Bad State Actors And Criminals Are Focusing On Updates After SolarWinds Hack

Cybercriminals recently attacked the IT provider SolarWinds in order to send malicious software updates to around 18,000 customers and gain backdoor access to their networks. However, the hackers were selective in which customers they targeted.

Among the customers targeted in the hack were Microsoft; the Department of Energy; the National Nuclear Security Administration, which maintains the nation's nuclear weapons stockpile; and several other U.S. governmental agencies.

Microsoft stated that it has identified other victims of the breach and has notified more than 40 customers who were targeted and "compromised through additional and sophisticated measures."

Eighty percent of these notified victims were in the U.S.; 44 percent were in the information technology sector; and 18 percent were in government.

The president of Microsoft said the hack was an "attack on the United States and its government and other critical institutions." According to The Washington Post, the U.S. suspects a Russian state-sponsored hacking group called Cozy Bear is behind the breach.

Although Reuters reported that the hackers exploited Microsoft's tool to attack other victims, Microsoft stated that its ongoing investigations "have found absolutely no indications that our systems were used to attack others." It said that it "isolated and removed" malicious SolarWinds binaries before the malware infection caused any major damage. The statement also claimed that there was no evidence the hackers accessed production services or customer data.

The full scope of the breach is not yet known. New evidence suggests the hackers used a variety of tactics to access their targets' networks, meaning they may have done more than just spy on the U.S. government. Michael Kan, "Microsoft Hit by SolarWinds Breach, Says It 'Isolated and Removed' the Malware" (Dec. 18, 2020).

The SolarWinds hack highlights that criminals and state actors will continue to focus on corrupting updates.

What makes this tactic successful is that we are continually reminded to update as soon as possible, often in order to patch vulnerabilities. We invite updates into our systems, and a malicious one is rarely discovered quickly, if at all.

Fraudulent updates delivered via phishing can be quite convincing. It is important to train all members of the organization to use extreme caution when downloading any update. A good procedure is to require that your IT department first give the green light before any update is performed.

Train employees to be suspicious of any notification to update software that arrives in a popup or email. A notification to update software the employee does not use is another red flag and should be avoided.
