SolarWinds hackers could have been halted by simple security measure - report

A separate probe into the SolarWinds hack is examining whether companies failed to disclose that they had been breached.

Following a decade-old security recommendation could have helped stymie the Russian hackers who ran amok across federal government networks last year, the Department of Homeland Security's digital defense arm said in a letter sent earlier this month.

As the United States prepares to pour billions of dollars into shoring up its cybersecurity following a series of dramatic intrusions by foreign hackers, the acknowledgement from the Cybersecurity and Infrastructure Security Agency (CISA) highlights how basic digital security measures can help defeat or at least mitigate the impact of even the most severe breaches.

The June 3 letter, sent by CISA to Senator Ron Wyden, concerned the sprawling espionage campaign that hijacked software from Texas-based SolarWinds Corp to compromise nine government departments, a months-long effort that led to the theft of thousands of US officials' emails and is already racking up hundreds of millions of dollars in cleanup costs.

The hackers - alleged to be Russian operatives - pulled off the intelligence coup by subverting SolarWinds' widely deployed network monitoring program and using it to plant malicious software on thousands of clients' servers, eventually singling out a smaller number for in-depth exploitation.

CISA said that had those victims configured their firewalls so that they blocked all outbound connections from the servers running SolarWinds, it "would have neutralised the malware."

The agency said that several targets who did set up their firewalls that way "successfully blocked connection attempts" and had no "follow-on exploitation."

Wyden's office cited SolarWinds as saying that servers running its software had no need to send outbound traffic.

Guidance from the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) has warned for more than a decade that servers that don't need to connect to the internet should be prevented from doing so - a principle that's akin to the idea that doors that don't need to be opened should be bolted shut.
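The egress restriction CISA describes is easy to state and easy to get subtly wrong, so here is an added example, not code from the article, from CISA or from SolarWinds: a small Python model of an outbound allow-list for a monitoring server, run over constructed firewall log lines, together with the nftables ruleset the same policy corresponds to. The server address, the internal ranges it polls, the ports and the log format are all assumptions chosen for illustration.

```python
"""Egress allow-list for a monitoring server: policy check plus nftables output.

Added example. The host, networks, ports and log lines below are constructed
assumptions, not details taken from the article.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed address of the server running the monitoring software.
MONITOR_HOST = ipaddress.ip_address("10.10.5.20")

# Assumed legitimate outbound traffic: polling of internal devices and queries
# to one internal resolver. Anything else, internet egress in particular, is denied.
ALLOWED_EGRESS: List[Tuple[ipaddress.IPv4Network, str, Optional[int]]] = [
    (ipaddress.ip_network("10.0.0.0/8"), "udp", 161),    # SNMP polling of managed devices
    (ipaddress.ip_network("10.0.0.0/8"), "icmp", None),  # reachability checks
    (ipaddress.ip_network("10.10.1.53/32"), "udp", 53),  # internal DNS resolver only
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int]


def egress_decision(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'out-of-scope' for a new outbound connection."""
    if ipaddress.ip_address(flow.src) != MONITOR_HOST:
        return "out-of-scope"  # policy is pinned to the monitoring host only
    dst = ipaddress.ip_address(flow.dst)
    for net, proto, port in ALLOWED_EGRESS:
        if dst in net and flow.proto == proto and (port is None or flow.dport == port):
            return "allow"
    return "deny"  # default deny: external hosts, and internal hosts on unexpected ports


def parse_log_line(line: str) -> Flow:
    """Parse a constructed 'key=value' firewall log line into a Flow."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    dport = int(fields["dport"]) if "dport" in fields else None
    return Flow(fields["src"], fields["dst"], fields["proto"], dport)


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Evaluate every logged connection attempt against the egress policy."""
    results = []
    for line in lines:
        flow = parse_log_line(line)
        results.append((flow, egress_decision(flow)))
    return results


def nft_ruleset() -> str:
    """Render the same policy as an nftables forward chain on a network firewall."""
    host = str(MONITOR_HOST)
    rules = [f"ip saddr {host} ct state established,related accept"]
    for net, proto, port in ALLOWED_EGRESS:
        daddr = str(net.network_address) if net.prefixlen == 32 else str(net)
        match = "ip protocol icmp" if proto == "icmp" else f"{proto} dport {port}"
        rules.append(f"ip saddr {host} ip daddr {daddr} {match} accept")
    # Log the denied attempts: the blocked beacon is itself the detection signal.
    rules.append(f'ip saddr {host} log prefix "monitor-egress-denied " drop')
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet monitor_egress {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy accept;\n"
        f"{body}\n"
        "    }\n"
        "}\n"
    )


# Constructed log lines: two legitimate polls, an HTTPS beacon to the internet,
# DNS to an external resolver, SMB to an internal host, and a flow from another host.
SAMPLE_LOG = [
    "src=10.10.5.20 dst=10.20.1.1 proto=udp dport=161",
    "src=10.10.5.20 dst=10.10.1.53 proto=udp dport=53",
    "src=10.10.5.20 dst=203.0.113.10 proto=tcp dport=443",
    "src=10.10.5.20 dst=198.51.100.53 proto=udp dport=53",
    "src=10.10.5.20 dst=10.30.0.7 proto=tcp dport=445",
    "src=10.10.9.9 dst=203.0.113.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    for flow, decision in audit(SAMPLE_LOG):
        print(f"{decision:13} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}")
    print(nft_ruleset())
```

Two details matter in practice. The policy is a default-deny allow-list keyed on the server's own address, so an internal host on an unexpected port (the SMB line above) is denied as well as the internet beacon; "block outbound" is not the same as "block only the internet". And DNS is constrained to an internal resolver rather than allowed by port, because port 53 to an arbitrary external resolver is still a channel out of the network. The rendered ruleset assumes a firewall that forwards the server's traffic; on the server itself the same rules would go on the output hook.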

The servers running SolarWinds inside government networks "should have had even more constraints around them," said Jason Garbis, who serves as the chief product officer for digital security company Appgate.

There's no suggestion that sealing the servers running SolarWinds off from the internet would have completely foiled last year's hacking campaign; the spies used a variety of sophisticated tactics to carry out their espionage work.

But Garbis said following security best practices would have made government networks "much more resilient to these types of attacks."

Meanwhile the US Securities and Exchange Commission (SEC) has opened a probe into the breach, focusing on whether some companies failed to disclose that they had been affected by the unprecedented hack, two people familiar with the investigation said.

The SEC sent investigative letters late last week to a number of public issuers and investment firms seeking voluntary information on whether they had been victims of the hack and failed to disclose it, said the people, speaking on condition of anonymity to discuss confidential investigations.

The agency is also seeking information on whether public companies that had been victims had experienced a lapse of internal controls, and related information on insider trading.

The agency is also looking at the policies at certain companies to assess whether they are designed to protect customer information, one of the people said.

The SEC's press office declined to comment.

A spokesperson for SolarWinds said in a statement: "Our top priority since learning of this unprecedented attack by a foreign government has been working closely with our customers to understand what occurred and remedy any issues."

The company was also "collaborating with government agencies in a transparent way," the statement said.

US securities law requires companies to disclose material information that could affect their share prices, including cyber breaches, although cyber security disclosure failures are still relatively new enforcement territory for the SEC.

If the issuers and investment firms respond to the letters by disclosing details about the breaches, they would not be subject to enforcement actions related to historical failures, including internal accounting control failures, the people said.

While the letters are focused on the SolarWinds breach, the SEC may develop future policies on the impact of cyber security issues on the markets and on investors, the people said.