
SolarWinds Incident Explained: Why User ID and Password Authentication Alone Cannot Prevent Cyberattacks


Raul Mendez | President and CEO

International System Research Co., Ltd.

January 22, 2021


In 2020, as the world struggled with the global spread of COVID-19, another new virus quietly infiltrated many systems: Sunburst malware. This incident is one of the largest cyberattacks in history and will bring significant changes to the IT industry.

What led to the detection of this cyberattack was the attackers, holding a FireEye employee's user ID and password, registering a new device for multi-factor authentication on that employee's account.

In this blog, we'll introduce this cyberattack case study and explain why authentication should be strengthened.

Overview of the Incident: Damage Extended to 18,000 Companies, Including US Government Agencies and Major US Corporations

First, let's summarize the incident based on the blogs of the companies involved in this cyberattack.

FireEye, a leading cybersecurity company specializing in attack detection and incident response, announced in a blog post on December 8 that it had been breached by a nation-state attacker and that its Red Team tools, used to test an organization's security program against real-world attack scenarios, had been accessed. On December 13, FireEye, Microsoft, and SolarWinds published their investigation findings in coordinated blog posts. For roughly nine months before the detection on December 8, 2020, the attackers had a foothold in as many as 18,000 organizations that installed the trojanized update, including FireEye itself, multiple US government agencies (among them the Departments of Justice, State, Treasury, Commerce, and Energy), and major US corporations, and they transferred information and data to servers located abroad.

Then, on December 17, Microsoft President Brad Smith wrote in a company blog post that "this attack has brought a moment of reckoning. We must confront the expanding threat and establish effective leadership in collaboration with governments and the US technology sector to mount a strong and coordinated response to cybersecurity." In the same post he explained that malware had been embedded in the update files of SolarWinds' "Orion" product, which more than 17,000 customers had installed, and that more than 40 of those customers were singled out by the attackers for deeper intrusion and further information theft.

On January 7, 2021, SolarWinds' new CEO stated that "the Sunburst attack is believed to be one of the most complex and sophisticated cyberattacks in history." In its December 14 filing with the SEC (U.S. Securities and Exchange Commission), SolarWinds stated that the attack, suspected of Russian involvement, began in early 2020 with a compromise of its Microsoft Office 365 email. From there the attackers accessed other data in its office productivity tools and obtained the source code of the Orion product. They then took full control of servers on SolarWinds' network, embedded the Sunburst malware in Orion, and let the trojanized build reach customers through the legitimate update channel, which is what spread the damage so widely. Finally, an incident response update published on January 6, 2021 reported that password guessing and password spraying had been used in several cases.

"The best way for attackers to get into your system is to get you to use your ID and password" - How FireEye Inc. discovered the incident

How exactly did FireEye detect this incident?
It was FireEye, not a US government intelligence agency, that detected the campaign. Had the company not noticed, the intrusions would likely still be ongoing.

The attackers infiltrated the company and used the Sunburst malware to steal employee IDs and passwords. At an online panel on January 7, 2021, FireEye CEO Kevin Mandia described how the intrusion was detected: "The attackers logged into the company's VPN in the same way an employee would typically use it." Normally, an employee accessing the VPN went through multi-factor authentication: a username and password plus a one-time code generated on the employee's mobile phone. Because the stolen credentials alone were not enough to log into FireEye's VPN from outside, the attackers registered a new device as a second factor for the account, and that enrollment automatically raised an alert to the company's security team. Mandia stated, "Someone registered a device as a second factor for authentication and was accessing our network. When we contacted the employee whose credentials were used to verify, we found out that the access was not by that person." He continued, "Someone had registered a new device to bypass our multi-factor authentication. At this moment, we realized that the attackers were highly sophisticated." He concluded, "For attackers, isn't getting users to use IDs and passwords actually the best way in?"
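The detection Mandia describes, a new second-factor device being enrolled on an account, written out as an added example. This is not FireEye's code or any product's; the event format, user names, addresses and the 15-minute window are constructed for illustration. Every enrollment is flagged for out-of-band confirmation with the employee, and the severity is raised when the enrollment comes from an address never seen on an MFA-backed login for that user shortly after a password-only login from the same address, which is the shape of an attacker with a stolen password adding a device they control.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider events for illustration (not real logs).
# "login" events record whether a second factor was presented; "mfa_enroll"
# events record a new device being registered as a second factor.
EVENTS = [
    {"ts": "2020-11-30T08:02:11Z", "user": "alice", "ip": "203.0.113.10",
     "type": "login", "mfa": True},
    {"ts": "2020-12-01T09:14:02Z", "user": "alice", "ip": "203.0.113.10",
     "type": "mfa_enroll", "device": "phone-2"},
    {"ts": "2020-12-02T03:41:55Z", "user": "bob", "ip": "198.51.100.7",
     "type": "login", "mfa": False},
    {"ts": "2020-12-02T03:43:10Z", "user": "bob", "ip": "198.51.100.7",
     "type": "mfa_enroll", "device": "android-unknown"},
    {"ts": "2020-12-02T03:44:30Z", "user": "bob", "ip": "198.51.100.7",
     "type": "login", "mfa": True},
]

# Assumed tuning value: a password-only login followed by an enrollment from
# the same address inside this window is treated as one attacker session.
ENROLL_WINDOW = timedelta(minutes=15)


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def enrollment_alerts(events):
    """Return one alert per second-factor enrollment, in time order.

    Every enrollment is at least severity "verify": the security team
    confirms with the employee out of band. Severity is "critical" when the
    enrolling IP has never been seen on an MFA-backed login for that user
    and a password-only login from the same IP preceded the enrollment
    within ENROLL_WINDOW.
    """
    known_ips = defaultdict(set)   # user -> IPs seen on MFA-backed logins
    last_pw_only = {}              # (user, ip) -> time of last password-only login
    alerts = []
    for e in sorted(events, key=_ts):
        t, user, ip = _ts(e), e["user"], e["ip"]
        if e["type"] == "login":
            if e["mfa"]:
                known_ips[user].add(ip)
            else:
                last_pw_only[(user, ip)] = t
        elif e["type"] == "mfa_enroll":
            severity, reasons = "verify", []
            if ip not in known_ips[user]:
                reasons.append("enrolling IP never seen on an MFA-backed login for this user")
                prior = last_pw_only.get((user, ip))
                if prior is not None and t - prior <= ENROLL_WINDOW:
                    severity = "critical"
                    reasons.append("password-only login from the same IP %d s earlier"
                                   % int((t - prior).total_seconds()))
            alerts.append({"user": user, "ip": ip, "device": e["device"],
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in enrollment_alerts(EVENTS):
        print(a["severity"].upper(), a["user"], a["device"], a["ip"],
              "; ".join(a["reasons"]))
```

Alerting on every enrollment is deliberate: a first device on a freshly onboarded account is legitimate and cheap to confirm, while the enrollment that matters is the one the account owner did not make. The rule only works if the self-service enrollment path itself is logged with the source address and cannot be reached with the password alone; if it can, as it apparently could here, the alert is the last line of defence rather than the first.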

So why is "getting users to use IDs and passwords the best way for attackers to intrude"?
The reason is that although large organizations such as FireEye do use multi-factor authentication, password-centric authentication is still the norm. From March 2020, remote work spread rapidly because of the COVID-19 pandemic. Logins from inside the office were often protected by additional controls such as source IP address restrictions on top of the password; remote access has no such network boundary and therefore leans even more heavily on the password. Specifically, to protect information assets from man-in-the-middle attacks on untrusted networks, remote logins are routed through a VPN, yet in many deployments the VPN gateway itself authenticates users with nothing but a password. A password that has been guessed, sprayed, or stolen then opens the door on its own. This is why "getting users to use IDs and passwords became the best way for attackers to intrude."
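As an added example of what "a password opens the door on its own" looks like in a VPN gateway's logs, here is a detection for the password-spray pattern the incident updates mention. The log lines, addresses and account names are constructed, and the thresholds are assumed tuning values; this is not any vendor's rule. The point a practitioner wants to see is that a spray never trips per-account lockout, so the detection has to pivot on the source address, and that on a password-only gateway a single SUCCESS inside the spray window is a compromised account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN authentication log, not taken from any real appliance.
# mfa=none means the gateway decided on the password alone;
# mfa=totp means a one-time code was also checked.
VPN_LOG = """\
2020-12-02T03:10:01Z src=198.51.100.7 user=alice result=FAIL mfa=none
2020-12-02T03:10:04Z src=198.51.100.7 user=bob result=FAIL mfa=none
2020-12-02T03:10:07Z src=198.51.100.7 user=carol result=FAIL mfa=none
2020-12-02T03:10:10Z src=198.51.100.7 user=dave result=FAIL mfa=none
2020-12-02T03:10:13Z src=198.51.100.7 user=erin result=SUCCESS mfa=none
2020-12-02T03:10:16Z src=198.51.100.7 user=frank result=FAIL mfa=none
2020-12-02T03:12:00Z src=203.0.113.10 user=alice result=FAIL mfa=none
2020-12-02T03:12:30Z src=203.0.113.10 user=alice result=FAIL mfa=none
2020-12-02T03:13:00Z src=203.0.113.10 user=alice result=SUCCESS mfa=totp
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def spray_sources(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Find source IPs that spray passwords: many distinct accounts, few
    attempts each, inside one window. Per-account lockout never fires
    because no single account exceeds max_per_user attempts.

    Returns {src: {"users_tried": [...], "compromised": [...]}} where
    "compromised" lists accounts the source logged into with no second
    factor checked during the spray window.
    """
    by_src = defaultdict(list)
    for rec in map(parse_line, log.strip().splitlines()):
        by_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window anchored at each attempt; small logs, so O(n^2) is fine.
        for i, first in enumerate(recs):
            in_window = [r for r in recs[i:] if r["ts"] - first["ts"] <= window]
            per_user = defaultdict(int)
            for r in in_window:
                per_user[r["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {
                    "users_tried": sorted(per_user),
                    "compromised": sorted(r["user"] for r in in_window
                                          if r["result"] == "SUCCESS" and r["mfa"] == "none"),
                }
                break
    return findings


if __name__ == "__main__":
    for src, f in spray_sources(VPN_LOG).items():
        print(src, "sprayed", len(f["users_tried"]), "accounts;",
              "password-only logins:", f["compromised"])
```

On the constructed log, 198.51.100.7 tries six accounts once each and gets into erin's with the password alone, while 203.0.113.10 is an ordinary user mistyping twice before a login that also passed a one-time code, so it is not reported. Had erin's account required a second factor, the spray would have yielded a valid password but not access. A spray spread across many source addresses defeats this per-IP grouping; in that case group by user agent, ASN, or the set of accounts targeted instead.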

How to avoid cyberattacks: Passwordless Authentication and the "Authentication Renaissance"

The FIDO Alliance was established in 2012 with the aim of standardizing secure online authentication that does not depend on passwords: the user's biometric unlocks a cryptographic credential held on the device, and only a signed response, never the biometric or a reusable secret, is sent to the service. Since then, major IT companies such as Google and Microsoft have joined.
ISR joined the FIDO Alliance in 2014. In 2015, we released Pocket CloudGate, a dedicated app that uses the biometric authentication functions of smartphones, through CloudGate UNO, our cloud-based authentication service for businesses. Since 2019, we have also offered passwordless authentication with facial recognition and fingerprints using security keys, Windows, and MacBooks.

Looking ahead, we expect the COVID-19 pandemic to subside as vaccines roll out in the second half of 2021. At ISR, we call the shift to fast, accurate, attack-resistant biometric authentication without passwords the "Authentication Renaissance." We believe that, triggered by the SolarWinds incident, this passwordless renaissance will spread from 2021 onward. To prevent even one more cyberattack from spreading, we will work toward an authentication renaissance in Japan.
