For a few weeks in December the SolarWinds software breach was big news. Like so many events these days, however, it was soon crowded out of the headlines, which I suspect is just fine with security experts, who prefer to combat these threats outside the glare of attention.
The initial targets of the SolarWinds attack appear to have been government systems, which is disturbing in itself. Even more troubling is the possibility of “sleeper cells” having been embedded in thousands of corporate systems (including banks and credit unions, a key SolarWinds vertical), lying in wait for future exploitation. Worst of all, the hackers’ approach, which was ingenious in a sinister way, serves as an “aha moment” for cybercriminals worldwide, opening up a scary new front for the good guys to defend.
On that upbeat note, let’s consider some expert insights that have emerged since the incident receded from the front page.
Words from the Front
As Jeff Olejnik pointed out on our recent BIGCast, SolarWinds’ effect on financial institutions could range from “little to no impact, to quite devastating.” According to the head of Wipfli’s CyberTech practice, credit unions and banks must not only confirm whether they themselves were running SolarWinds’ Orion platform, but determine the same for vendors throughout their supply chain. If they were, a forensic investigation of logs (for new user accounts, DLL changes, etc.) is in order, assessing system activity dating back to March 2020, when the first incursion occurred; it went undetected for eight months. For the thousands of FIs that likely find themselves in this situation, an ongoing compromise assessment will also be essential.
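As an added illustration (this is not part of the original post, and not a Wipfli or BIG tool), here is a PowerShell triage script that runs the three checks above on a single Windows host: whether Orion is registered as installed, which DLLs under the Orion folder changed during the window and how they are signed, and which local accounts were created since March 2020. The install path and the start date are assumptions to adjust for your environment, and the script is a first pass to scope the work, not a substitute for the log forensics and ongoing compromise assessment Olejnik describes.

```powershell
# Added example, not from the original post or from Wipfli/BIG.
# Assumes: a Windows host, an elevated PowerShell session, and the default
# Orion install folder in $OrionPath (assumed default; change as needed).
param(
    [string]   $OrionPath = 'C:\Program Files (x86)\SolarWinds\Orion',  # assumed default install path
    [datetime] $Since     = (Get-Date '2020-03-01')                      # start of the review window (March 2020)
)

# 1. Is (or was) a SolarWinds product registered in Add/Remove Programs?
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$orion = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like '*SolarWinds*' }
if ($orion) {
    "SolarWinds products registered on $env:COMPUTERNAME:"
    $orion | Select-Object DisplayName, DisplayVersion, InstallDate | Format-Table -AutoSize
} else {
    "No SolarWinds product registered in Add/Remove Programs on $env:COMPUTERNAME"
}

# 2. DLLs under the Orion tree written since the start of the window, with hash
#    and Authenticode status, exported for the forensic team. An unsigned DLL or
#    one signed by someone other than SolarWinds deserves a closer look, but a
#    valid SolarWinds signature alone does NOT clear a file: the malicious Orion
#    updates were signed with SolarWinds' own certificate, so hashes must still be
#    compared against vendor-published indicators.
if (Test-Path -Path $OrionPath) {
    $report = Get-ChildItem -Path $OrionPath -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Written   = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                SigStatus = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    $report | Export-Csv -Path ".\orion-dlls-$env:COMPUTERNAME.csv" -NoTypeInformation
    "$(@($report).Count) DLL(s) under $OrionPath modified since $Since (see CSV)"
} else {
    "Orion folder $OrionPath not present"
}

# 3. Accounts created on this host since the start of the window
#    (Security event 4720 = "A user account was created").
#    The local Security log rarely reaches back to March 2020; if its oldest
#    event is newer than $Since, the earlier period must come from the SIEM
#    or log archive, which is where the real review belongs anyway.
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest -ErrorAction SilentlyContinue
if ($oldest -and $oldest.TimeCreated -gt $Since) {
    "Warning: local Security log only starts at $($oldest.TimeCreated); earlier events must come from central log storage."
}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Created    = $_.TimeCreated
            NewAccount = $_.Properties[0].Value   # TargetUserName
            CreatedBy  = $_.Properties[4].Value   # SubjectUserName
        }
    } | Format-Table -AutoSize
```

Run it on each server that hosts Orion and on any host where Orion agents or polling credentials were used, and keep the CSV with the case file; the same three questions (was it installed, what changed, who was added) are what you should be asking each vendor in your supply chain.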
On BIG’s recent Digital Town Hall, noted cyber expert Jim Stickley (Stickley on Security, Mahalo Banking) estimated that between 18,000 and 33,000 SolarWinds client companies were infected via this breach. As Olejnik points out, that number could quickly escalate if one of those firms had access to partner systems in the period before the malware was removed.
As any fraud professional knows, successful scams exploit trust. This is where the SolarWinds incident opened a disturbing new frontier: intruders compromised the defenses of a firm recognized as a leader in system monitoring software. In other words, when SolarWinds (or more specifically its Orion platform) issues an update, clients know it’s important to install it. And since monitoring software by definition requires broad, often privileged access across a variety of systems, it’s easy to grasp how widely malware riding on such an update can spread.
The consensus belief is that a government-sponsored entity is behind this hack (although Stickley is not 100% convinced, as you’ll hear in the above link), which would be consistent with its initial focus on intelligence gathering rather than monetary gain. Even if that remains the primary objective, it’s hardly cause for comfort among banks and credit unions. State actors would relish the ability to erode confidence in the US financial system, whether by taking down system availability or by corrupting transaction balances. Until all malware has been identified and eradicated, sadly every one of these possibilities remains on the table.
Even if it’s no longer headline news, the ongoing SolarWinds situation should remain on every FI security leader’s radar, and we at BIG will continue to report on developments.