around the world, including routine audits by independent third-party auditors of high reputation, external penetration testing of network security measures, internal network segmentation, and intrusion detection scanning.
  • Encryption of customer data in transit and at rest in Acronis data storage infrastructure, and stringent erasure and/or destruction of decommissioned storage media.
  • Implementation of strict confidentiality, business ethics, and code of conduct policies for Acronis employees, including background checks where appropriate, non-disclosure agreements, and principals of segregation of duties, need to know, and least privilege to protect against malicious or inadvertently dangerous acts by insiders. Strict access controls, multi-factor authentication, and ubiquitous activity logging ensure only appropriate access to sensitive systems.
  • Establishment of a bug bounty program to encourage and reward the disclosure of potential security vulnerabilities in all Acronis products.
  • The use of hardware-backed storage of private binary encryption keys to ensure that customer keys cannot be exported or leaked.

Final thoughts

The issue of supply-chain attacks is not new: Acronis has spent years developing internal secure code development processes, improving the security of our internal tech and physical infrastructure as well as our global network of data centers and CPOCs, and training our employees, partners, and customers on procedures to minimize the risk of such attacks. But the SolarWinds breach provides a useful reminder that adversaries, including both cybercriminals and hostile state-actors, continue to innovate and evolve in sophistication, guile, and persistence.

We know that they are using the same advanced tools in the development of their attacks – heuristics, machine learning, artificial intelligence, increased integration, and automation – that legitimate tech vendors and service providers use to defend ourselves and our customers. It is a battle in which attackers generally have first-mover advantage: it is easier to attack than it is to detect, contain, terminate, and recover from an attack.

Acronis will continue to be transparent with our partners and customers regarding the steps we are taking to defend them from attacks that result in downtime as well as theft, modification, and destruction of critical business data.

In addition, Acronis is committed to continually educating partners and customers on the best practices that should be employed to deter such attacks, including the evaluation of their other tech vendors for their resilience against supply-chain attacks and advanced persistent threats. For more information:

  • Keep abreast of Acronis Smart Alerts distributed through Acronis CPOCs
  • Check out our complimentary cybersecurity-oriented advisories, analysis, and white papers in the Acronis Resource Center and on the Acronis Blog
  • Take advantage of Acronis Academy training courses to attain certification in secure deployment, operation, and support of Acronis Cyber Protect and other products.