In December 2020 it became public that SolarWinds, Inc., a leading provider of network performance monitoring tools used by organizations of all sizes across the globe, had suffered a supply-chain attack. The implant that compromised its build system is known as SUNSPOT; the backdoor it inserted into shipped Orion updates is known as SUNBURST. This was a significant attack not just on SolarWinds but on its customers, up to 18,000 of which installed the trojanized update, among them US government agencies (Commerce, Treasury, Homeland Security and Justice) and Fortune 500 companies. It has left valuable data assets and the infrastructure of the affected organizations exposed, and the full extent of the compromise is still being worked out today.

Decentriq is focused on providing organizations a secure way to share and collaborate on sensitive data, so naturally this incident was relevant for us to understand and digest. We want to provide a breakdown of the events that led to this breach, what it means for impacted companies, and how our platform helps mitigate against attacks like SUNSPOT.

How did it happen?

The SUNSPOT breach is widely regarded as a sophisticated supply-chain attack: rather than attacking each target directly, the adversary compromised a trusted vendor's build process so that the vendor's own routinely distributed software delivered the malware to every end user who installed it.

  1. SUNSPOT ran inside SolarWinds' build environment and inserted backdoor code into a software update for SolarWinds' Orion IT management product; the resulting build was signed with SolarWinds' legitimate code-signing certificate, so it looked like any other release.
  2. SolarWinds notified clients of the Orion update and urged them to download and install it.
  3. SolarWinds' clients installed the update as part of business-as-usual patching, and the malware entered their IT infrastructures inside this "trojan horse."

The compromise of SolarWinds' build environment that set off this series of events happened well in advance: malicious code was being inserted into Orion builds as early as March 2020, and it went undetected at SolarWinds for many months because the implant was built to be quiet. It swapped in its modified source file only for the duration of a build and restored the original afterward, so the code in source control looked clean, developers saw nothing unusual, and the Orion platform kept running as normal.

Even after deployment, the backdoor in the Orion update went unnoticed until December 2020, when FireEye, a cybersecurity firm that was itself among the victims, found it while investigating the intrusion into its own network and published its findings.

How are affected organizations responding to the breach?

It is obvious that the breach has had a dire impact on affected organizations. According to an article from Government Tech, American businesses and government agencies could spend over $100 billion and many months of effort to contain the damage to their exposed data.

"Unlike good wine, this case continues to get worse with age," said Frank Cilluffo, director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. "For a lot of folks, the more they dig, the worse the picture looks."

A lot of effort is underway at each affected organization to assess exactly how its IT infrastructure was compromised and what data has been lost or exposed. This is extremely complicated when the attacker has had months of unobserved access to a large digital environment.

Since the attack went undetected for months, it could have created “lots of opportunities (for the adversary) to go in many different directions,” says Steve Grobman, the chief technology officer at McAfee.

Depending on the findings, which can take months to pin down, those organizations may also need to notify the government and other stakeholders publicly.

How does data collaboration on Decentriq mitigate similar breaches?

This incident has forced all organizations to re-evaluate their existing cyber security processes to ensure they are protected against future attacks as sophisticated as SUNSPOT. Given the value of the data at risk, organizations need to set up their defenses on the assumption that their infrastructure can and will be compromised.

Decentriq's goal is to provide an easy yet secure way for organizations to analyze and collaborate on data, particularly sensitive data. While we address a specific data need, malware like SUNSPOT is a reminder that organizations need to go beyond "business-as-usual" methods for securing their data assets.

Decentriq's platform keeps data encrypted end to end during analysis and collaboration, internal or external, so that it is not exposed to any unintended party, including the operator of the infrastructure it runs on. This is made possible by the underlying technology we use, confidential computing built on Intel SGX.

Confidential computing lets Decentriq protect sensitive data against malware like SUNSPOT for two reasons:

  1. Confidential computing makes reproducible builds and remote attestation part of the workflow. Each enclave has a measurement (a cryptographic hash of its code, MRENCLAVE on SGX) that the CPU reports in a signed attestation. Before sending any data, a user can compare that measurement against the measurements of independently rebuilt, audited versions of the code. A build with injected code has a different measurement and is rejected, even if it was signed with the vendor's legitimate key, as the trojanized Orion update was.
  2. All data flowing through Decentriq is encrypted in transit to the attested enclave and in memory by the processor, using the cryptographic primitives provided by the confidential computing technology. Sensitive data is therefore isolated from the rest of the organization's infrastructure, including the host operating system and its administrators, and it is always encrypted. In a SolarWinds-style scenario, malware that has compromised the surrounding IT environment still cannot read data inside the Decentriq environment. The caveat is that this protection depends on the enclave code itself being trustworthy, which is why the attestation check in point 1 matters.
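As an added illustration of the attestation check in point 1 (example code written for this edit, not Decentriq's platform code), the following Python models the client-side verification a user performs before encrypting data to an enclave: the enclave's measurement must match an allowlist of audited, reproducibly built versions, the signer and security version must be acceptable, and the report must bind the enclave's channel key. The field names follow SGX (MRENCLAVE, MRSIGNER, ISVPRODID, ISVSVN, REPORT_DATA); the measurements and keys are constructed values, and an HMAC under a key the verifier trusts stands in for the Intel-rooted signature chain of a real quote.

```python
"""Added example: attestation verification against audited reproducible builds.

Assumptions (not from the original post):
  * a quote is a dict carrying the SGX report fields plus a signature;
  * the attestation service's signature is modelled as an HMAC under a key
    the verifier trusts (a real verifier checks an Intel-signed quote chain);
  * the enclave places SHA-256(its ephemeral public key) in REPORT_DATA so
    the client can bind the encrypted channel to the attested code.
"""
import hashlib
import hmac
import json


def sim_digest(label: str) -> bytes:
    """Deterministic 32-byte stand-in for a measurement or key (constructed)."""
    return hashlib.sha256(label.encode()).digest()


# MRENCLAVE values an auditor obtained by rebuilding the published source
# with the reproducible build recipe (constructed values).
GOOD_MRENCLAVE = sim_digest("analytics-enclave 1.4.2 reproducible build")
AUDITED_MRENCLAVES = {
    sim_digest("analytics-enclave 1.4.1 reproducible build"): "analytics-enclave 1.4.1",
    GOOD_MRENCLAVE: "analytics-enclave 1.4.2",
}
EXPECTED_MRSIGNER = sim_digest("vendor enclave signing key")  # hash of vendor key
MIN_ISVSVN = 3                                                # reject older builds
ATTESTATION_KEY = sim_digest("attestation service key")       # assumption, see above

QUOTE_FIELDS = ("mrenclave", "mrsigner", "isvprodid", "isvsvn", "report_data")


def canonical(fields: dict) -> bytes:
    """Canonical byte encoding of the report fields that the signature covers."""
    body = {k: (fields[k].hex() if isinstance(fields[k], bytes) else fields[k])
            for k in QUOTE_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_quote(mrenclave, mrsigner, isvprodid, isvsvn, enclave_pubkey,
                key=ATTESTATION_KEY):
    """Model of what the enclave and attestation service produce together."""
    fields = {
        "mrenclave": mrenclave,
        "mrsigner": mrsigner,
        "isvprodid": isvprodid,
        "isvsvn": isvsvn,
        "report_data": hashlib.sha256(enclave_pubkey).digest(),
    }
    sig = hmac.new(key, canonical(fields), hashlib.sha256).digest()
    return {**fields, "sig": sig}


def verify_quote(quote, enclave_pubkey, key=ATTESTATION_KEY):
    """Client-side policy check run before any data is encrypted to the enclave.
    Returns (accepted, reason)."""
    fields = {k: quote[k] for k in QUOTE_FIELDS}
    expected_sig = hmac.new(key, canonical(fields), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False, "attestation signature invalid"
    if quote["mrsigner"] != EXPECTED_MRSIGNER:
        return False, "MRSIGNER is not the expected vendor key"
    if quote["isvsvn"] < MIN_ISVSVN:
        return False, f"ISVSVN {quote['isvsvn']} below minimum {MIN_ISVSVN} (downgrade)"
    build = AUDITED_MRENCLAVES.get(quote["mrenclave"])
    if build is None:
        return False, "MRENCLAVE does not match any audited reproducible build"
    if not hmac.compare_digest(quote["report_data"],
                               hashlib.sha256(enclave_pubkey).digest()):
        return False, "REPORT_DATA does not bind the offered enclave key"
    return True, f"attested: {build}"


if __name__ == "__main__":
    pub = sim_digest("enclave ephemeral pubkey")
    print(verify_quote(issue_quote(GOOD_MRENCLAVE, EXPECTED_MRSIGNER, 1, 3, pub), pub))
    # A build with injected code is signed by the same vendor key (MRSIGNER
    # matches) but has a different measurement, so it is rejected.
    trojaned = issue_quote(sim_digest("trojaned build"), EXPECTED_MRSIGNER, 1, 3, pub)
    print(verify_quote(trojaned, pub))
```

The order of checks matters in practice: the signature is verified first so that no policy decision is taken on fields an attacker could have edited, and the measurement allowlist is consulted independently of the signer check, which is precisely the property a SolarWinds-style attack defeats when only code-signing is verified.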

Chris Inglis, former Deputy Director of the United States National Security Agency, says,

"SolarWinds makes clear that supply chains do not defend themselves and that, in light of the complex strands of effort involved, any trust conveyed to them must be assured by analytics that yield insight on their provenance and actual behavior.  
Decentriq's privacy preserving analytics provide a valuable tool in defending supply chains without compromising on sensitive data or trade secrets."

Ensuring a secure yet productive data ecosystem will be a key initiative for organizations going forward. Decentriq is dedicated to helping organizations build such data ecosystems, not just as a security mechanism but also as a way of turning that data into actionable insights that drive business ROI.