Supply chain attack case: SolarWinds
The SolarWinds supply chain attack is an example of the ability to use a successful incursion into a supply chain node to seed vulnerabilities well beyond the compromised system.
The company describes its Orion software as a “powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration for on-premises, hybrid, and software as a service (SaaS) environments.”
In 2020, customers using that software were notified of an update offering the usual fare of bug fixes and feature updates. The update had been compromised by an APT believed to be affiliated with the Russian intelligence service (the SVR), and infected with malware.
In later interviews, the CEO estimated that 18,000 customers downloaded the adulterated update.7 This was not just a trick to get customers to download a bad update from a website with some deceptive variation on the company name that might escape cursory inspection by a harried office worker: the APT had compromised SolarWinds’ own systems and inserted the malware into an official update package without being noticed.
In an attack staged over the course of seven months, the hackers obtained access to the SolarWinds network, tested that access to ensure they could execute their hack, injected malicious code into the software, and caused Orion customers to start receiving updates containing the malicious software.
Notable entities such as Microsoft, the U.S. Postal Service, the U.S. Department of Energy, and the U.S. Department of Homeland Security received and were impacted by the malicious code. Because of the privileges the software needed to perform its “infrastructure monitoring and management” duties, the hackers gained backdoor access not only to the data and networks of the companies using Orion but also to those of many of their customers.
It’s estimated that up to 30,000 entities were potentially vulnerable, though the number actually exploited is believed to be significantly lower. According to security agency FireEye, even after a victim had installed the compromised update, “these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction.”8
As reinforcement of the accusation against Russia, the Biden administration tied its April 2021 package of sanctions against Russia, at least in part, to the SolarWinds supply chain attack.
Besides the immense reputational damage done to SolarWinds, the Securities and Exchange Commission (SEC) filed a lawsuit in October 2023 charging SolarWinds and their CISO with defrauding investors and failing to maintain adequate internal controls. Between the disclosure of the hack in 2020 and the filing of the SEC action in 2023, their stock fell by nearly 64% and the SEC action seeks to bar their CISO from being an officer or director of a public corporation for the rest of his life.
Not every hack is a hack
Along with real stories of hacks, the internet is littered with sensationalized stories of hacks.
For example, in 2021, many news outlets reported that the city of Oldsmar, Florida, had been hacked to poison its water system, which served approximately 15,000 people.9 In this case, systems that add lye to the water supply to reduce acidity in the water were altered to increase the amount by approximately 11,000 percent. The alteration was caught in time and reversed by an alert employee who prevented it from causing actual harm.
No further details were released on who might be responsible or how they gained access to Oldsmar’s systems as the FBI and the Pinellas County Sheriff conducted their investigation. And that was the story until 2023. During a cybersecurity panel at a meeting of the American Society for Public Administration, the former city manager admitted that the FBI’s conclusion, after a four-month investigation, was that it wasn’t a hack. It was an employee error.10
While some of the hacks discussed in this book will be old enough at the time of writing to have been thoroughly covered and vetted, some more recent stories may appear simply because they provide the best illustration of a concept in the opinion of the authors. These facts have been vetted as thoroughly as possible before publication.