The group behind a global cyber-espionage campaign that compromised thousands of customers of the US software maker SolarWinds was likely seeking out specific targets, Sudhakar Ramakrishna, the company’s CEO, said on Monday during a Center for Strategic and International Studies (CSIS) webinar.
Ramakrishna, who took over the company weeks after the attack, will head to Washington this week to take part in a Senate intelligence panel on the hack disclosed in December, in which threat actors exploited the company’s software and continuously compromised up to 18,000 of its customers for more than a year.
Patience and persistence
US officials suspect that Russia was likely behind the attack, deemed one of the largest in recent memory. Ramakrishna told the webinar’s online audience that the perpetrators’ intent was likely not to cause as much damage as possible.
“In this particular case, given the tools, techniques, and processes that they have been using and the attribution to a nation-state, I feel that they were after a few prized assets. In some cases, simply learning about those environments, and in some cases, trying to get something out of those environments from an intelligence standpoint,” he said.
Ramakrishna explained that the nature of the attack points to the people behind it being extremely patient and employing highly sophisticated tools. The whole strategy of staying dormant over an extended period of time points to careful premeditation.
For example, the company indicated that the attackers rehearsed on older versions of the software code, taking care not to raise any alarms within the software provider’s systems and to avoid detection. Such behavior requires an understanding of the underlying procedures the developer community employs to combat threat actors: a ‘manual effort’ by the attackers to understand the victim.
“The high point here is that there wasn’t one single technique used, and it was a long-drawn-out process with a very deliberate focus on cleaning up after themselves at every step of the way. So that requires more manual focus and more deliberation and understanding of the environments,” he explained.
The CEO of SolarWinds pointed out that the prolonged nature of the attack and the suspected depth of resources behind it prevented the company’s security teams from detecting the threat and creating preventive countermeasures against the danger.
“When you’re hiding in plain sight, where the traditional tools that you deploy in an environment cannot identify them easily and simply, or even with a lot of sophistication, then that becomes much more difficult to identify,” Ramakrishna said.
“If you were to run that with lower privileges, even if an attacker found a way to gain control, you won’t be able to do as much damage because you are a regular user, and you’re not an administrator of that network,” he said.
Least privileged access
Sharing what the company has learned from the attack, Ramakrishna pointed to better integration of the communities developing and using the software, for example by creating an environment of least privileged access.
He explained that one of the key reasons why threat actors targeted the Orion platform was that gaining access to it subsequently allows them to gain administrative privileges to Windows servers.
Ramakrishna said the company was focused on developing a ‘secure by design’ approach, with increased testing capability and a focus on reaching out to customers that use its product. One way to increase resilience to future cyberattacks would be to provide additional security components such as hardening and configuration guides.
“It is our obligation to work with the ecosystem where the customers do not have to face the burden of having to do all of those. And we, as vendors, are collaborating alongside the government to provide more protected and protective environments for our customers,” the CEO of the company explained.
Ramakrishna pointed out that one of the less software-focused matters that make the clean-up process more difficult is that some victims of the attack are reluctant to go forward and admit that their systems were penetrated.
“A lot of victims very early on in this conversation are hesitant to come out about exfiltration of data or attacks or information. And that is, that could be because of liability concerns and other potential punitive concerns,” he said during CSIS’s event.
According to Ramakrishna, the government could intervene to prevent such fears by providing regulation that allows companies to come forward without fearing repercussions. Delays in reporting breaches, he said, stifle the ability of governments and developers to respond to attacks and the speed at which they can do so.
“What we need to provide is the liberty and liberation needed to come out and speak about it. Because the more of us in the community that can create essentially the notion of a community vigil, so to speak, the more protected we are going to feel,” he said.