A SolarWinds-style Attack Has Happened Before: Cybersecurity Lessons Learned


A supply chain attack much like the one at SolarWinds, which hit large government agencies and thousands of companies, happened back in 2013-14. What should we have learned from the Dragonfly/Havex attack?

Software Infiltration

A cyberattack group called Dragonfly attacked power plants and industrial sites, employing a tactic very similar to the one used against SolarWinds. “The technique of injecting into a supply chain is absolutely identical,” said Eric Byres, CEO of cybersecurity company aDolus.

Dragonfly hit three companies in Europe that made software for plants, infiltrating them and contaminating some of the software they offered for download. When plant employees downloaded that software, they also downloaded malware known as Havex, which was designed to target industrial control systems, according to Erik Hjelmvik of Netresec.

The malware created a backdoor, a covert connection back to the attackers, so they could get into the industrial and power plants and exfiltrate information about how those critical systems were run and controlled.

Cybersecurity Lessons (That Should Have Been Learned) 

Byres developed a platform to dissect what’s inside software, to see what’s inside your ‘can of soup,’ so to speak. It wouldn’t have prevented the SolarWinds attack, he said, but it would help uncover it. “We need to start getting visibility into the bits and pieces of software that we load onto our plants,” Byres said.

“Where did I get it? Where did my suppliers get it from? Where did their suppliers get it from?” he asked. “If we don’t have the visibility, the bad guys will coattail in on something.”
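Byres' point about visibility is concrete enough to show in code. The following is an added example, not code from Archer News, aDolus or any of the people quoted here. It takes the simplest form of "what is inside the software I just downloaded": hash every file in a vendor download and compare it against a manifest the vendor publishes out of band (the `sha256sum` two-space format is assumed). A trojanized installer of the Havex kind shows up as a modified component, an extra component, or both. The file names, contents and the tampering in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'sha256  relative/path' lines (sha256sum format, assumed) into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        entries[name.strip()] = digest.lower()
    return entries


def verify_bundle(root, manifest):
    """Compare every file under root with the manifest.

    Returns {"ok": [...], "modified": [...], "unlisted": [...], "missing": [...]}.
    'unlisted' is the interesting bucket for a supply chain compromise: a file the
    vendor never shipped but that arrived in the download anyway.
    """
    found = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)

    result = {"ok": [], "modified": [], "unlisted": [], "missing": []}
    for rel, digest in sorted(found.items()):
        if rel not in manifest:
            result["unlisted"].append(rel)
        elif manifest[rel] != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for rel in sorted(manifest):
        if rel not in found:
            result["missing"].append(rel)
    return result


def demo():
    """Constructed scenario: a clean vendor bundle, a manifest made from it, and then
    a tampered download in which one library was altered and one file was added."""
    with tempfile.TemporaryDirectory() as root:
        clean = {
            "setup.exe": b"installer bytes v2.3.1",        # constructed content
            "lib/comms.dll": b"original communications library",
            "README.txt": b"Read me",
        }
        for rel, data in clean.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        # The manifest reflects the clean state the vendor built.
        manifest_text = "\n".join(
            f"{hashlib.sha256(data).hexdigest()}  {rel}" for rel, data in clean.items()
        )
        # Tampering after the fact: patch one component, drop in an extra one.
        with open(os.path.join(root, "lib/comms.dll"), "ab") as f:
            f.write(b" + injected stager")
        with open(os.path.join(root, "lib/extra.dll"), "wb") as f:
            f.write(b"unexpected extra component")
        return verify_bundle(root, parse_manifest(manifest_text))


if __name__ == "__main__":
    print(demo())
```

The check is only as strong as the manifest's provenance: if the hash list is fetched from the same compromised download page, an attacker who replaced the installer can replace the list too. Publish it through a separate channel, or sign it, and keep the last known-good copy on the plant side.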

Organizations need to be careful about what software they trust, Hjelmvik told Archer News. They also need to limit Internet traffic leaving their networks, which makes it harder for a backdoor like Havex to reach its operators or move data out.

Also, they should instrument their systems better so they can do forensic analysis after an attack and find out what happened, he recommended. “Software supply chain attacks are a problem we need to learn how to handle,” Hjelmvik said.
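Hjelmvik's two recommendations above, restricting outbound traffic and keeping records good enough for forensics, go together: a firewall that logs every outbound connection from the plant network gives both an enforcement point and an audit trail. The following is an added example, not code from Netresec or from this article. It runs an egress allowlist over constructed log lines (the key=value line format, the addresses and the allowlist are all assumptions for the example) and reports connections from plant hosts that went anywhere other than the approved destinations. In the Havex case, the backdoor's connection out to its operators is exactly the kind of flow this surfaces.

```python
import ipaddress
import re

# Constructed firewall log; the key=value layout is assumed, not a real product's format.
SAMPLE_LOG = """\
2014-06-12T03:14:07Z src=10.20.4.11 dst=10.20.1.5 dport=502 proto=tcp action=allow
2014-06-12T03:14:09Z src=10.20.4.11 dst=10.10.0.8 dport=443 proto=tcp action=allow
2014-06-12T03:15:02Z src=10.20.4.11 dst=203.0.113.45 dport=80 proto=tcp action=allow
2014-06-12T03:15:40Z src=10.20.7.3 dst=198.51.100.9 dport=443 proto=tcp action=allow
2014-06-12T03:16:11Z src=10.10.0.8 dst=203.0.113.45 dport=443 proto=tcp action=allow
2014-06-12T03:16:30Z src=10.20.7.3 dst=10.20.1.5 dport=502 proto=tcp action=allow
"""

# Assumed plant network and assumed allowlist of (destination network, port or None=any).
PLANT_NETS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_EGRESS = [
    (ipaddress.ip_network("10.20.0.0/16"), None),   # traffic staying inside the plant
    (ipaddress.ip_network("10.10.0.8/32"), 443),    # internal update/patch server only
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Turn one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_any(addr, nets):
    return any(addr in net for net in nets)


def egress_allowed(dst, dport, allowlist):
    """True if some allowlist entry covers this destination and port."""
    return any(dst in net and (port is None or port == dport) for net, port in allowlist)


def unexpected_egress(log_text, plant_nets=PLANT_NETS, allowlist=ALLOWED_EGRESS):
    """Return connections that left a plant host for a destination not on the allowlist.

    Only lines with action=allow matter here: they are the flows that actually got out
    and are the ones to chase during an investigation.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow":
            continue
        if not in_any(rec["src"], plant_nets):
            continue
        if egress_allowed(rec["dst"], rec["dport"], allowlist):
            continue
        hits.append((rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


if __name__ == "__main__":
    for ts, src, dst, dport in unexpected_egress(SAMPLE_LOG):
        print(f"{ts} plant host {src} reached {dst}:{dport} outside the allowlist")
```

Run as a detection this gives an alert; run over a week of retained logs after the fact it gives the timeline Hjelmvik is asking for, which is why the logging has to be in place before the incident rather than switched on afterwards.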

Watch the full interview with Eric Byres, CEO of aDolus, Inc.