Hans Rehder nervously adjusts his tie as he steps into the Hotel Adria lobby, eyes scanning for his contact. Did he want to be here? He doesn’t know, but he has a wife, four kids, and a pile of mounting debt that he can’t repay. Simon set him up with this meeting and the man offers him money. All he has to do is steal secrets from Telefunken, his employer. His first payment is 500 West German marks – easy money. Hans doesn’t know it when he first meets Simon’s contact, but he has just signed up to be a corporate spy for the Stasi. He goes on to steal from Telefunken for the next 28 years … and he’s never caught.
State-backed corporate espionage has been around since the dawn of business. By the 1950s, the time of Hans Rehder, it was already a well-honed practice. CIA, KGB, Stasi, they were all masters of their craft.
But now it’s 2021. The Cold War is over and we all like to believe that we’re not at risk of such 20th century subterfuge. But the reality is, since the first half of the 20th century traditional ‘war’ has moved increasingly into the cyber domain. Espionage is now cyber terrorism, and as we all grow increasingly reliant on the internet to do business, our companies are more at risk than ever before. A modern Hans Rehder doesn’t even have to leave his home, and can do significantly more harm.
The SolarWinds hack is a stark reminder of the world’s vulnerability to state-based cyber terrorism. But as a German company, should you care about a US company’s losses? And if so, what should you do about it?
Understanding SolarWinds – and your place in the attack
What happened with SolarWinds?
Summarising the hack
SolarWinds was a malicious and highly sophisticated digital supply chain hack that has impacted nearly 20,000 companies around the globe. While 80% are based in the US, there are many overseas – even in Germany, as we’ll discuss more below.
In 2019, cyber attackers believed to be a part of the group ‘Cozy Bear’ backed by the Russian FSB, snuck malicious code into SolarWinds’ Orion system. Dubbed ‘Sunspot’, it was used as a practice run for the main attack, and helped to inject their trojan into a major Orion update (this new malware being dubbed ‘Sunburst’).
Of course, when the seemingly normal patch went out to customers in 2020, it planted the malware in tens of thousands of systems around the globe, including major organizations such as Microsoft, FireEye and even the US Department of Energy’s National Nuclear Security Administration. Two more pieces of malware were also then utilized – Teardrop and Raindrop – which helped further compromise targets of interest with customized Cobalt Strike beacons.
Identifying the scale of the attack
At time of writing, the scale of the SolarWinds hack is still unfolding – this was a meticulously planned attack that went unnoticed for months. We may never know the true extent of the damage, and what the hackers stole or damaged.
Was this an act of cyber terrorism?
Terrorist attacks are designed to cause harm, to undermine order, sow chaos and interrupt infrastructure. This distinguishes terror from regular crime, in that the target is not to cause harm to an individual or a particular group, but to fundamentally damage the constitutional order of things.
The SolarWinds attack far eclipses the old days of Cold War corporate espionage. It was an act of modern cyber terror, not designed merely to ruin SolarWinds’ stocks or harm its staff, but to compromise tens of thousands of systems – including sensitive US government infrastructure. SolarWinds may have been the original company to be undermined, but its customers had customers, who then had customers of their own. And so the damage spread.
The rise of state-backed attacks
Cyber attacks from state-backed operatives have become increasingly distressing. 2017 was the first year we saw how truly devastating they can be – that was the year of WannaCry and Petya, then NotPetya, the self-replicating malware unleashed by Russia on Ukraine which accidentally took down the world’s biggest shipping company, Maersk (among many other companies, too). SolarWinds is just the latest event.
According to the Microsoft Digital Defence Report, state-backed attacks are on the rise and their actors are using highly sophisticated ransomware, credential harvesting and VPN exploits to infiltrate and compromise major targets. And these targets don’t have to be government agencies; NGOs, professional services, international organizations, IT firms and higher education are all the top sectors at risk, according to the report.
Read more: “Is German cyber security ready for 2021?”
SolarWinds was mainly an attack on the US – should Germans care?
As we mentioned, about 80% of the companies impacted by SolarWinds are based in the US, so are most German companies then safe?
No, and here’s why.
Firstly, this was a global event even if its victims were largely US-based
We know that some major German companies were affected, including Gillette Germany, Siemens and Deutsche Telekom. It’s likely that many more have also been infected, either directly or via a third party. For example, Microsoft Azure was one such American victim with many customers in Germany. Indeed, the World Economic Forum found that Germany is the fourth-most hacked country in the world, behind the US, UK and India.
But it gets more alarming. With simple techniques such as guessing easy passwords and exploiting known cloud configuration issues with Microsoft Azure, hackers have been able to infect thousands of customers not actually linked to SolarWinds. In fact, some reports say that as many as 30% of victims were not related to the Orion update.
In 2021, the reality we have to accept is that the digital supply chain is a worldwide, interconnected web of companies and just because your organization is based in a nation far away from a hacking victim does not mean you are isolated.
Second, Germany’s ties to Russia may put it at further risk
Due to our close economic ties and long history with Russia, Germany is at risk of becoming collateral in any counter strike operation. Indeed, the Russian government is already warning its organizations that the US may return fire with a hack of its own.
Many companies in Germany are, therefore, either directly or indirectly linked to Russian systems – leaving them potentially exposed.
Were you impacted by SolarWinds? Here’s what you need to know (and do)
If you believe your company has been impacted by the SolarWinds hack, either as a direct customer or as collateral from someone else, you need to act now. The longer you wait, the more you expose your business to damage.
There are many changes you can make over time to improve your resilience to potential future state-sponsored attacks (which are inevitable), but you can make progress swiftly even without third-party help by following these steps:
- Identify if your systems have been exposed to the infection through any connections to SolarWinds and its customers. Ask yourself these questions:
  - Who are the vendors we are working with?
  - Do I work with third parties who are using SolarWinds products?
  - Do my vendors’ partners use SolarWinds products?
  - Do we use any of the security vendors who have been compromised in the hack?
- Diagnose if you are infected in any way. First read here, then here. Security companies FireEye and CrowdStrike also released tools to help customers investigate if they have been affected by the Russian malware. Both can be found on GitHub, FireEye’s here and CrowdStrike’s here. FireEye also offers a whitepaper on remediation and hardening techniques that can be used in conjunction with its auditing script.
- If you can see one or more of the IPS detections, immediately block all associated IP and domain indicators. You are likely infected.
- Revoke trust on the compromised SolarWinds certificate used in these attacks. More information here.
- Organise one-hour meetings with your cyber security team and key organizational stakeholders to discuss security posture and to review pain points and vulnerabilities.
- Look into the toolkits available that are dedicated to dealing with this attack, which was designated UNC2452. One is available from Microsoft, in addition to a framework from MITRE ATT&CK.
- Use an up-to-date antivirus or EDR scan to check for compromised SolarWinds libraries.
- Reduce permissions on applications and service principals, especially application (AppOnly) permissions.
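The scan and certificate-trust checks above can be combined into one host-level inventory. The PowerShell below is an added example (not from the original post, SolarWinds, FireEye, CrowdStrike or Microsoft): it lists SolarWinds Orion assemblies, records each file’s SHA-256 hash and Authenticode signer, and flags any whose hash or signing-certificate thumbprint matches an indicator list. The install paths are assumptions, and the indicator values are placeholders that must be replaced with the IoCs published in the advisories linked in this post.

```powershell
# Added example: inventory SolarWinds Orion assemblies and flag known-bad hashes or signers.
# PLACEHOLDER values must be replaced with indicators from the vendor advisories; none are real here.
$KnownBadHashes      = @('PLACEHOLDER_SHA256_OF_TROJANISED_ORION_DLL')
$KnownBadThumbprints = @('PLACEHOLDER_THUMBPRINT_OF_REVOKED_SOLARWINDS_CERT')
# Default Orion install roots are an assumption; adjust for your deployment.
$SearchRoots = @('C:\Program Files (x86)\SolarWinds', 'C:\Program Files\SolarWinds')

function Get-OrionAssemblyReport {
    param([string[]]$Roots, [string[]]$BadHashes, [string[]]$BadThumbprints)
    foreach ($root in $Roots) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -Filter 'SolarWinds.*.dll' -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Hash for comparison against published file indicators.
            $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # Authenticode check: status becomes non-Valid once the signing cert is untrusted/revoked.
            $sig   = Get-AuthenticodeSignature -FilePath $_.FullName
            $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
            [pscustomobject]@{
                Path        = $_.FullName
                SHA256      = $hash
                SigStatus   = $sig.Status
                Thumbprint  = $thumb
                HashMatch   = [bool]($BadHashes -contains $hash)
                SignerMatch = [bool]($thumb -and ($BadThumbprints -contains $thumb))
            }
        }
    }
}

$report = Get-OrionAssemblyReport -Roots $SearchRoots -BadHashes $KnownBadHashes -BadThumbprints $KnownBadThumbprints
$report | Format-Table -AutoSize

# Anything matching an indicator, or no longer carrying a valid signature, needs incident response review.
$flagged = $report | Where-Object { $_.HashMatch -or $_.SignerMatch -or $_.SigStatus -ne 'Valid' }
if ($flagged) {
    Write-Warning ("{0} Orion assembly file(s) need review before this host is considered clean." -f @($flagged).Count)
    $flagged | Select-Object Path, SigStatus, HashMatch, SignerMatch | Format-Table -AutoSize
}
```

Run it as an administrator on each Orion server and keep the full report, not just the flagged rows, as evidence for the investigation.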
How to protect yourself against future attacks
1. Get a better handle on your cyber terrorism threat landscape
Ignorance is not bliss when it comes to risk exposure. While many companies treat risk, compliance and governance (all vital in identifying terror threats) as mere boxes to tick, you can’t be protected from what you don’t understand and cannot identify.
Bring together your key technology and business leaders and agree on the methodology or security control catalogue that reflects your organizational needs. If you do not have security expertise in house, you will need to find a third party such as dig8ital to help you. Modern expertise here is critical to success.
When you understand your risk exposure and have modelled for threats, you can then state your risk appetite and narrow down to the things you must improve across the business.
Additionally, if your governance, risk and compliance people are separated into siloed teams, you need to make sure they are talking to each other and working to an aligned plan or else gaps may form between these key areas.
Bonus step: Upper management, including the board, will need to be aware of and involved in these changes – but you can’t just dump a pile of tech jargon in their laps. That’s a quick way to get ignored. Find common ground with other leaders and help them understand the importance of security compliance. Use a language that they understand, such as risk exposure and organizational impacts, and back it up with hard data.
Read more: “Do you know your cyber risk appetite?”
2. Improve your data transparency
Data is the lifeblood of your business, and cyber terrorists know this. Having a poor understanding of your information assets could leave them vulnerable to attack. An important thing to keep in mind here is that just because your organization has a poor register of its data doesn’t mean hackers do too. They may well know more about you than you do.
Ask yourself these questions to guide you towards better transparency:
- Do I have a list of all of my info security assets?
- Do I understand who is responsible for them?
- Do I understand individual network elements of those assets?
- Do I have a complete overview of past and present risks attached to those assets?
- Do I understand how valuable the info in this asset is to my organization?
- Do I have an overview of what processes they connect to?
3. Learn to manage risks
Risk management can often be seen as just a department, an arm of the company that isn’t as important as others and therefore requires far less attention. However, risk needs to be managed end to end if it is to be successful, and the modern company is exposed to a lot of risks.
End-to-end risk management involves the thorough identification, treatment and follow up of risks. They can’t just be stored in a risk register and forgotten. After all, what is the benefit of the data if it is not utilized to make strong security policies?
Bonus tip: Focus on utilizing risk management processes backed by ISO 27001/27002 for guidance on the subject.
Read more: “dig8ital’s cyber risk services”
4. Prepare to assess your third-party contacts on an ongoing basis
At this point in the process you have either already assessed your current partners or are comfortable that they do not expose you to the SolarWinds hack. Now you need to establish new processes that assess and monitor your third parties on a regular basis.
As a part of your discussions on risk and compliance, also develop a third-party risk assessment including these steps:
- Establish what risks third parties pose to your organization.
- Develop a screening process for all new contacts to check their security health.
- Repeat your assessment of third parties on a regularly scheduled basis.
Still not sure where to start? We can help
As we mentioned, modern security expertise is an absolute must-have when it comes to fighting modern cyber threats. Security is a constantly evolving landscape and keeping up with the changes is a full-time job all of its own.
Most organizations simply don’t have this expertise in-house and that’s OK. You’re the experts in what you do, and you can turn to us for the rest – we’re the experts in what we do.
To learn more about how we might be able to help your company defend itself against the threat of cyber terrorism, contact us today for a free maturity consultation.