Cyber risk is event risk, a risk that is growing across all sectors globally.
Digitization continues to increase, making software more pervasive throughout an organization, which in turn drives ever more complex software supply chains while attacker capabilities are growing simultaneously. “However,” writes Moody’s in a research document, “the types of cyberattackers remain essentially the same: criminals, advanced persistent threat groups backed by nation states, and socially motivated attackers known as ‘hacktivists.'”
According to its report “Sunburst attack on public and private entities raises credit risks as extent of breach unfolds”, Moody’s believes that the scale and sophistication of the Sunburst attack will trigger profound shifts around cybersecurity risk management and oversight practices for debt issuers. In terms of the objective of the Sunburst attack, cyber experts view it as an intelligence gathering exercise that targeted government agencies and private corporations.
A highly sophisticated and well-resourced adversary, likely backed by a nation-state, was able to leverage access to SolarWinds‘ internal source code, and possibly that of other software providers, to act as a conduit into a huge swath of government and industry IT systems. SolarWinds is a mid-sized enterprise software company whose Orion network management and monitoring software is used extensively by industry and government IT teams.
“The sophistication of the malicious code implanted by the Sunburst attackers passed internal quality checks,” continues Moody’s report, “allowing them to bypass authentication protocols at the conduit companies and thus gaining footing across thousands of public and private organizations. The US Cybersecurity and Infrastructure Security Agency (CISA) says the parties behind the intrusion deployed a variety of tools at their disposal to further infiltrate their victims’ networks, including password guessing and password spraying to breach its targets.”
Following the disclosure of the attack, CISA directed government and government-related entities to power down or disconnect any identified software from federal networks. This step may have exposed those entities to other risks, however, as it might have decreased visibility across their networks. CISA also issued a technical alert providing details and mitigation strategies to help network defenders take immediate action.
“The next step was to determine whether or how the organization was compromised or affected”, reflects Moody’s. “This step is ongoing and leading to the discovery of some follow-on malicious activity. While the costs of each of these actions is generally containable, the potential losses from breached networks, including severe operational issues, compromised customer data and loss of intellectual property or trade secrets, are far greater.”