The recent SolarWinds hack is a fascinating story. The attack had a serious impact on the connected-health cybersecurity world: it targeted the US government and, by published estimates, affected approximately 250 federal agencies and businesses.
In practice, what happened was that software from a vendor (SolarWinds) was breached and modified to do things it was never intended to do. A group of attackers did this to build the capability to reach any SolarWinds customer. What makes the attack so interesting is that a single vendor compromise let the attackers monitor networks inside governments and enterprises across the globe.
Quick facts about the SolarWinds attack
According to Microsoft, the attackers got into victim networks through SolarWinds’ trojanized Orion monitoring and management software and then escalated privileges until they could “impersonate any of the organization’s existing users and accounts, including highly privileged accounts.” Microsoft also disclosed that, in its own environment, the attackers were able to “view source code in a number of source code repositories,” but that the compromised account granting that access didn’t have permission to modify any code or systems. The New York Times reported that Russia exploited layers of the supply chain to access the agencies’ systems, and that the early-warning sensors Cyber Command and the NSA had placed inside foreign networks to detect potential attacks appear to have failed. Microsoft said it discovered its systems were infiltrated “beyond just the presence of malicious SolarWinds code,” but that it found “no evidence of access to production services or customer data,” and “no indications that our systems were used to attack others.”
Companies affected by the SolarWinds Cyberattack
The massive SolarWinds attack affected a large variety of companies, including: Cisco Systems Inc., Intel Corp, Nvidia Corp, Deloitte LLP, VMware Inc. and Belkin International Inc. The attackers also accessed the California Department of State Hospitals and Kent State University.
The challenge of stopping breaches in healthcare
Fact: 24% of data breaches occur in healthcare. Protecting Healthcare information is a tough challenge. SolarWinds was well aware of the challenges they faced before they were hacked. But don’t take our word for it: have a look at a list of challenges that SolarWinds discussed in a blog they published themselves.
Top 5 IT Challenges of Securing Healthcare according to SolarWinds pre-hack
1. Insufficient focus on insider threats
2. Human errors (Too Many)
3. Poor device management
4. Insignificant privileged account management
5. A dearth of security culture
The SolarWinds breach created serious security issues for government agencies, healthcare organizations and major companies in other industry verticals. Because SolarWinds’ Orion platform underpins a range of popular IT infrastructure monitoring products, a single trojanized component reached all of them. Approximately 18,000 customers installed the affected builds, including FireEye, where the compromised SolarWinds software led to the exfiltration of FireEye’s red team tools.
Were you using or running SolarWinds software in your environment? If so, here are some recommended remediation steps to take:
Recommended remediation steps healthcare companies should take
1. Assume every credential held by SolarWinds Orion for monitoring (service accounts and any stored SNMP, WMI or SSH credentials) is compromised, and rotate them
2. Look for use of the SolarWinds monitoring accounts from any host other than the Orion server, or at unusual times
3. Look for command-and-control traffic associated with the attack, starting with the published SUNBURST indicators such as DNS queries for avsvmcloud.com subdomains
4. Search for the other published SolarWinds IOCs and for any additional malware or potential indicators of compromise
5. Before touching the affected hosts, take a snapshot or another form of backup that can be used for later forensics if needed
6. Remove the compromised software and rebuild the affected hosts from known-good media rather than patching in place
7. Segment the network so that monitoring servers can no longer reach everything
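Steps 2 and 3 above are the two checks that can be run over logs you already have. The block below is an added example, not code from the original page or from SolarWinds: it scans constructed DNS query lines for names under the published SUNBURST command-and-control domain (avsvmcloud.com), and constructed logon lines for use of a monitoring service account from a host other than the Orion server. The account name `svc_solarwinds`, the host name `orion01` and the log line shapes are assumptions for the example; substitute your own.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed names for this example: the account Orion polls devices with, and the
// only host that should ever authenticate with it.
const (
	orionServiceAccount = "svc_solarwinds"
	orionHost           = "orion01"
)

// sunburstC2Suffix is the domain FireEye publicly attributed to SUNBURST command-and-control.
const sunburstC2Suffix = ".avsvmcloud.com"

// Finding is one alert produced by the scans below.
type Finding struct {
	Rule string
	Line string
}

// ScanDNS flags DNS queries whose name falls under the known SUNBURST C2 domain.
// Assumed log shape (constructed for this example): "<ts> <client> query <qname>".
func ScanDNS(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		f := strings.Fields(l)
		if len(f) < 4 || f[2] != "query" {
			continue
		}
		qname := strings.ToLower(strings.TrimSuffix(f[3], "."))
		if strings.HasSuffix(qname, sunburstC2Suffix) {
			out = append(out, Finding{Rule: "sunburst-c2-dns", Line: l})
		}
	}
	return out
}

// ScanLogons flags use of the Orion monitoring account from any source other than
// the Orion server. Assumed log shape (constructed): "<ts> logon user=<u> src=<host> dst=<host>".
func ScanLogons(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		kv := map[string]string{}
		for _, tok := range strings.Fields(l) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				kv[k] = v
			}
		}
		if strings.EqualFold(kv["user"], orionServiceAccount) && !strings.EqualFold(kv["src"], orionHost) {
			out = append(out, Finding{Rule: "orion-account-off-host", Line: l})
		}
	}
	return out
}

// Constructed sample logs: one C2 lookup among benign queries, and one use of the
// monitoring account from a workstation.
var sampleDNS = []string{
	"2020-12-14T03:12:09Z 10.0.5.21 query 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com.",
	"2020-12-14T03:12:10Z 10.0.5.21 query downloads.solarwinds.com.",
	"2020-12-14T03:15:44Z 10.0.7.8 query login.microsoftonline.com.",
}

var sampleLogons = []string{
	"2020-12-14T03:20:01Z logon user=svc_solarwinds src=orion01 dst=dc01",
	"2020-12-14T03:22:37Z logon user=svc_solarwinds src=ws-0419 dst=dc01",
	"2020-12-14T03:23:02Z logon user=jdoe src=ws-0419 dst=fs01",
}

func main() {
	for _, f := range append(ScanDNS(sampleDNS), ScanLogons(sampleLogons)...) {
		fmt.Printf("[%s] %s\n", f.Rule, f.Line)
	}
}
```

The DNS rule is a plain suffix match so it also catches the generated subdomains SUNBURST used, and the logon rule is deliberately simple: a monitoring account that authenticates from anywhere but its own server is worth a look regardless of which malware is involved.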
Key lesson: you need the right combination of tech to be protected
There are a number of technologies in use in this space that should be a baseline minimum today. The first is protecting software against tampering: being able to ensure that the software a company builds and releases is what it intended to release, and cannot be modified by third parties or attackers along the way.
The second is technology that enables software signing and lets anyone validate the software they have installed. The proper combination of signed software and anti-tamper technology would have made the SolarWinds attack far harder to pull off. Just think about it: if the software is signed, companies around the world can validate that it really came from SolarWinds, and if it is protected against tampering they can also see that it has not been modified since. One caveat matters here: the trojanized Orion component actually carried a valid SolarWinds signature, because the malicious code was inserted in SolarWinds’ own build process before the release was signed. A signature on the final artifact therefore proves who released it, not that the build itself was clean. That is why both pieces are needed: signing establishes that the software is from who you think it is from and not a rogue version from someone pretending to be SolarWinds, and anti-tamper protection of the build and release pipeline establishes that nothing has been added to the build. In the end, these steps are critical to maintaining integrity within your systems.
Moving forward, it will be critical to employ technologies like these. We must also practise full transparency about what is included in our software supply chain, because, as this attack shows, what goes into your supply chain is very much part of your own protection. We can’t go back in time and stop the SolarWinds attack, but we can learn some important lessons from it and be better prepared for the next one.
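To make the signing-versus-build-integrity distinction concrete, here is an added example that is not code from the original page or from any vendor it mentions. It models a vendor build step with a hook standing in for whatever runs inside the build environment, signs the resulting artifact with Ed25519, and then runs two customer-side checks over three scenarios: an honest release, an artifact modified after signing, and a release whose build was compromised before signing. The source text, the “backdoor” bytes, the fixed key seed and the `build`/`Reproduce` helpers are all constructed for this example; the reproducibility check stands in for an independent rebuild from audited source.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-ins for this example: an audited source tree and an injected payload.
var (
	auditedSource = []byte("func Poll() { collectMetrics() }")
	backdoor      = []byte("\nfunc init() { go beaconToC2() }")
)

// build stands in for the vendor's build step. hook models code running inside the
// build environment; a compromised build server injects its payload there, before signing.
func build(source []byte, hook func([]byte) []byte) []byte {
	artifact := append([]byte("ARTIFACT\n"), source...)
	if hook != nil {
		artifact = hook(artifact)
	}
	return artifact
}

// Sign is the vendor's release step: an Ed25519 signature over the artifact's SHA-256.
func Sign(priv ed25519.PrivateKey, artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return ed25519.Sign(priv, d[:])
}

// Verify is what a customer can check at install time with the vendor's public key.
func Verify(pub ed25519.PublicKey, artifact, sig []byte) bool {
	d := sha256.Sum256(artifact)
	return ed25519.Verify(pub, d[:], sig)
}

// Reproduce rebuilds the artifact from audited source in a clean build environment
// (no hook) and compares digests. This is the check that catches build-time injection.
func Reproduce(source, artifact []byte) bool {
	want := sha256.Sum256(build(source, nil))
	got := sha256.Sum256(artifact)
	return want == got
}

// Outcome records what the two customer-side checks say about one release.
type Outcome struct {
	Scenario       string
	SignatureValid bool
	Reproducible   bool
}

// Scenarios runs the three cases described in the lead-in and returns the check results.
func Scenarios() []Outcome {
	// Demo-only fixed seed so the run is deterministic; real release keys live in an HSM.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)

	// 1. Honest build, signed by the vendor.
	honest := build(auditedSource, nil)
	honestSig := Sign(priv, honest)

	// 2. Post-release tampering: bytes change after the vendor signed.
	tampered := append(append([]byte(nil), honest...), backdoor...)

	// 3. Build-time injection: the vendor signs whatever the compromised build produced.
	injected := build(auditedSource, func(a []byte) []byte { return append(a, backdoor...) })
	injectedSig := Sign(priv, injected)

	return []Outcome{
		{"honest release", Verify(pub, honest, honestSig), Reproduce(auditedSource, honest)},
		{"tampered after signing", Verify(pub, tampered, honestSig), Reproduce(auditedSource, tampered)},
		{"injected during build", Verify(pub, injected, injectedSig), Reproduce(auditedSource, injected)},
	}
}

func main() {
	for _, o := range Scenarios() {
		fmt.Printf("%-24s signature valid: %-5v reproducible: %v\n", o.Scenario, o.SignatureValid, o.Reproducible)
	}
}
```

The middle row is what signing buys you: anything changed after the vendor signed fails verification. The last row is the SolarWinds pattern: the signature is valid because the vendor really did sign it, and only the rebuild-from-source comparison notices the extra bytes. Both checks together are what the combination above means in practice.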
Click here to get in touch with Irdeto’s Connected Health team to learn more!