Learning lessons from a cyber attack that rocked businesses across the globe

In December 2020, a cyberattack on a leading provider of IT management software was discovered.

The organisation, which is known for serving a vast array of clients, including Fortune 500 companies and government agencies, was the victim of an attack that was initiated by inserting malicious code into an Orion software update.

This update was then distributed to approximately 18,000 customers, allowing attackers to gain access to sensitive data and systems across a wide range of organisations.

The case study appears in a new Gallagher cyber report, which was launched at the FERMA Forum in Madrid.

The insurer says that it’s a good example of systemic risk in the cyber realm, which is growing ever more prevalent.

Understanding the attack

The malicious code, known as “Sunburst,” was embedded into the software platform updates between March and June 2020.

When customers installed these updates, they inadvertently gave the attackers a backdoor into company systems, enabling them to conduct reconnaissance, gain access and escalate privileges, and move laterally within networks.

Concerningly, the attack went undetected for months, allowing extensive data theft and system compromise.

Dates of the attack:

  • September 2019: Cyber criminals gained unauthorised access to the organisation’s network
  • October 2019: Preliminary code injection into Orion tested by malicious entities
  • February 2020: Malicious code called “Sunburst” successfully inserted into Orion
  • March 2020: The organisation unwittingly starts pushing out Orion software updates incorporating the malicious code

Unfortunately, the code is still circulating, even though reports suggest that a kill switch is now in place to prevent further losses.

Investigating the impact

Gallagher says that the attack exemplifies systemic risk due to its far-reaching impact on multiple critical sectors.

Key affected entities included:

  • Government agencies: US federal departments such as Homeland Security, Treasury, and Commerce were compromised, threatening national security.
  • Private sector: Major corporations, including Microsoft, Cisco, and Intel, faced significant breaches, leading to potential intellectual property theft and operational disruptions.
  • Global reach: The attack affected organisations worldwide, demonstrating the global interdependencies in cybersecurity.

Takeaways

Gallagher says this cyber-attack underscores a number of critical lessons about systemic risk in the cyber domain.

  • Interconnectedness: The extensive use of the same installed software across various industries and government agencies illustrates the interwoven nature of modern IT infrastructures. A breach in one vendor can propagate across a vast network of clients.
  • Supply chain vulnerability: The attack highlighted the importance of securing the software supply chain. Organisations must rigorously vet and continually monitor their third-party vendors to mitigate similar risks.
  • Detection and response: The prolonged undetected period of the attack emphasises the need for advanced detection mechanisms and rapid response protocols to identify and mitigate breaches swiftly.

In 2024, these vulnerabilities continue to evolve.

Businesses must therefore adopt a holistic approach to supply chain management, ensuring that their cybersecurity measures extend beyond their own operations to encompass their entire supply chain network.

Visibility into third-party risk mitigation practices is often limited, making it difficult for businesses to fully understand and manage these risks. Conducting thorough due diligence on technology supply chain partners and asking pertinent questions about their cyber risk protection priorities is essential.

A new approach to cybersecurity

Gallagher says that the current threat landscape demands a new approach to cybersecurity. It adds that technological advancements, and the consequent increase in exposure, require a considered and cohesive approach.

New organisations often have an advantage in this regard, as they can develop their cybersecurity measures from the ground up. In contrast, more established organisations may face significant legacy challenges.

Many large corporations continue to rely on outdated systems, making it difficult to integrate the necessary new IT security measures. While some organisations have invested heavily in this area, others have lagged behind.

Gallagher adds that building a cybersecurity culture from the top down is crucial. It is also important to acknowledge that this is not only the responsibility of IT departments, as this requires a collective effort from all employees.

Nick Barker, head of cyber for Gallagher Specialty, said: “Cyber as a risk has risen up the risk register for organisations in Europe, driven primarily by three main factors — a more stringent regulatory environment, heightened threat landscape and increased technology adoption.

“A cultural change is critical. Building a cybersecurity culture where all employees understand their role in protecting the organisation fosters a collective effort to create a more resilient and secure environment.”