07-01-2021 | By Sam Brown
Recently, Intel and Nvidia confirmed that the malware planted in SolarWinds software had reached their systems. What is SolarWinds, how was it compromised, and what does this mean for Intel and Nvidia?
On 13 December 2020, it was announced that an outside organisation had compromised multiple branches of the United States government. The intrusion came through a widely used piece of enterprise software, SolarWinds' Orion platform, which is used to monitor and manage networks and systems.
When the attack was announced, SolarWinds stated that Orion versions 2019.4 through 2020.2.1 (released between March and June 2020) carried the malware, and estimated that fewer than 18,000 of its roughly 33,000 Orion customers may have installed an affected update. US government agencies were immediately directed (CISA Emergency Directive 21-01) to disconnect or power down Orion servers to prevent further compromise. The investigation has led many to attribute the operation to Cozy Bear (APT29), a group widely believed to be run by the Russian government.
The implant, named SUNBURST by FireEye, is a backdoor that was compiled into a legitimate Orion component (SolarWinds.Orion.Core.BusinessLayer.dll). After a dormant period it beacons to attacker-controlled infrastructure over DNS and then HTTPS, with its traffic disguised as Orion's own telemetry. Because the code is loaded by the Orion process itself and does its work in memory, it is hard to distinguish from the product's normal behaviour.
Furthermore, the tampered DLL was built and signed with SolarWinds' own code-signing certificate, so it passes signature checks and looks like authentic vendor code; a valid signature proves who signed a file, not that the file is safe. From a technical standpoint, the attackers then used the high privileges Orion already held on the network to reach the identity infrastructure, stole token-signing keys and forged their own authentication (SAML) tokens, which let them move further into highly privileged networks and cloud services.
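Because the implant is signed with a valid vendor certificate, signature checks cannot catch it; the practical detection is in the network traffic it generates. The following is an added example written for this article, not code from SolarWinds, FireEye or any affected vendor. It scans DNS query-log lines for the publicly reported SUNBURST first-stage C2 domain avsvmcloud.com, which the backdoor contacts through a generated subdomain of appsync-api.<region>.avsvmcloud.com. The log-line format, the client addresses and the sample hostnames (including the long generated-looking label) are constructed for the example; the domain, subdomain shape and region labels are from the public IOC reporting.

```python
"""Flag DNS lookups for the SUNBURST command-and-control domain.

Added example for this article, not code from SolarWinds, FireEye or any
affected vendor.  The log-line format and the sample lines are constructed;
the domain, subdomain shape and region labels are from the public IOC
reporting on SUNBURST.
"""
import re
from typing import Dict, List

# SUNBURST's first-stage C2: a generated label encoding the victim's identity
# under appsync-api.<region>.avsvmcloud.com.  Any lookup under this domain from
# an Orion server deserves investigation.
SUNBURST_C2_DOMAIN = "avsvmcloud.com"
SUNBURST_REGIONS = ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")

# Assumed log format: "<timestamp> <client ip> <queried name>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# Constructed sample log; the long label is made up, not a real victim encoding.
SAMPLE_DNS_LOG = [
    "2020-12-14T09:12:01Z 10.1.20.15 www.example.com",
    "2020-12-14T09:12:07Z 10.1.20.15 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-12-14T09:13:44Z 10.1.30.7 downloads.solarwinds.com",
    "2020-12-14T09:15:10Z 10.1.20.15 files.avsvmcloud.com",
    "2020-12-14T09:15:12Z 10.1.30.7 avsvmcloud.com.evil.example",
    "this line is not in the expected format",
]


def classify_query(name: str) -> str:
    """Return 'c2', 'suspicious' or 'ok' for a queried name.

    'c2'         - the exact SUNBURST shape: <label>.appsync-api.<region>.avsvmcloud.com
    'suspicious' - any other name at or under avsvmcloud.com
    'ok'         - everything else.  The suffix match is label-aware, so names such as
                   notavsvmcloud.com or avsvmcloud.com.evil.example are not hits.
    """
    n = name.lower().rstrip(".")
    if n != SUNBURST_C2_DOMAIN and not n.endswith("." + SUNBURST_C2_DOMAIN):
        return "ok"
    labels = n.split(".")
    if len(labels) == 5 and labels[1] == "appsync-api" and labels[2] in SUNBURST_REGIONS:
        return "c2"
    return "suspicious"


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per log line whose query is not 'ok'; malformed lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, client, name = m.groups()
        verdict = classify_query(name)
        if verdict != "ok":
            alerts.append({"time": ts, "client": client, "query": name, "verdict": verdict})
    return alerts


def clients_with_beacons(lines: List[str]) -> List[str]:
    """Distinct client IPs that looked up the C2 domain: these hosts need triage first."""
    return sorted({a["client"] for a in scan_log(lines)})


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_DNS_LOG):
        print(f"{alert['verdict']:10} {alert['time']} {alert['client']} {alert['query']}")
    print("hosts to triage:", clients_with_beacons(SAMPLE_DNS_LOG))
```

Run over a real DNS or resolver log, the list of clients returned by `clients_with_beacons` is the list of machines to isolate and image first; a hit on an Orion server is the expected case, while a hit from any other host means the attackers have already moved on from the initial foothold.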
When films show hackers typing thousands of lines of code, many assume that attackers use complex methods to gain entry. In reality, attackers far more often get in through the most basic mistakes made by users, designers and engineers.
According to multiple reports, SolarWinds had used the password "solarwinds123" for an update server reachable over FTP, and that password had been committed to a public GitHub repository. A security researcher who noticed it used the credentials to upload a test file, then emailed the company about the exposure. Despite replying to thank him for the report, the company went on to make further security mistakes.
Firstly, SolarWinds' own documentation advised customers to exclude Orion's directories from anti-malware scanning, which meant a tampered Orion component would not be scanned either. Secondly, after the backdoored DLLs were identified, SolarWinds did not immediately pull the affected updates from its download site, and multiple people were able to obtain the files and examine the backdoor code.
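The leaked password is the kind of thing a pre-commit or repository scan catches before it reaches a public host. The following is an added example written for this article, not the researcher's tool or any real scanner's ruleset. It runs a handful of illustrative credential patterns over a constructed configuration file, skips obvious template placeholders such as `${API_TOKEN}`, and reports each hit with the value redacted so the report itself does not leak the secret. The file content, the rule set and the placeholder heuristics are assumptions; the AWS key in the sample is AWS's own documentation example.

```python
"""Find credentials committed to source or config files.

Added example for this article, not the reporting researcher's tool or any
real scanner's ruleset.  The patterns are illustrative and the sample config
is constructed to resemble the kind of file that leaked.
"""
import re
from typing import Dict, List

# (rule name, compiled pattern); group 1 is the secret value
RULES = [
    # user:password@ embedded in any scheme:// URL, e.g. ftp://deploy:s3cret@host
    ("credential in URL", re.compile(r"\b[a-z][a-z0-9+.-]*://[^\s:/@]+:([^\s@/]+)@", re.I)),
    # password = value  /  passwd: "value"  (no \b so ftp_password also matches)
    ("password assignment", re.compile(r"(?:password|passwd|pwd)\s*[:=]\s*[\"']?([^\"'\s]+)", re.I)),
    # token / secret / api key assignments
    ("token assignment", re.compile(r"(?:token|secret|api_?key)\s*[:=]\s*[\"']?([^\"'\s]+)", re.I)),
    # AWS access key IDs have a fixed shape; AKIAIOSFODNN7EXAMPLE is AWS's documentation sample
    ("aws access key id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
]

PLACEHOLDER_PREFIXES = ("<", "$", "{{", "%(", "@@")


def is_placeholder(value: str) -> bool:
    """True for template markers like ${VAR}, <fill-me-in>, {{ secret }} that hold no real secret."""
    return value.startswith(PLACEHOLDER_PREFIXES)


def redact(value: str) -> str:
    """Show just enough to recognise the value in a report without reprinting the secret."""
    return value[:2] + "***"


def scan_text(text: str, filename: str = "<memory>") -> List[Dict[str, object]]:
    """Return one finding per (line, rule) hit, skipping obvious template placeholders."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                value = m.group(1)
                if is_placeholder(value):
                    continue
                findings.append({"file": filename, "line": lineno, "rule": rule, "redacted": redact(value)})
    return findings


# Constructed sample, not the real leaked file
SAMPLE_CONFIG = """\
# deployment settings (constructed sample)
ftp_server = ftp.example.com
ftp_user = deploy
ftp_password = solarwinds123
db_url = postgres://svc:ChangeMe!@db.internal:5432/app
api_token = ${API_TOKEN}
password = <your-password-here>
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, "settings.cfg"):
        print(f"{f['file']}:{f['line']}: {f['rule']}: {f['redacted']}")
```

Wired into a pre-commit hook or CI job, a non-empty result from `scan_text` should fail the commit; the point of redacting in the report is that the scanner's own output is often stored in build logs that are just as shareable as the repository.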
The list of organisations affected by SUNBURST continues to grow, and both Intel and Nvidia have recently confirmed in press statements that they were among them. Both companies say they have found no evidence that data was accessed or stolen, but absence of evidence is not proof that nothing was taken.
Intel and Nvidia are companies at the forefront of semiconductor technology, and the theft of their data could be devastating on several fronts. IP theft could let a foreign party develop competing products that either outright violate IP law or modify the IP just enough to pass it off as their own. A competitor holding stolen designs could also release a product before the IP holder does, making the IP harder to defend in court.
The loss of such data also puts national security at risk; developing the latest processors and graphics units helps put a country in a strong military position. Most defence technology is built on electronics, and having the best processors gives military equipment some of its biggest advantages. A foreign nation with access to sensitive processor design techniques such as those developed by Intel or Nvidia (remember, GPUs are extremely important for visual and signal-processing applications) can use those technologies in its own military designs.
The simple reason behind all of the problems caused by SolarWinds stems from one word: stupidity. IoT and IIoT technologies have already demonstrated that designers and engineers alike are not taking security seriously. When a company dealing in network management allows passwords like "solarwinds123", it raises the question of whether laws and regulations need to be made stricter to ensure that the products companies develop, and the people who operate them, follow basic security practices.
Measures as basic as strong passwords and no default credentials go a long way towards making a design hard to break into. No system is perfectly safe, and attackers will always find ways in. However, attackers far more often exploit people's stupidity than obscure attacks built on deep knowledge of a system's fundamentals. In the SolarWinds case, the most glaring example was a password that should never have existed, should never have been written into a file and should never have been uploaded to a public repository; whether that password was the attackers' actual entry point has not been confirmed, but it is exactly the kind of mistake that hands an attacker a foothold for free.
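A password like "solarwinds123" is rejected by a check that screens candidates against the organisation's own context words rather than against composition rules. The following is an added example written for this article, not SolarWinds' policy or any product's code. It follows the NIST SP 800-63B advice to compare a candidate against a common-password list and against context-specific words (company, product, user name), and it normalises leet-speak and trailing digits so that "S0larW1nds!2020" is caught as well. The leet table, the tiny stand-in common-password list and the 12-character minimum are assumptions chosen for the example.

```python
"""Reject passwords that are derived from the organisation's own name.

Added example for this article, not SolarWinds' policy or any product's code.
The leet-speak table, the small common-password list and the 12-character
minimum are assumptions chosen for the example.
"""
import re
from typing import Iterable, List, Tuple

# Common substitutions people use to "strengthen" a word without changing it.
# A fuller implementation would try every plausible letter for each symbol.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

# Tiny stand-in for a breached/common-password list (constructed)
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "admin", "letmein", "changeme"}


def letters_only(s: str) -> str:
    """Lower-case and drop everything that is not a letter: 'solarwinds123' -> 'solarwinds'."""
    return re.sub(r"[^a-z]", "", s.lower())


def unleet(s: str) -> str:
    """Undo leet substitutions, then keep letters: 'S0larW1nds!' -> 'solarwindsi'."""
    return letters_only(s.lower().translate(LEET))


def check_password(pw: str, context_words: Iterable[str], min_len: int = 12) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons).  Screens against length, a common-password list
    and context words (company, product, user name), each in plain and de-leeted form."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    forms = {letters_only(pw), unleet(pw)}
    if pw.lower() in COMMON_PASSWORDS or forms & COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    for word in context_words:
        w = letters_only(word)
        # ignore very short context words, which would match almost anything
        if len(w) >= 4 and any(w in form for form in forms):
            reasons.append(f"derived from context word '{word}'")
    return (not reasons, reasons)


if __name__ == "__main__":
    context = ["SolarWinds", "Orion", "FTP"]
    for candidate in ["solarwinds123", "S0larW1nds!2020", "Password1!", "correct horse battery staple"]:
        ok, reasons = check_password(candidate, context)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(reasons)}")
```

The context list is where the value lies: seed it with the company and product names, hostnames and the account's own user name, and the passwords people actually reach for when a default must be changed in a hurry are the first ones rejected.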