Ill winds

As anyone who has had to investigate a breach will tell you, it can take a very long time to get to the bottom of the matter

It's never been a more dangerous time to be in business. Are you prepared? 

The dust is settling months after the SolarWinds attack, but we’re still feeling the shockwaves from what Microsoft president Brad Smith is calling the ‘largest and most sophisticated attack the world has ever seen’. Speaking on 60 Minutes in mid-February, he said the company reckoned that over 1 000 engineers had worked on the malicious code, the core of which comprised 4 032 lines. He also said the company had been using SolarWinds tools in some parts of its network, and that some source code was stolen. Its security team said it had become aware in November that someone was viewing a file in a source code repository, and that the intruder had attempted to do so again in January, after which the attempts stopped. The company said the repositories included a subset of Azure components, and those of Intune and Exchange.

Microsoft joins the 17 000 or so organisations believed to have been affected, among them the US State Department, its National Institutes of Health, and Department of Homeland Security.

To recap the incident, hackers were able to penetrate the update server of Orion, a network management product from SolarWinds. Everyone who downloaded an update between March and June thus gave the hackers access to their systems. Four US cyber agencies in January formally accused the Russian government of orchestrating the attack, which they described as an intelligence-gathering operation. But what was seized? As anyone who has had to investigate a breach will tell you, it can take a very long time to get to the bottom of the matter. And, as the Security Boulevard website says in its comprehensive opinion piece on the subject, things are not likely to stop there. Now that the Orion vulnerability has been made public, it can be used by others to get inside vulnerable networks. The piece goes on to say that by international norms, Russia did no wrong, and that this, it seems, is a normal state of affairs.

Kaspersky has now said the SolarWinds malware resembled code used by a group called ‘Turla’, which Estonian authorities say operates on behalf of Russia’s FSB security service.

Moscow has repeatedly denied the allegations, while the FSB did not respond to a request for comment from Reuters.

The time of the spoof

It’s not yet clear if any entities in South Africa were compromised, but networks in Canada, the UK, Spain and Israel, among others, were targeted.

Craig Rosewarne, managing director at Wolfpack Information Risk, says in the digital world, ‘anything and everyone can be spoofed to any degree. That’s the challenge’.

He says that when his firm consulted clients after a breach, in almost all cases they had not been managing and tracking their logs properly, meaning the audit trail quickly went cold.

He says criminals are becoming more brazen. “If I was them, I’d definitely target developing countries, and not the US or developed European countries that have more resources to investigate cybercrime and prosecute criminals.”

Indeed, our own government’s capability to investigate cybercrime is perceived to be very poor, with little implementation, and slow response times.

Rosewarne says he’s seeing quite a few companies embarking on privacy projects before the PoPI Act deadline on July 1 this year. He’s also seeing large enterprises awaken to the third-party risk they may be exposed to through their relationships with SMBs, which are themselves being asked to explain how they’re managing the personal information in their businesses.

It’s important to take a risk-based approach: identify the key assets of the business, where most of its money is generated, who its main clients are, and where it has strategic interactions with suppliers.

He’s also seen an uptick in companies wanting ISO 27001 certification, in some cases because they are suppliers to other, typically international, companies. He sees more focus on incident management: businesses are making sure procedures are in place, and are running crisis management training. Ransomware is still a concern, he adds, and Wolfpack has already dealt with a few big cases this year. He says some businesses, typically large ones, are fearful of not being PoPI-compliant and have expended some effort, while others are in the ‘wait-and-see’ camp, and these attitudes mirror their attitudes to security.

“Some companies take a big chance and don’t do things properly, including PoPI, and take shortcuts everywhere because they’re trying to save money and time.

“They think, ‘we’re not a bank, so nothing’s going to happen to us’.”