SolarWinds, a US tech company which provides computer networking monitoring services to some of the biggest American companies and government agencies, was recently at the center of an elite hacking scandal.
At the end of 2020, it was revealed that hackers — described as an “outside nation state,” thought to be Russia — had broken into the company’s system and inserted malicious code into widely used software relied upon by thousands of customers. This malicious code was sent out to customers as early as March in the form of software updates. Clients who installed these updates unwittingly created a backdoor in their own IT systems, which could then be exploited to allow further malware to be distributed.
This is what is known as an Advanced Persistent Threat (APT), in this case a type of long-term supply chain attack that can prove devastating in its impact. In the case of SolarWinds, by compromising a single vendor who supplies services to a large number of third-parties, the attacks can gain access to all of that vendor’s customers.
The SolarWinds breach meant that potentially 18,000 customers, including federal agencies, were exposed by the attack — allowing them to be subject to an illegal, long-term presence on their network, which may have been used to mine sensitive data. Such attacks can result in intellectual property theft, exposed employee and user data, the sabotaging of crucial organizational infrastructure such as databases, and even total site takeovers.
Three stages of APT attack
There are typically three stages to APT attacks. The first involves network infiltration. This is achieved either using a type of malicious upload, such as SQL injection, or alternatively a social engineering attack, such as “spear phishing,” in which a user reveals confidential information under the misapprehension that they are giving it to a trusted party. (For example, think of the scam emails which claim to be from Amazon or Apple, asking users to confirm their username and password.)
When an attacker has managed to break into a system, they then install malware that grants them a backdoor that allows them to access the network whenever they wish for remote operations.
In the second stage, the attackers will establish their presence on a network, accumulating data that could be sold or otherwise exploited at a later stage. They may also sabotage the system in a way that will cause significant damage, such as deleting databases and disrupting network communications.
The third and final stage of an attack is the extraction phase. During this phase, the attackers will extract the data that they have gathered without being detected. Usually, they will do this by using an attack such as a Distributed Denial of Services (DDoS) attack, in which the victim is bombarded with large amounts of fake traffic, to tie up network resources and weaken site defenses. While this is going on, they will then execute the data extraction.
The need for visibility
Such coordinated and long-term attacks can prove incredibly harmful. They go far behind the scope of ordinary, opportunistic attacks that seek to break in, cause damage or extort money, and then get out again. These are long-term attacks, and the damage can be equally long-term.
Companies must work to minimize the impact of these cybersecurity attacks; identifying, and hopefully halting, them early on before they have the chance to cause lasting (or, ideally, any) harm.
Visibility, one of the most important parts of cybersecurity, is critical. In short, if targets are unable to see something, they are unable to do anything to protect against it. If you are unable to identify the weaknesses in defenses, it’s impossible to make the necessary improvements for safeguarding against them.
Protecting yourself from harm
Traffic management, access control, and other security procedures should all be employed to help protect users. Tools such as Runtime Application Self-Protection (RASP) can aid with identifying and blocking attempted exploitation on the part of hackers. Meanwhile behavioral analytics can detect attempts to compromise systems. It does this by inspecting traffic inside of a network so as to alert security personnel if unusual behavior, which could lead to malicious activity, is taking place. Data Loss Prevention (DLP) and data security systems, meanwhile, can help to stop the exfiltration of data.
These are only a few of the cybersecurity solutions that are available today to help fight such attacks. Others, like anti-DDoS solutions, can also help safeguard against similar hacker-led threats.
Because of the potential to steal information or otherwise compromise systems over the long-term, and with extremely far-reaching implications, APT attacks are some of the nastiest cyberattacks around. In the example of the SolarWinds attack, the threat was compounded by the fact that, at least on the surface, all of the company’s clients who were exposed by the attack were doing the right thing. Oftentimes, security vulnerabilities prey on those who do not install critical software updates. In this case, the attack targeted those who had been diligent enough to install the updates, not realizing they had been tainted.
Fortunately, the tools exist to help users protect against these attacks. For the good of data hygiene and cybersecurity, it’s essential that they choose the right ones to protect them.