In December of last year, it was revealed that the U.S. tech company SolarWinds had been the target of a cyberattack. The attack had far-reaching consequences for international users of the company's software. Prof. Dr. Thorsten Holz spoke with the Science Media Center about the incident. The following interview, alongside statements from other experts, was first published on the Science Media Center's website. The SMC is an independent and non-profit science editorial office that supports journalists in reporting on science-related topics.
Statements by Thorsten Holz
What makes the SolarWinds hack so special and dangerous? How should the danger of such hacks be assessed in general, and which attacks should be feared?
"Recently, a significant attack on IT systems was discovered in which cyber attackers gained access to the source code of the IT monitoring software Orion from the company SolarWinds and inserted insidious changes into this source code. Particularly problematic is that the inserted malware was automatically distributed to SolarWinds customers in the course of regular software updates. After this update, the changes made to the software allowed customers' systems to be monitored. The attackers could also potentially gain control over the systems managed by the software. Such a level of control also gives attackers opportunities for more extensive attacks through misuse of the captured information.
It is now known that thousands of customers have unknowingly installed the tampered update. These include numerous U.S. federal agencies and companies around the world, as well as 15 German ministries or federal offices that use or have used products from the U.S. company, at least in parts. Other companies also reported wider attacks based on stolen information.
It is important to note that this attack was a well-planned and executed one. For example, the subtle changes at the source code level were carried out over months, possibly involving inside perpetrators. The manipulated code was tested by SolarWinds, but the manipulations were not noticed. Thus, the software, including the malicious code, was eventually digitally signed, shared via the SolarWinds platform, and distributed. After infection, the code was initially idle for some time before confidential information, such as credentials, was exfiltrated in an obfuscated manner via an unsuspicious protocol.
An important point here is that SolarWinds paid insufficient attention to IT security. For example, warnings of potential problems were ignored and only weak passwords were used on security-critical systems. This illustrates the high importance of IT security in our complex world: attackers look for the weakest link in the chain and attack it. In particular, such attacks on the software supply chain ('software supply chain attack') lead to far-reaching consequences, as can be seen from the high number of potential victims."
What can be done against such attacks and for the improvement of IT security on different levels? How can software in critical areas be better checked?
"Due to the enormous complexity of modern IT systems and the comparatively low cost of carrying out such attacks, the threat vector of attacks on the software supply chain is expected to gain in importance in the coming years. Traditional security mechanisms, such as digital signatures of code, mechanisms for the secure provision of updates, or mechanisms for transport security such as TLS/SSL (encryption protocols; editor's note) have been developed to ward off malware from 'outside'. Unfortunately, such methods have little impact on these types of attacks, as the SolarWinds hack impressively demonstrated. Deeper analysis techniques, novel technologies, and more refined policies for detecting potentially malicious changes in code, as well as more thorough testing, are needed to prevent or at least detect such attacks early in the future.
Another factor plays an important role: for a long time, we have followed an approach of achieving IT security by adding components. We install antivirus programs and other security tools on endpoints, use intrusion detection systems, IT monitoring software on the network, and other tools to make our overall system 'safer.' While each of these tools can cover individual threat vectors, vulnerabilities in these tools lead to new potential attack vectors. In the past, such vulnerabilities have frequently been discovered.
A return to reducing the size and complexity of our systems - especially in critical areas - makes sense and should be more in focus."
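The point made above, that a digital signature cannot catch changes inserted before the vendor signs, can be shown with a small model of a release pipeline. This is an added example, not code from the interview or from SolarWinds; the toy "compiler", the HMAC stand-in for the vendor's code-signing key, and the source strings are all constructed.

```python
"""Model of a vendor release pipeline (constructed example).

The vendor signs whatever its own build environment produced, so a change
inserted into the source before the build carries a perfectly valid
signature. An independent rebuild from the reviewed source does detect it.
"""
import hashlib
import hmac

# Assumption: the vendor's private code-signing key (constructed, not real).
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def build(source: str) -> bytes:
    """Toy deterministic compiler: identical source must give identical bytes,
    which is the property a reproducible build provides."""
    return hashlib.sha256(b"compile-v1:" + source.encode()).digest()


def sign(artifact: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 stands in for the vendor's code-signing signature."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, sig: bytes, key: bytes) -> bool:
    """What a customer's updater checks: did the vendor sign these bytes?"""
    return hmac.compare_digest(sign(artifact, key), sig)


def reproducible_build_check(artifact: bytes, reviewed_source: str) -> bool:
    """What the signature cannot tell: do the bytes match the reviewed source?"""
    return hmac.compare_digest(build(reviewed_source), artifact)


# Constructed sources: the reviewed code and the same code with a change
# slipped into the build environment (as the interview describes).
REVIEWED_SOURCE = "def collect_metrics(host):\n    return poll(host)\n"
TAMPERED_SOURCE = REVIEWED_SOURCE + "# (constructed) unreviewed change\n"


def release_checks(source_in_build_env: str) -> dict:
    """Run the vendor's release and both customer-side checks."""
    artifact = build(source_in_build_env)
    sig = sign(artifact, VENDOR_SIGNING_KEY)
    return {
        "signature_valid": verify_signature(artifact, sig, VENDOR_SIGNING_KEY),
        "matches_reviewed_source": reproducible_build_check(artifact, REVIEWED_SOURCE),
    }
```

For the tampered release the signature check passes while the rebuild comparison fails; only the second check is sensitive to what happened before signing.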
What is the current status in Germany? How effective is IT security in key areas and critical infrastructures (hospitals, energy grid, public authorities), and which areas are mainly at risk?
"IT security has become much more important in recent years. Awareness has increased, and IT security plays a much greater role than it did a few years ago. However, the complexity of attacks has also increased significantly and the nature of the threat has changed drastically during the last few years. Many of today's cyber attacks are carried out by powerful attackers, especially state organizations. State adversaries are of particular concern because they operate over the long term and have significant technical capabilities and resources. Almost weekly, incidents are reported that reveal that today's security solutions are highly inadequate against such attackers. Attacks on critical infrastructures are of particular importance - such systems are unfortunately often inadequately secured in practice. Successful attacks on hospitals by ransomware and sophisticated attacks on various government agencies illustrate this. So in the future, more attacks on such systems are to be feared, and we need to secure such systems more effectively to minimize potential damage."
What should journalists keep in mind when reporting on this topic? How sure can one be, for example, about the attribution of the attacks? At what point can assessments by independent experts provide added value?
"Precise attribution of attacks on IT systems is a difficult problem, especially because attackers can disguise or even falsify their tracks relatively easily. In the case of SolarWinds, many clues point to an origin in Russia, and various agencies independently came to this assessment. Unfortunately, there is often little information publicly available about such attacks, making it difficult for external experts to investigate. Nevertheless, an independent opinion can often provide added value, especially to obtain an additional assessment of the extent and potential implications of an attack. Journalists should therefore try to obtain an independent assessment and take it into account when reporting. Often, details of an attack and the damage it has caused only become known after a few days or weeks, and a revision of the assessment may then also be necessary."