SolarWinds Breach

Jarrett Kolthoff | January 22nd, 2021


The SolarWinds breach is one of the largest cyberattacks of 2020, impacting 425 of the US Fortune 500 companies, the top ten telecommunications companies, the top five US accounting firms, a large percentage of the Inc. 5000 firms, all elements of the US government, and many universities and colleges across the globe.

This “supply chain” cyberattack will likely cause significant issues for US companies and governmental agencies for quite some time.

Details of the SolarWinds Breach

A positive to take away from this event is the awareness it can bring to cybersecurity for Chief Executives. Hopefully, the realization is that simply investing and installing toolsets will not solely protect their infrastructure from attack. It is crucial for Chief Executives to be made aware of the impact and potential risk of third-party applications and this attack in general.

The collective cybersecurity community knows breaches can happen to any organization at any time and sharing the details of the attack with the community is vital for the ability to combat such threats moving forward.

The US is likely to impose diplomatic and economic measures on whoever caused the incident. Although it has been reported as the worst cyberattack in history, there will be more sophisticated threat actors and attacks targeting prominent organizations and countries in the future.  The only constant in the cyber battlefront and threat landscape is that it is in a constant state of change.

Even though this initial incident has subsided from the news cycle, we will likely see more fall-out in the near future and there will always be long-term effects from the SolarWinds breach. The way in which organizations think about security will be approached with much more attentiveness and focus on continuous monitoring and the ability to deploy rapid response teams. This is an immediate wake-up call to leaders in all industries. It is clear this particular incident wasn’t industry-specific. It impacted every organization that was large enough to require network monitoring tools.  SolarWinds was the tool of choice by network administrators, many of them had administrative access throughout the entire organization that could have been used by the threat actors.

Access was obtained through the malware dubbed SUNBURST. The malware was pushed through SolarWinds Orion updates for months before being detected and this allowed SUNBURST to gain administrative-level access within the environment. There is a long list of organizations affected by the malware and identifying whether or not access was escalated is crucial. Reviewing logs and determining exactly where the threat actors moved laterally is required to get systems running back to normal and malware-free.

Keep in mind, that technology alone will not solve this issue. The security analysts monitoring 24/7 are the key component in protecting your organization. Expertise wins the battle in a cyberattack where any company is a target. Tools alone are not always going to stop threats. In fact, in the SolarWinds breach, it was cybersecurity personnel who acted upon the alerts and detected the incident. Experts were able to identify and counter the attack. Companies need to be extra mindful of their security posture. If you aren’t using any proactive cybersecurity services, now is the time to consider them to be secure for years to come.

In preparation for these types of events, SpearTip recommends having a dedicated cyber insurance policy with sufficient limits and the right coverage types. It is critical to work with a cyber insurance broker that fully understands cyber coverage. On average, a company will experience an outage/business disruption, even if the ransom is paid. This outage will be minimized by how quickly the collective team of forensic firms, insurance carriers, and legal teams are engaged.

To help IT and security teams who utilize SolarWinds’ Orion software, SpearTip has released a free tool, SunScreen SPF 10. It was created and developed to root out compromised versions and also enable the detection of potentially malicious activity. ShadowSpear® Neutralize actively prevents malicious programs from injecting into memory, and our Security Operations Center (SOC) works 24/7 to respond to such events.

Fortunately, ShadowSpear® stopped and continues to alert on malicious activity related to SUNBURST malware in several of our client’s environments. The world is bound to feel the implications of the SolarWinds breach for a while, so if there are any questions or concerns you may have about this incident, please contact our SOC at 833.997.7327.


Connect With Us

Featured Articles

Cuttlefish Malware
Cuttlefish Malware: A New Threat to Routers and Traffic Monitoring
24 May 2024
Security Awareness Training
Security Awareness Training Crucial Role
22 May 2024
Phishing Campaign Assessments
Phishing Campaign Assessments Can Be Effective For Companies
20 May 2024
Incident Response Planning
Incident Response Planning: Why It's Important
17 May 2024

See ShadowSpear in Action

Identify, neutralize, and counter cyberattacks - provide confidence in your security posture

Stay Connected With SpearTip

Inside the SOC Newsletter

View our articles that cover trending topics in cybersecurity with insights from our 24/7/365 Security Operations Center.

ShadowSpear Platform

Cybersecurity actors are working around the clock, shouldn’t your security team be too? Technology solutions and security controls fail for a number of reasons, poor deployment, improper implementation, or just no one monitoring the alerts.

ShadowSpear Demo

Experience ShadowSpear for yourself. Our lightweight, integrated solution will help you sleep easier at night and provide immediate confidence in your security posture.