CISA: Firewall Rules Could Have Blunted SolarWinds MalwareAgency Says Blocking Outgoing Connections From Orion Would Have Stopped Malware
Federal agencies could have prevented follow-on attacks after the SolarWinds supply chain attack by using recommended firewall configurations, but this step isn’t always feasible, the Cybersecurity and Infrastructure and Security Agency says.
That advice came in a June 3 letter written by CISA acting Director Brandon Wales. Wales was responding to questions posed by Sen. Ron Wyden, D-Ore., about the SolarWinds attack. Wyden had questioned CISA about the cybersecurity readiness of federal agencies, Reuters reported on Monday.
The senator sought to clarify why federal agencies were caught off guard by the attacks. The U.S. government believes that Russian hackers, likely working at the SVR intelligence agency, waged the espionage attack against SolarWinds, which led to follow-on attacks on nine federal agencies and 100 companies (see: Analysts Uncover More Servers Used in SolarWinds Attack).
The attackers inserted the Sunburst backdoor into a software update for SolarWinds' Orion network monitoring software. More than 18,000 organizations downloaded the malicious update, opening the door to the follow-on attacks.
'Neutralized the Malware'
Wyden questioned why federal agencies that used Orion did not have their firewalls configured to block outgoing traffic from it. Doing so would have prevented the first-stage malware from calling back to the attackers' command-and-control infrastructure. The senator pointed out that the National Institute of Standards and Technology and the National Security Agency recommend that firewalls only allow outbound traffic required for operational tasks to pass.
Wales wrote that CISA agrees with that guidance, but that "it would be impractical for CISA to direct individual agencies to adopt specific network and device configurations on a broad scale, particularly given the unique operational requirements of each agency." Experts generally advise against overly prescriptive cybersecurity rules.
Wyden wrote that SolarWinds' CEO told his office in a recent briefing that there was no need for Orion servers to reach unknown servers on the internet, although Orion did have limited outbound contact with SolarWinds.com.
Wales responded by writing that organizations that blocked outgoing connection attempts by Orion never saw follow-on exploitation. But he said that stopping those outgoing connections wasn't necessarily feasible for all organizations.
"CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralized the malware," Wales wrote.
Who Detected It? No One, CISA Says
The SolarWinds supply chain attack kick-started a range of measures from the federal government designed to shore up network security. Although attacks involving tainted software updates have occurred before, the scale and reach of the SolarWinds incident underscored the difficult of detecting supply chain attacks.
Wyden questioned how the attack evaded detection. The federal government runs the National Cybersecurity Protection System, a monitoring system, and Einstein, a component that acts as an early-warning intrusion detection and traffic monitoring system. Wales wrote that CISA is shifting the Einstein system from the perimeter to deeper inside federal networks to improve threat detection.
When the SolarWinds intrusions were occurring, "there were no as-of-yet known network-based prevention and detection indicators to identify this activity. This was true for the entire community of network defenders, including CISA," Wales wrote. "It bears noting that commercial capabilities using non-signature-based detection techniques were similarly unable to detect the SolarWinds intrusions at government and private sector victims."
In December 2020, FireEye was the first company to step forward, saying its penetration testing tools had been stolen by a nation-state actor. In the days that followed, FireEye's intrusion was pinned on the SolarWinds' Orion backdoor, and the list of affected companies and U.S. government agencies grew.