Looking at the recent SolarWinds breach and the exploitation of the Microsoft Exchange 0-day, the threat actors behind each started at the beginning of the Cyber Threat Cycle: they needed reconnaissance to identify the right target and to stage the initial attack.
This is key to the first part of Zix Layered Protection. Preventing the initial attack takes the least amount of resources and can save the organization the biggest headache. Further, many fail to realize that the majority of successful attacks are rooted in well-established techniques. Like their counterparts in security, threat actors balance sophisticated techniques with ease of use: if there is an easy way to infiltrate a target, they will take it. The SolarWinds breach was years in the making, and as sophisticated as the technique for dropping malware into the SolarWinds Orion build was, the breach almost certainly started with an email. The evidence discovered so far supports this assumption.
Inside the SolarWinds breach
Reconnaissance and attacking the target
There are numerous ways to collect reconnaissance from a target to determine the right attack, and in the SolarWinds case it would appear that email was a primary research tool and ultimately the attack vector.
Points of evidence:
- According to the SEC filing, email was a primary attack vector during the initial SolarWinds attack, and APT29 is known to run phishing campaigns as a standard tactic.
- During the Malwarebytes breach, their investigation found that the “attackers leveraged a dormant email protection product within their own O365 tenant.”
- Microsoft reported to CrowdStrike that a reseller account was being used to read emails linked to CrowdStrike.
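The second and third points above share a pattern: a third-party application or partner account that already held rights to read mail, rather than a phished user. The practical check is to enumerate which applications in your own tenant can read mailboxes today. The script below is an added example, not Zix's code or anything from the breached organizations; it assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in admin can read applications and consent grants. It maps Microsoft Graph app-role GUIDs back to permission names so that `Mail.*` grants, application and delegated, are listed by app.

```powershell
# Added example (not from the original post). Requires the Microsoft.Graph PowerShell SDK and
# an account that can read service principals and OAuth2 permission grants.
Connect-MgGraph -Scopes 'Application.Read.All','Directory.Read.All' | Out-Null

# Resolve the Microsoft Graph service principal by its well-known appId so that role GUIDs on
# assignments can be translated into readable names such as Mail.Read or Mail.ReadWrite.
$graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$mailRoles = @{}
foreach ($role in $graphSp.AppRoles) {
    if ($role.Value -like 'Mail.*' -or $role.Value -like 'MailboxSettings.*') {
        $mailRoles[$role.Id] = $role.Value
    }
}

$findings = @()

# Application (app-only) permissions: an appRoleAssignment on a service principal lets the app
# read mail with no user signed in, which is exactly what a dormant product would still hold.
foreach ($sp in Get-MgServicePrincipal -All) {
    $assignments = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All
    foreach ($a in $assignments) {
        if ($a.ResourceId -eq $graphSp.Id -and $mailRoles.ContainsKey($a.AppRoleId)) {
            $findings += [pscustomobject]@{
                DisplayName = $sp.DisplayName
                AppId       = $sp.AppId
                Kind        = 'Application'
                Permission  = $mailRoles[$a.AppRoleId]
                Enabled     = $sp.AccountEnabled
            }
        }
    }
}

# Delegated permissions: a tenant-wide ("AllPrincipals") admin consent to Mail.* scopes lets the
# app read mail on behalf of any user who authenticates to it.
foreach ($grant in Get-MgOauth2PermissionGrant -All) {
    if ($grant.ResourceId -ne $graphSp.Id) { continue }
    $scopes = ($grant.Scope -split ' ') | Where-Object { $_ -like 'Mail.*' }
    if ($scopes) {
        $client = Get-MgServicePrincipal -ServicePrincipalId $grant.ClientId
        $findings += [pscustomobject]@{
            DisplayName = $client.DisplayName
            AppId       = $client.AppId
            Kind        = "Delegated ($($grant.ConsentType))"
            Permission  = ($scopes -join ',')
            Enabled     = $client.AccountEnabled
        }
    }
}

$findings | Sort-Object DisplayName | Format-Table -AutoSize
```

Review every row against the list of products actually in use and disable or delete the service principals you no longer need; an application that is "enabled" but has no owner anyone recognizes is the dormant product the Malwarebytes finding describes. This script only covers permissions granted against Microsoft Graph; apps consented against the legacy Exchange Online resource, and partner (reseller) delegated administration rights such as those in the CrowdStrike case, must be reviewed separately.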
Infiltrating the target and evading detection
Even with spear phishing as the technique most likely used to initially compromise SolarWinds, there was no guarantee that the threat actors could move within the environment: they still needed the right privileges, and they needed their activities to go undetected.
Yet according to published details:
- Hackers gained privileged access to restricted systems
- Hackers were communicating via Command and Control infrastructure
- Hackers were altering file systems to prevent detection
Considering these key points, an effective advanced email threat prevention and encryption solution must be part of the layered security framework.