We Hate to Say “We Told You So,” But…

The SolarWinds supply chain cyber attack hit us in the midst of a global pandemic. The magnitude of this cyber attack, as the New York Times puts it, “is hard to overstate.” 

We’ve been writing for years about Western democracies being under cyber attack, but the feedback we received said that we were exaggerating the risk. If anything, we underestimated the risk to government and corporate IT infrastructure from state-sponsored hackers in Russia, North Korea, and Iran.

On December 8, 2020, cyber security firm FireEye reported that government, technology, and telecom organizations across North America, Europe, Asia, and the Middle East had fallen victim to “a global campaign” employing “top-tier operations tradecraft and resources.” Its clients, which include the United States government, have been placed at risk.

A few days later, on December 16, 2020, SolarWinds issued a cyber attack advisory. SolarWinds provides software to tens of thousands of government and corporate customers. The hack inserted a vulnerability into its SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. This vulnerability could allow an attacker to compromise the server running Orion. According to SolarWinds, this attack was likely the “result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state….”
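A defender-side inventory check for the affected builds listed above, added here as an example; it is not part of the original post and not SolarWinds tooling. The inventory format and host names are constructed, and only the “YYYY.N HF K” version form quoted from the advisory is recognized, so anything else is flagged for manual review rather than silently passed:

```python
import re
from typing import Optional, Tuple

# Affected Orion builds as listed in the advisory quoted in the post: 2019.4 HF 5,
# 2020.2 with no hotfix installed, and 2020.2 HF 1, as (year, release, hotfix).
# Hotfix 0 stands for "no hotfix installed".
AFFECTED_BUILDS = {(2019, 4, 5), (2020, 2, 0), (2020, 2, 1)}

# Recognizes the "YYYY.N HF K" form used in the advisory, e.g. "2019.4 HF 5" or "2020.2".
VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)

def parse_orion_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (year, release, hotfix), or None if the string is not in the expected form."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    year, release, hotfix = m.groups()
    return (int(year), int(release), int(hotfix) if hotfix else 0)

def is_affected(version: str) -> bool:
    """True only for a version that parses and matches one of the listed builds."""
    parsed = parse_orion_version(version)
    return parsed is not None and parsed in AFFECTED_BUILDS

def flag_hosts(inventory: str) -> list:
    """inventory: lines of 'hostname,orion_version' (a constructed format, not SolarWinds output).
    Returns (host, version, status) for hosts on an affected build, and also for hosts whose
    version string could not be parsed, so that unusual builds get reviewed instead of skipped."""
    findings = []
    for line in inventory.strip().splitlines():
        host, _, version = line.partition(",")
        parsed = parse_orion_version(version)
        if parsed is None:
            findings.append((host.strip(), version.strip(), "unparsed"))
        elif parsed in AFFECTED_BUILDS:
            findings.append((host.strip(), version.strip(), "affected"))
    return findings

# Constructed sample inventory; host names are hypothetical.
SAMPLE_INVENTORY = """\
orion-01,2019.4 HF 5
orion-02,2020.2
orion-03,2020.2 HF 1
orion-04,2019.4 HF 4
orion-05,2020.2 hf1
orion-06,unknown
"""

if __name__ == "__main__":
    for host, version, status in flag_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {version} -> {status}")
```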

According to Reuters, suspected Russian hackers capitalized on Microsoft’s wide use of SolarWinds to infiltrate the software giant, and then used Microsoft’s own products to further their attacks on other victims.

The malicious update was available from SolarWinds from March to June. During this time, more than 425 Fortune 500 companies downloaded the corrupted SolarWinds update. As many as 18,000 of SolarWinds’ 300,000 customers downloaded it, including most unclassified federal government networks.

A bulletin released December 17 by DHS’ Cybersecurity and Infrastructure Security Agency (CISA) assesses a cascading threat to federal, state, and local networks.

“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the bulletin stated.

What does the SolarWinds cyber attack mean?

Malicious actors may have had access to, and control of, vital networks for the better part of 2020. The hackers have likely gone beyond their entry point and are employing techniques to evade detection and obscure their activity, which is what experts call “persistent access” and “covert presence.”

At VirtaMove, we’ve been blogging about cyber attack risk for years. We’ve said that more spending on security software isn’t the answer when it comes to closing exposures on compromised infrastructure. In fact, as the latest breach illustrates, security software can itself become the vector for an attack. 

To quote:

“Collectively, we need to invest in, modernize, and protect our software infrastructures – not just once like in the case of Y2K, but continuously.”

Cyber Attacks Require a “Do Over”

On Dec. 13, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering federal civilian agencies to disconnect from SolarWinds software. The Canadian Centre for Cyber Security also issued an alert. However, as we’ve put it in previous blogs, the horse has already left the barn. The damage is done and computer networks are compromised.

What’s required is, as the New York Times puts it, a “do over.” A do over is “mandatory” and “entire new networks need to be built — and isolated from compromised networks.” The remediation effort will be “staggering.”

It’s time to close the barn door. It’s time to modernize IT infrastructure, which means moving applications to new, secure servers.

  1. If you’re running applications on old Windows systems, upgrade your hardware and operating systems. You’ll need to spend some money to do this, but these are modest investments in comparison to spending more money on more cyber security tools.
  2. Buy modern server hardware to close known hardware security exposures.
  3. Move your software application stacks from old operating systems to modern, more secure Windows Server 2012, 2016 and 2019 and modern Linux systems to eliminate exposures.
  4. Use an automated migration tool to move your applications to a new server and OS.

VirtaMove offers an automated migration tool to isolate all application stack dependencies from the underlying OS. You then move the application to the new server and OS infrastructure (upgrading database components on the fly if required). Intelligent automation then places the software stack in the right place on the new OS. Automated migration saves weeks of labor and around 70% of the cost involved in manual migration.

Doing nothing was never an option and is even less of an option today, in the age of malware where victims include US government departments. You need to act and close security exposures on old operating systems. As the Canadian Centre for Cyber Security puts it, “Organizations failing to apply security updates in a timely manner…are exposing themselves to compromises such as information theft and ransomware.” Organizations that maintain the do-nothing strategy have been and will continue to be disrupted.

If you’d like to learn about how to put a modernization process in place, contact us today at sales@virtamove.com. We’re always pleased to share what we know.