
2021-05-11
Annabelle Theobald

From herding dog to sacrificial lamb

CISPA faculty member Christian Rossow talks about first lessons learned from the Solarwinds attack. 

Just how sophisticated and dangerous cyberattacks can be is illustrated by the SolarWinds attack that became known in December 2020. Hackers succeeded in injecting malicious code into the Orion network monitoring software of the Texas-based IT service provider SolarWinds and gaining access to sensitive data of its users. These included government agencies around the world as well as major companies such as Microsoft and Intel. It is still unclear how much data was actually captured or manipulated by the attackers. American security authorities suspect that a group from the Russian intelligence service was behind the attack. CISPA faculty professor Dr. Christian Rossow explains how the attackers carried out the attack and how one can defend against such attacks.


The attack on the SolarWinds software Orion, which is actually used to detect errors and vulnerabilities in networks, unintentionally turned the program from a guardian against cybercriminals into their henchman. What had happened? "Cyber attackers managed to inject malicious code into the established security product via a manipulated update. They thus gained control over IT systems on which the SolarWinds software for central network monitoring was installed." According to Christian Rossow, the fact that the incident made such waves is due not only to the enormous scope of the attack - the software is used in more than 18,000 government agencies and corporations worldwide - but also to how sophisticated it was.

"Because of the central location of the software, quite a few companies and government agencies were hit at a very vulnerable point in their networks," Rossow explains. That, along with the software's widespread use, has allowed attackers to tap into highly sensitive data, he says. Even though the original security hole has long since been closed, the fundamental danger has not been eliminated. "Similar attacks can in principle be repeated - assuming the professionalism of the attackers - since updates are usually applied automatically according to the general recommendation."

The SolarWinds attack was a so-called supply chain attack, in which attackers first try to introduce malware into a software system and then distribute it to customers via updates. The software manufacturers must be made more responsible for optimizing their protective measures for the creation, testing, and distribution of updates, says Rossow. In addition, it is advisable to use software that is capable of quickly detecting anomalies and malicious behavior, he adds. "Of course, this is of no use if, as in this case, such a monitoring system itself falls victim to the attack," Rossow says.

In general, he says, software should first be checked for malicious behavior before it is executed. This is possible, for example, with a so-called malware sandbox. Similar to a biological virus laboratory, a virtual computer is "infected" with the potentially malicious software in order to observe its behavior. "The SolarWinds case suggests that you should run this check not only for potentially malicious email attachments and USB stick content, but in principle also for software updates," says Rossow.

"However, there will never be a 100 percent secure protection against cyber attacks," the researcher is convinced. "There are too many absolutely necessary functions that can be abused as a gateway, for example, the often fast-moving exchange of data, communication or the operation of an IT system." Here, he says, it is necessary to reduce the functions to an absolute minimum, to train personnel specifically and continuously in IT security, and to use complementary, sensible protective measures for service and network monitoring. The Corona crisis brings its own challenges, because the shift of many activities to working from home is accompanied by a loss of control over the trustworthiness of IT systems. "The restructuring of IT networks helps to minimize the damage that individual systems can do to an entire organization."

translated by Oliver Schedler