This article was originally published in Insurance Day (subscription required).
Cybersecurity company FireEye was the first to reveal that a serious threat actor had hacked its internal network via a compromised SolarWinds Orion application, closely followed by several U.S. government agencies. SolarWinds Orion IT monitoring and management software has over 300,000 customers worldwide, including 425 of the U.S. Fortune 500 businesses, and significant penetration in many U.S. government, federal, and military agencies. It is a tantalizing prize for any successful hacker, as it provides oversight of, and access to, a corporation’s entire network.
After these announcements in mid-December 2020, cyber insurers are still trying to estimate the scale of the impact. In doing this, two questions arise. Who else could have been impacted, and to what extent: how big an event is this likely to be? And what else can we learn from this with regard to future events?
How Big an Event Is This Likely to Be?
To understand how large an insurable loss could be, we need to understand:
- Which entities have been compromised, and at what scale?
- How much harm has occurred at each of these entities, and what is the cost of that harm?
- How much insurance has been purchased, and does it apply to this kind of loss?
First, to understand how many entities could be exposed, we need to understand the nature of the attack. This was a two-phase supply chain attack. The attackers did not start with their ultimate target organizations; the first phase cast the net wide by compromising the upstream supply chain. The initial speculative view suggests that up to 18,000 SolarWinds Orion customers may have downloaded malicious “SUNBURST” software through the company’s auto-update process.
Once key targets were compromised and identified, the true attack began, with the download of “TEARDROP”. Here the attackers worked slowly and deliberately, looking to target just a small subset to reduce the likelihood of discovery when chasing their true strategic objectives.
Analysis of decoded “pings” sent from TEARDROP deployments back to the command-and-control server suggests that between 100 and 280 entities were compromised. FireEye and Microsoft both examined their client data, suggesting around fifty clients were impacted. But what harm was done at these impacted entities? Information on the harm caused is even harder to come by. Without hard data, we must first consider the motivation of the attacker, and only then the harm being done. To do this we need attribution.
Attribution of cyberattacks is always difficult and prone to error. Digital forensics experts provisionally pointed to “APT 29 – Cozy Bear”, a Russian state-sponsored group believed to be associated with the Russian Foreign Intelligence Service (SVR). APT stands for Advanced Persistent Threat, a label typically applied to large nation-state cyber threat groups.
If the threat actor is a nation-state, its targets are more likely to be political than economic. Such objectives do not normally lead to large insurable losses; the predominant costs would be forensics and incident response, which typically amount to losses in the range of millions of dollars per entity (for the size of enterprise likely to have been targeted in this event).
Finally, the insurability of the event is a more subjective question. First, if the targets are government entities, they are unlikely to have any private insurance. Second, insurers might seek to exclude losses on the grounds of the supposed “nation state” origin of the loss, though how effective such exclusions would be is yet to be tested.
What Can We Learn From This Event?
First, it does not always take a nation-state aggressor or advanced skills to pull off a SUNBURST-style attack. Early in 2017, Reuters reported that multiple criminals were selling access to SolarWinds’ computers through underground forums. Also, security researcher Vinoth Kumar posted on Twitter that he had notified SolarWinds back in November 2019 that their download/update server was accessible using the highly guessable password “solarwinds123”.
Given the basic mistakes still being made by both companies and individuals, attack modes do not need to be sophisticated. Large-scale aggregation events, in which multiple entities are impacted by the same threat or vulnerability, are not merely possible but can also be carried out by threat actors lacking the skill and motivation of nation states.
Therefore, a threat actor could have had undetected backdoor access to an enterprise network for weeks, months, or years. What other attacks could have been carried out? The answer depends on which threat actors had access: it could have been anything from ransomware or data exfiltration to operational damage. Network access is also frequently sold on the black market, so the initial threat actor might not be the one hacking the network.
What else do we know about supply chain attacks? In-Q-Tel Labs recently published a study based on analysis of 130 known cases of supply chain attacks. Several findings stand out. IT supply chain attacks are not new; the earliest cases date back to 2003. Attacks are increasing at a staggering rate, though the authors admit their data capture of these events is far from exhaustive.
Over 40 percent of observed attacks are of the simplest kind, such as typosquatting, where a hostile package is given a name similar to that of a legitimate package. More complex attacks, such as the software build system compromise used in the SolarWinds Orion case, are rarer. Overall, these attacks can last a significant period of time: “dwell time”, the number of days a threat remains undetected within the compromised environment, averages over a month, and five reported cases had dwell times of between two and four years.
Prior to SUNBURST, we had not seen a successful large-scale supply chain attack since the 2017 NotPetya event, but there have been many near misses. In 2018, backdoors were pushed onto hundreds of thousands of Asus computers, while in late 2017, 2.3 million customers downloaded a compromised update of CCleaner, a free PC system performance optimizer. With only slightly different outcomes, both events could have led to headline news and catastrophic losses for the cyber insurance industry.
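The typosquatting pattern described above (a hostile package named to look like a legitimate one) is the kind of supply chain risk a dependency policy can screen for mechanically. The following is an added illustration, not code from the article, from In-Q-Tel Labs, or from SolarWinds: it normalizes package names the way package indexes commonly do, measures edit distance against a constructed list of trusted packages, and flags names that are close to, but not exactly, a trusted name. The trusted list, the sample requirements lines and the distance threshold are all assumptions made for the example.

```python
"""Typosquat screening for dependency names.

Added example; not from the article or any cited study. TRUSTED_PACKAGES and
SAMPLE_REQUIREMENTS are constructed inputs for illustration only.
"""
import re

# Constructed allowlist: the packages an organisation has vetted (assumption).
TRUSTED_PACKAGES = {"requests", "urllib3", "numpy", "python-dateutil", "cryptography"}


def normalize(name: str) -> str:
    """Fold case and separator variants so 'Python_Dateutil' == 'python-dateutil'."""
    return name.lower().replace("_", "-").replace(".", "-")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert / delete / substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_package(name: str, trusted=TRUSTED_PACKAGES, max_distance: int = 2) -> dict:
    """Classify a requested package name.

    'trusted'    - normalized name is exactly a trusted package
    'suspicious' - within max_distance edits of a trusted package (typosquat candidate)
    'unknown'    - not close to anything trusted; needs ordinary review
    """
    norm = normalize(name)
    trusted_norm = {normalize(t): t for t in trusted}
    if norm in trusted_norm:
        return {"name": name, "verdict": "trusted", "closest": trusted_norm[norm], "distance": 0}
    if not trusted_norm:
        return {"name": name, "verdict": "unknown", "closest": None, "distance": None}
    closest, dist = min(((t, edit_distance(norm, tn)) for tn, t in trusted_norm.items()),
                        key=lambda pair: pair[1])
    verdict = "suspicious" if dist <= max_distance else "unknown"
    return {"name": name, "verdict": verdict, "closest": closest, "distance": dist}


def audit_requirements(lines) -> list:
    """Return the check results for every requirements-style line flagged suspicious."""
    flagged = []
    for line in lines:
        spec = line.split("#", 1)[0].strip()      # drop comments
        if not spec:
            continue
        # Cut the name off at the first version specifier, extra marker or space.
        name = re.split(r"[<>=~!\[; ]", spec, maxsplit=1)[0]
        result = check_package(name)
        if result["verdict"] == "suspicious":
            flagged.append(result)
    return flagged


# Constructed requirements lines; the misspelled names are deliberate test input.
SAMPLE_REQUIREMENTS = [
    "requests==2.25.1",
    "reqeusts>=1.0  # constructed: transposed letters",
    "numpy",
    "urlib3~=1.26   # constructed: dropped letter",
    "flask==1.1.2",
]

if __name__ == "__main__":
    for hit in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"{hit['name']!r} looks like {hit['closest']!r} (distance {hit['distance']})")
```

Plain Levenshtein counts a transposition as two edits, so a threshold of 2 still catches swapped-letter names; for very short package names a distance of 2 will also flag unrelated names, so in practice the threshold is usually scaled to name length and the result feeds a human review queue rather than an automatic block.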
It is unlikely this event will lead to catastrophic insurance losses. A relatively small number of entities were actually compromised (by TEARDROP), and the objectives of the alleged attacker in the SolarWinds Orion attack might result in theft of non-personally identifiable information, for which there is limited insurance coverage. However, had this access been used to deploy ransomware or a more generic malware, insurable losses could have been catastrophic.
At RMS, we model a variety of systemic cyber events, most notably ransomware/malware, cloud outages, data breach events and supply chain attacks. We use events such as this attack, together with counterfactual analysis, to understand, calibrate and parameterize these simulations and our modeling. By quantifying cyber risk and understanding what is driving it, you can then begin to manage it effectively.