SolarWinds and Supply Chain Attacks: what do you need to know? Does this affect your business?
SolarWinds produces a monitoring and management solution called Orion, which is used by a lot of IT companies and departments. The SolarWinds software was hacked. Victims of the hack include Microsoft, various U.S. federal departments, and security firm FireEye. It’s estimated that over 18,000 organizations in the States were affected. I haven’t seen any figures for Canada, but SolarWinds has a presence in Ottawa.
Supply Chain Attack
The SolarWinds hack was so effective because it hid in trusted software. That is a classic supply chain attack: trusted software is infiltrated. An earlier example is the CCleaner hack in 2017. CCleaner is used by both companies and consumers, and the hack affected tens of thousands.
What did the hackers get?
It will take months for some organizations to figure that out. Microsoft admitted that hackers got access to the source code of Windows and some other software. The U.S. Department of Justice reported that hackers got control of their Office 365.
In some cases the hackers got access to third parties who never had any SolarWinds software installed on their networks; they dealt with IT companies that use it. Make IT Work Computer Solutions does not use any SolarWinds products to support clients.
Who were the hackers?
The hack has been attributed to the Russian group Cozy Bear. The main target seems to have been the U.S. government but, as with so many of these hacks, there was a lot of collateral damage to businesses. When Russian hackers went after Ukrainian software, they brought down the Maersk shipping conglomerate, which affected thousands of small businesses reliant on their shipping.
How does this affect your business?
First, your small business could end up as collateral damage from another company that was hacked via the SolarWinds software. Second, the long-term implications of this hack are unknown and/or unpublicized. The first point is the most important. I still run into business owners who are convinced that, because of the small size of their business, they don’t have to worry about hackers or keeping up to date. They are wrong.