What is happening with SolarWinds and Sunburst pt. 1
The SolarWinds hack is bad, but not as bad as war, and probably more a result of total negligence than superior adversary capabilities.
This essay will be unlike other essays because I am explaining a currently and rapidly unfolding event: the SolarWinds hack. I have waited until this week to post, to allow some dust to settle, to better understand what is going on. There are plenty of sources for “hot takes,” and the OSIRIS Codex is explicitly not one of them. Nonetheless, the SolarWinds hack—or Sunburst—is too big to address adequately in a single installment, so this is the first of at least two (and perhaps more) essays in the coming weeks. Merry Christmas!
Because there is so much information to cover, these essays will actually be short explanations rather than fully formed essays. You can look at the header of each section to know the basic point of the section. I refuse to call this an “explainer” because many media organizations (I’m looking at you, Vox) use the title “explainer” to present opinion as if the opinion were a self-evident fact. I will do my best to distinguish between objective facts and my explanations, which inherently represent a debatable argument.
You can check out OSIRIS Brief 0.21.0 for a summary of the facts as we know them.
SolarWinds is a Business Intelligence Company
The SolarWinds hack is a big problem because SolarWinds’ products are what is commonly called Business Intelligence (BI). BI can be outward- or inward-facing, and it helps companies operate and compete better. Most people probably think of outward-facing BI, because “intelligence” in most cases involves learning something about the market or your competitors. Inward-facing BI is probably more important and is increasingly popular. BI products are a part of the Office 365 professional suite, for example, making them as accessible to most companies as document processing or email.
Inward-facing BI collects information about a company or organization to help them be more efficient at their jobs. The stale joke about “meetings that could have been emails” is an example of inefficiency sapping a company’s competitive advantage. I don’t know if BI can identify which meetings could be emails, but BI can do a lot. BI software collects massive quantities of data and processes those data using “data analytics” including statistics, machine learning, and artificial intelligence (AI) to find problems people in the organization might not even be aware of. BI is a practical application of Big Data.
A breach of BI data is a different kind of problem than a breach of the NSA or CIA would be. Because so many US government organizations and Fortune 500 companies use SolarWinds to track their own internal processes, SolarWinds’ data could help an adversary understand economic and government processes at an extremely granular level. As I have explained elsewhere, information granularity allows adversaries to develop and execute exquisite strategies that would be impossible without it. Knowing how the Treasury Department or Ford runs its day-to-day operations is not the same as having access to the plans for the invasion of Midway Island, but it might be like knowing who gets along and who doesn’t in the government, which could be more valuable in the long run.
The SolarWinds Hack was Malware Written into Code
SolarWinds is a legitimate company, but starting in April, its programs were distributing malware. Malware is any kind of program that does something to your computer that you don’t want done. The media and general public often call all malware “viruses,” but not all malware is a virus. The SolarWinds malware was a trojan, which—like the Trojan Horse of yore—pretends to be something it is not in order to gain illicit access to privileged information. Various companies use different names for the SolarWinds trojan, but I will call it Sunburst, which is the name FireEye assigned.[1]
Sunburst is a dangerous trojan because it operates inside legitimate programs that people deliberately installed onto their computers. If you have ever had a trojan on your system, it was probably because you installed something you downloaded from a sketchy site, or you didn’t realize which program you were really installing. While it is possible to find real-but-illegal free copies of software online, it is also easy to accidentally install “Winddows 11,” which is malware.[2] Sunburst, by contrast, was part of the program that companies and governments paid for, and it came through legitimate download processes. There was no reason for the victims to think they were compromising their own systems.
Sunburst Probably Got Injected Through Plain-Old Negligence
A lot of people have made hay about how sophisticated the SolarWinds trojan is, for good reason, but it is possible the attackers were able to inject the malicious code because of negligence. I stipulate here that, so far, we have no public information identifying how Sunburst arrived in SolarWinds’ code. The negligence I and others allege may be a crime, and such information may not be forthcoming, as it would impede future prosecution. Furthermore, those accused of any crime deserve the presumption of innocence in legal proceedings, and nothing I am about to allege should be taken as a presumption of guilt by any specific party.
In September 2019, six months before the threat actor injected Sunburst, Vinoth Kumar discovered that the password to SolarWinds’ repository was “SolarWinds123”. A repository is a place to store and develop the code from which programs are built, and knowing the password would allow a bad actor to insert a trojan like Sunburst. Kumar acted responsibly: after verifying the vulnerability, he notified SolarWinds. Even if SolarWinds fixed the vulnerability and Sunburst entered their code another way, such a weakness is literally a punchline from a Mel Brooks film and is negligence of the highest order.
Sunburst itself is impressive malware, using multiple techniques to avoid detection, but we should temper our assessment of the trojan with an understanding of how the trojan alighted in the code in the first place. If you returned home and found that all your valuables had been stolen, but nothing else had even been moved, you would be impressed by the thieves’ sophistication. You might still be impressed with the thieves’ sophistication if all of your doors were unlocked, but since entering your home was so easy, you should be less impressed. Similarly, if SolarWinds was negligent in their security, the responsible APT still deserves credit as a threat for developing a dangerous trojan, but the larger problem was a basic failure of security.
Early Takeaways from this Essay
It is still too early in the process to have solid findings, but Sunburst illustrates some things we already knew. First and foremost, do not have a stupid password. If your password is “password,” or anything equally stupid, no amount of encryption or other protection can save you.
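To make the first takeaway concrete, here is an added example (not from this essay, and not SolarWinds’ own code) of the kind of contextual password check a repository or build server could enforce: it strips the decorations users bolt onto a dictionary root (case, trailing digits, leet substitutions) and rejects anything derived from the organization’s own name. The forbidden-term list and the 14-character minimum are assumptions chosen for the example.

```python
import re
import unicodedata

# Constructed for this example: roots an organization would forbid in any
# password (its own name, its product names, and the word "password").
ORG_TERMS = ("solarwinds", "orion", "password")

# Common character substitutions that dress up a dictionary root.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def root_of(password: str) -> str:
    """Reduce a password to its alphabetic root.

    Order matters: trailing digits/symbols (e.g. '123', '2020!') are removed
    *before* leet substitution, so that '1' in a suffix is not read as 'i'.
    """
    s = unicodedata.normalize("NFKC", password).lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing digits and symbols
    s = re.sub(r"^[^a-z]+", "", s)   # drop leading digits and symbols
    return s.translate(LEET)


def check_password(password: str, org_terms=ORG_TERMS, min_len: int = 14) -> list:
    """Return a list of findings; an empty list means the password passed."""
    findings = []
    if len(password) < min_len:
        findings.append(f"shorter than {min_len} characters")
    root = root_of(password)
    for term in org_terms:
        if term in root:
            findings.append(f"derived from forbidden term '{term}'")
            break
    # A single word followed by a short number (a year, '123') is the classic
    # pattern that "SolarWinds123" belongs to, regardless of the word itself.
    if re.fullmatch(r"[a-z]+\d{1,4}[!.?]*", password.lower()):
        findings.append("single word followed by digits")
    return findings


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for candidate in ("SolarWinds123", "S0larW1nds2020!", "rV7#kLp9$qWx2mZ!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The leet and suffix normalization is what lets the check catch variants such as “S0larW1nds2020!” that a plain string comparison against “SolarWinds123” would miss.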
Second, your security is only as good as the weakest link in the chain. FireEye is a literal security company, and a good one at that, but someone got FireEye’s information through SolarWinds. We don’t know for sure how an adversary got into SolarWinds’ code, but that vulnerability affected FireEye all the same.
In upcoming essays, I’ll address the following: Why we can be reasonably confident the Russians were responsible for the hack. Why we can draw conclusions about the Russians’ intents based on the targets they chose. Why this is not like having Russian bombers fly over the US undetected (sorry, Sen. Romney, but you’re wrong).
[1] Honestly, because it is easy to remember that it associates with SolarWinds.
[2] Real trojans actually don’t have to have fake-sounding names, like store-brand knock-offs. I only used this name as an illustration.
David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at dbenson@osiriscodex.com.