One of the most sophisticated, worrying, and underreported hacks in history is making news again. In 2020, it was discovered that the observability and IT management platform SolarWinds had been hacked by Russian entities. This wasn’t the standard hack though that companies like MGM and Equifax have dealt with in recent years, here data has been mined and either held hostage for financial gains or released to the dark web.1,2 It may have been more sinister.
SolarWinds was not the first to discover that they had been hacked. In late 2020, cybersecurity firm Mandiant had noticed that they, themselves, had been breached.3 Through weeks of tireless investigation, they discovered that the source of the issue was a server running SolarWinds software. What the Mandiant team had found was a backdoor into SolarWinds’ Orion software that was present in a recent update download from SolarWinds’ website. With this finding, Mandiant had discovered what is known as a supply chain attack. A supply chain attack is a security breach stemming from an initial intrusion into a supplier that opens vulnerabilities into their clients’ systems. In this case, that list included up to 33,000 SolarWinds Orion customers, and allowed access to emails and employee authentication systems. This is why supply chain attacks are so dangerous. By attacking the root of a tree, the intrusion can poison all branches. Adding to the fear-inducing nature of this discovery was that the initial breach had occurred, unnoticed, nearly two years before Mandiant’s findings. The malicious code had sat in SolarWinds build systems for that entire time, patiently expanding its reach into more and more client systems. Ultimately, the hackers dove deeply into only 100 or so of SolarWinds’ clients and largely used their access for espionage, but the damage could have been far worse.
As recently as October 31, 2023, this case has been brought back up in the public eye, with US regulators filing a lawsuit against SolarWinds for fraud within their reporting practices on security risks.4 The US Government is especially motivated for action because many government agencies used SolarWinds software, and the DOJ had alerted SolarWinds to odd intrusion behavior six months prior to Mandiant’s discovery.
Choosing the right technology partner is crucial for a myriad of reasons. In today’s climate though, electing a trustworthy supplier when it comes to cybersecurity is one of the most important. Mandiant is one of the foremost authorities on cybersecurity in the world, and they were affected because of alleged negligence from one of their suppliers. Mandiant and the DOJ are not unique in this. As these types of attacks grow in popularity (up 700% in the last three years!), relying on internal cybersecurity practices alone will not be enough to protect any organization from cyber threats. Procurement departments in every company must place the security practices and reputation of each of their suppliers at the highest level of importance within the vendor-selection process. Our advice to you: ask more of your technology providers by ensuring that each one of them complies with all your own organization’s internal security controls and that they are immediately transparent in any identified risks.
This is why, at Green Cabbage, we conduct business through our industry-leading, SOC1, SOC2, SOC3, and GDPR-compliant platform, OneWorkspace. Rather than sending contracts and invoices via email, we leverage the security blanket of data encryption both in transit and at rest to ensure our clients’ data is not at risk of being compromised. We continually treat all data as if it were our deepest, darkest secrets, because to technology suppliers, pricing data is that protected. This is why suppliers put heavy confidentiality language in each agreement, promising stiff penalties to anyone who violates that trust, whether intentional or not. Because of our secure platform and status as a trusted advisor, we operate cleanly within contract confidentiality language. In a world where digital threats are present everywhere, working with companies like Green Cabbage can help you breathe easier.
References
Written by: Head of Product Development at Green Cabbage, Bennett Falck
Comments