24 Dec 2020 Bulletin: Implications of the SolarWinds Breach for Waterfall Customers
Last updated: December 24, 2020
Industrial control system networks protected by Waterfall’s Unidirectional Security Gateways and related products are at minimal risk from the recent SolarWinds breach. This bulletin summarizes the SolarWinds breach and recommends risk assessment and risk mitigation actions for unidirectionally-protected networks.
Readers should note that the details of this breach are still coming to light. Waterfall recommends that customers track this issue closely, because further analysis of the malware and the adversary may reveal additional attack behaviors and threats.
Background: SolarWinds Breach
On December 8, 2020, FireEye disclosed that they had been breached by a sophisticated threat actor. On December 13, FireEye released a detailed analysis of the breach, identifying and describing malware inserted into software updates for the SolarWinds Orion network management product. SolarWinds has issued a security advisory detailing the affected updates and versions, and has also stated that up to 18,000 customer organizations may have installed the compromised updates.
The FireEye bulletin describes the attack as sophisticated:
- The compromised update was signed with SolarWinds keys and so appeared to be a legitimate software update.
- The malware used sophisticated techniques to detect and evade sandboxing anti-virus checks.
- The malware provided remote-control capabilities to an Internet-based command and control center (C2).
- Communications with the C2 were steganographically encoded to evade network intrusion detection systems and deep packet inspection systems.
- C2 communications were designed to deceive security personnel by using IP addresses in the countries of targets and host names selected from the networks of targets.
- Microsoft reports that the remote-control malware appears to have been operated actively at only a very small fraction of the 18,000 possibly affected organizations.
Organizations that may have installed the compromised SolarWinds Orion updates anywhere in their industrial or enterprise networks need to take measures to control their risk. A list of useful resources and mitigation advice is at the end of this bulletin.
By far the most common design for networks protected by Waterfall’s Unidirectional Security Gateways is a “unidirectional only” design where:
- Waterfall’s Unidirectional Security Gateways are the sole connection between the protected industrial network and any external networks, and
- The gateways are oriented to transmit information exclusively from the protected industrial network out to external networks.
In these networks, there is no way for a compromised enterprise network or other external network to extend the influence of attackers through the Unidirectional Gateways into the protected industrial network.
Furthermore, even if compromised SolarWinds Orion software updates have been installed on the protected industrial network, the current analysis of the malware suggests that the risk is minimal. That analysis indicates that, beyond installing itself on a compromised machine, the malware takes no further action until it receives instructions from the adversary’s Internet-based command and control center (C2). No such instructions can penetrate through Unidirectional Security Gateways to reach the malware.
Waterfall therefore recommends that customers examine their unidirectional-only industrial networks. If the compromised SolarWinds Orion software updates were installed on any machines in those networks, Waterfall recommends that the affected machines be erased and rebuilt from known-good media.
Other Unidirectional Networks
For other types of unidirectionally-protected networks, there may be additional risks. For example, some customers have networks that are unidirectional-only with one exception: a Waterfall Secure Bypass unit installed to provide physical control over occasional interactive remote access. If an enterprise network has been compromised and actively exploited by the adversary behind the SolarWinds malware, then there is a risk that remote access credentials have been stolen and remote access technologies compromised. Such compromises might permit an adversary to extend their influence into the industrial network during the periods when the Secure Bypass module is activated.
For customers in these circumstances, Waterfall recommends examining the kinds of connectivity enabled while the Secure Bypass module is engaged and examining industrial networks for potential exploitation of that connectivity. At the very least, consult logs and tamper-proof forensic records of interactive remote access sessions and confirm that every session that occurred since the malware was installed was legitimate.
Waterfall customers who would like assistance with assessing the risks of networks whose external connectivity is not exclusively unidirectional should contact Waterfall Security Solutions personnel directly.
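The log review described above can be partly mechanized. The following is an added illustration, not Waterfall's code or tooling: it reads remote-access session records in a constructed text format, discards sessions that predate the assumed date the compromised update was installed, and flags every later session that either falls outside a recorded Secure Bypass activation window (which should be impossible on an otherwise unidirectional network, so the record itself needs investigation) or used an account that is not on the approved remote-access list. The log format, dates, account names and hosts are all constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample export of interactive remote-access sessions (not real data).
SESSION_LOG = """\
2020-11-02T09:15:00Z user=vendor_tech src=10.20.5.7 dst=hist-01 dur=1800
2020-12-01T14:05:00Z user=plant_eng src=10.20.5.9 dst=hmi-02 dur=900
2020-12-12T22:40:00Z user=contractor_x src=10.20.5.44 dst=hmi-02 dur=600
2020-12-15T03:10:00Z user=svc_orion src=10.20.5.31 dst=eng-ws-01 dur=120
"""

def parse_ts(s):
    """Parse a UTC ISO-8601 timestamp such as 2020-12-15T03:10:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Assumed date the compromised Orion update reached this site (constructed).
MALWARE_INSTALL_DATE = parse_ts("2020-11-20T00:00:00Z")

# Secure Bypass activation windows as recorded by the site's change log (constructed).
BYPASS_WINDOWS = [
    (parse_ts("2020-12-01T13:00:00Z"), parse_ts("2020-12-01T16:00:00Z")),
    (parse_ts("2020-12-12T22:00:00Z"), parse_ts("2020-12-12T23:30:00Z")),
]

# Accounts authorized for interactive remote access into the industrial network.
APPROVED_ACCOUNTS = {"plant_eng", "vendor_tech"}

def parse_session(line):
    """Turn one 'timestamp key=value ...' record into a dict with a 'start' datetime."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["start"] = parse_ts(ts)
    return rec

def review_sessions(log_text, install_date, bypass_windows, approved_accounts):
    """Return (session, reason) pairs that an analyst must review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        s = parse_session(line)
        if s["start"] < install_date:
            continue  # predates the compromised update; outside this check's scope
        in_window = any(a <= s["start"] <= b for a, b in bypass_windows)
        if not in_window:
            findings.append((s, "session outside any Secure Bypass activation window"))
        elif s["user"] not in approved_accounts:
            findings.append((s, "account not on the approved remote-access list"))
    return findings

if __name__ == "__main__":
    for s, why in review_sessions(SESSION_LOG, MALWARE_INSTALL_DATE, BYPASS_WINDOWS, APPROVED_ACCOUNTS):
        print(f"{s['start'].isoformat()} {s['user']} -> {s['dst']}: {why}")
```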
Unidirectional-only networks are much less at risk than networks protected only by firewalls, encryption, intrusion detection and other software measures.
Waterfall recommends that all customers track this attack closely, because further analysis of the malware or of the threat actor may reveal other relevant attack behaviors and risks. For example, there are reports of a second class of malware inserted into SolarWinds updates by a different threat actor; little has yet been published about the characteristics of this malware.
In all cases, Waterfall customers should feel free to consult Waterfall security and solution architect experts for assistance in understanding the capabilities of Waterfall’s extensive line of unidirectional products and in understanding how such capabilities serve to protect against attacks like this one.
- SANS Emergency Webcast: What you need to know about the SolarWinds supply-chain attack
- CISA Current Activity Alert: “Active Exploitation of SolarWinds Software”
- CISA Emergency Directive 21-01: “Mitigate SolarWinds Orion Code Compromise”
- SolarWinds Security Advisory
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- FireEye GitHub page: Sunburst Countermeasures
- Activity Alert 20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Organizations