Blog | Chargeback Gurus

True Fraud Increases - Fallout from the SolarWinds Hack

Written by Chargeback Gurus | January 27, 2021

Table of Contents

  1. What is the SolarWinds Security Breach?  
  2. What is SUNBURST?  
  3. Who Has Been Affected by the SolarWinds Hack?  
  4. Major Companies Affected by SUNBURST Malware (As of January 2021)
  5. What Does the SolarWinds Hack Mean for Retailers?  
  6. How Can Merchants Protect Themselves from Chargebacks After the SolarWinds Hack?  
  7. Conclusion
  8. Frequently Asked Questions

Data breaches are a continuing problem for businesses around the country. In 2019, a single data breach cost a U.S. company, on average, $8.19M. Some of the more notable breaches of that period include:

  1. Manor Independent School District lost $2.3M to a phishing scam.
  2. A data breach at Postbank in South Africa cost the company $3.2M in stolen funds.
  3. A former Cisco engineer caused significant damage to WebEx accounts and stored information, costing the company $2.4M in repairs and data recovery.

These cases are a tiny sample of the thousands of breaches that have occurred over the last decade. With the recent compromise of the SolarWinds Orion platform, we believe similar, if not larger, breaches and costs could be coming down the pipeline. With that in mind, let's take a look at what we've seen so far and what we're anticipating in the wake of this new security breach.

What is the SolarWinds Security Breach?  

In December 2020, security firm FireEye reported a serious breach of its own systems and determined that it was the work of a state-backed actor. At first, the incident appeared to be contained within FireEye's own network, and the company said little about what its continuing investigation had found.

Shortly thereafter, FireEye disclosed something far more serious: its breach was one piece of a much larger campaign that had compromised the SolarWinds Orion network management software itself. What had looked like a relatively localized attack quickly spiraled into what is being called one of the largest cyberattacks in U.S. history.

With the potential exposure of thousands of businesses, many companies are wondering where they might stand in light of this revelation, and what they can expect in the future. Here, we’re going to discuss the hack in greater detail and how it may impact retail businesses. This discussion will include some insights into what effects the hack might have on chargebacks and credit fraud. 

SolarWinds is an IT management and remote monitoring software provider offering several different products covering network management, database management, managed services, and security. One of its more notable products, the Orion infrastructure management tool, was built to provide “powerful, scalable infrastructure monitoring and management... to simplify IT administration for on-premise, hybrid, and SaaS environments”.

According to the Washington Post and other technical and trade publications, the Orion platform was compromised during 2020, with trojanized Orion updates reaching customers from roughly March 2020 onward.

A hacker group known as “Cozy Bear” (also tracked as APT29), with well-known ties to Russian intelligence, compromised the SolarWinds build process so that the digitally signed update packages pushed to customer platforms carried a backdoor known as SUNBURST.


As of January 5, 2021, the U.S. intelligence community has officially attributed the attack to a likely Russian state-sponsored actor. With the inauguration of the Biden administration, there has been increased attention paid to the breach, with the President instructing U.S. intelligence agencies to investigate the matter fully.

Unusually for a breach of this scale, the attackers did not immediately begin to harvest information or damage systems. The campaign was built for stealth, to minimize exposure and stay hidden for as long as possible. After an infected update was installed, the backdoor stayed dormant for up to about two weeks before it first contacted the attackers' command-and-control infrastructure, and it checked the host for security tools before doing so. Only after that first check-in did the attackers decide, victim by victim, which environments were worth pursuing; on those, they gathered user credentials, customer data, and other information on the system and moved deeper into the network.

All in all, the attack has potentially affected up to 18,000 SolarWinds customers, and the full extent of the damage is not known. More importantly, most security experts say the intrusion is still ongoing, and the malware and the attackers still pose a risk to infected systems, especially at organizations that aren't aware they've been infected.

What is SUNBURST?  

According to FireEye, SUNBURST is a backdoor that was inserted into the Orion program library SolarWinds.Orion.Core.BusinessLayer.dll to give the attackers access to infected Orion systems. The trojanized DLL carried a valid SolarWinds digital signature, so it passed the checks customers ordinarily rely on. The backdoor lies dormant for up to two weeks after installation, after which it begins to communicate with attacker-controlled domains to retrieve commands, transfer and execute files, profile the system, reboot it, and disable services.

While the full scope of the malware's capabilities isn't completely understood yet, it is known that it disguises its network traffic as the legitimate Orion Improvement Program protocol and stores the results of its reconnaissance inside legitimate Orion plugin configuration files. Once inside a network, the attackers relied on stolen, legitimate credentials to carry out ordinary-looking operations rather than brute-forcing their way past security controls.

FireEye discovered the intrusion in its own network when an attacker used stolen credentials to register a new device with an employee's multi-factor authentication account, which triggered an alert.
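As a concrete check for the beaconing behaviour described above, here is an added example, written for this edit rather than taken from Chargeback Gurus, FireEye, or SolarWinds, that hunts for SUNBURST's first-stage DNS beacon in resolver logs. The only real indicator it uses is the avsvmcloud.com apex domain published by FireEye and CISA; the log format is a simplified BIND-style query log, and the log lines, client addresses, and DGA-looking subdomain labels in them are constructed for the example.

```python
"""Hunt for SUNBURST first-stage DNS beacons in a resolver query log.

SUNBURST's first outbound action was a DNS query to a generated subdomain
of avsvmcloud.com (FireEye analysis, CISA alert AA20-352A). This script
scans DNS query-log lines for that suffix and reports which internal hosts
asked for it. It is an illustrative example, not code from SolarWinds,
FireEye, or Chargeback Gurus.
"""
import re
from collections import defaultdict

# Apex domain used for the SUNBURST DNS beacon, from public reporting.
# Extend this tuple with suffixes from your own threat-intel feed.
SUNBURST_C2_SUFFIXES = ("avsvmcloud.com",)

# Simplified BIND-style query-log line (assumed format for this example):
#   <timestamp> client <ip>#<port>: query: <name> IN <type>
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+client\s+(?P<client>[0-9.]+)#\d+:\s+query:\s+"
    r"(?P<name>\S+)\s+IN\s+(?P<qtype>\S+)"
)

# Constructed sample log (not real telemetry). The subdomain labels are
# made up; only the avsvmcloud.com suffix is the genuine indicator.
SAMPLE_DNS_LOG = """\
2020-06-17T10:03:11 client 10.20.30.41#53211: query: login.microsoftonline.com IN A
2020-06-17T10:14:52 client 10.20.30.41#53299: query: 02m6hcopd1ae1ld9ns1d.appsync-api.eu-west-1.avsvmcloud.com IN A
2020-06-17T10:15:03 client 10.20.30.77#49812: query: www.solarwinds.com IN A
2020-06-17T11:41:20 client 10.20.30.41#53400: query: k0g73p8cv1eg1wxr1ks1.appsync-api.us-east-2.avsvmcloud.com IN A
2020-06-17T11:42:07 client 10.20.30.92#60000: query: avsvmcloud.com.evil-lookalike.example IN A
2020-06-17T12:00:00 client 10.20.30.12#40000: query: AVSVMCLOUD.COM. IN A
"""


def normalize_name(name: str) -> str:
    """Lower-case the name and strip the trailing dot so matching is exact."""
    return name.rstrip(".").lower()


def is_c2_domain(name: str, suffixes=SUNBURST_C2_SUFFIXES) -> bool:
    """True if name is a C2 apex domain or a subdomain of one.

    Matching on label boundaries (name == suffix, or name ends with
    "." + suffix) avoids false positives from look-alike names that merely
    contain the string, such as avsvmcloud.com.evil-lookalike.example.
    """
    n = normalize_name(name)
    return any(n == s or n.endswith("." + s) for s in suffixes)


def parse_dns_log(log_text: str):
    """Yield (timestamp, client_ip, queried_name) for each parsable line."""
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("client"), normalize_name(m.group("name"))


def find_sunburst_beacons(log_text: str):
    """Return every query to a SUNBURST C2 domain as (ts, client, name) tuples."""
    return [
        (ts, ip, name)
        for ts, ip, name in parse_dns_log(log_text)
        if is_c2_domain(name)
    ]


def suspect_hosts(log_text: str) -> dict:
    """Map each client that beaconed to the sorted distinct names it queried."""
    hosts = defaultdict(set)
    for _, ip, name in find_sunburst_beacons(log_text):
        hosts[ip].add(name)
    return {ip: sorted(names) for ip, names in hosts.items()}


if __name__ == "__main__":
    for ip, names in sorted(suspect_hosts(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {len(names)} beacon name(s)")
        for n in names:
            print(f"    {n}")
```

Two points matter when running something like this for real. Match on label boundaries, as is_c2_domain does, not on substrings, or a look-alike name will trip the alert. And because the backdoor waited up to two weeks before its first beacon, and the trojanized updates shipped from March 2020, the DNS logs have to reach back that far; a clean window of a few recent days proves nothing about a host that installed the update months earlier.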

Who Has Been Affected by the SolarWinds Hack?  

Currently, the full roster of infected systems is still growing, and many potential victims may not even know they've been struck. Several companies have come forward to protect their users, but many more lack the security or logging tools needed to detect or document such an attack:

  • Oil, water, electricity, and gas companies. Experts believe one of the major goals of this campaign was gathering intelligence on critical infrastructure. Several regional utilities using the Orion software are potentially affected. Problematically, many energy and water companies do not keep extensive logging beyond what their compliance standards require, which limits a full reckoning of their exposure.

  • Government agencies. Reuters has reported that the SUNBURST backdoor tied to the hack was used to monitor email at the U.S. Treasury Department. Additionally, the New York Times reports, and officials confirm, that the State Department, the Department of Homeland Security, and some parts of the Pentagon appear to have been compromised.

  • Technology companies and retailers. Microsoft has confirmed that it was affected by the breach and has taken steps to protect its infrastructure. Likewise, Intel, Nvidia, Cisco, and Visa have either reported their own infection or, at a minimum, their exposure and mitigation.

SolarWinds serves a number of customers across multiple industries, including corporations like Comcast, AT&T, and MasterCard. In fact, more than 425 of the Fortune 500 were using some form of SolarWinds product.

Major Companies Affected by SUNBURST Malware (As of January 2021):

  • Microsoft  
  • Cisco  
  • Intel  
  • Nvidia  
  • Visa  
  • MasterCard  
  • Equifax  
  • Qualys
  • Mimecast
  • Fidelis Cybersecurity
  • Malwarebytes

As you can see, many of these companies are themselves managed service providers or cybersecurity vendors.

Some of these companies have confirmed that they installed the trojanized update while finding no evidence of further intrusion; others have said little while their own investigations continue. Either way, it signals to the rest of us that we don't yet know how far this breach has gone.

What Does the SolarWinds Hack Mean for Retailers?  

There are two ways to look at this: the immediate concern and the far-ranging implications.

If you are a customer or user of SolarWinds technology, you have an obligation to secure your systems and, most likely, to work with security professionals to identify the extent of your infection and the exposure of company and customer data.

Beyond that direct assessment, however, the breach could have far-ranging effects on retailers across the board. Security experts report that several of the affected companies are in the banking, finance, and payments industry, which means that consumer data has also potentially been compromised.

Furthermore, the interconnected nature of a supply-chain attack only widens the exposure. Microsoft has already reported finding the malicious SolarWinds binaries in its own environment and has notified more than 40 of its customers that were specifically targeted in the campaign.

While there are no guarantees right now, and no one wants to speak out of turn for fear of inciting panic, there are several potential outcomes that could impact retailers and the payments industry:

  1. A widespread compromise of consumer information at even one financial institution could trigger a wave of identity theft and fraud. If credit or other financial information has been compromised and distributed, it could serve as a launching point for state-sponsored attacks on major businesses and retailers in the U.S.

  2. True fraud chargebacks could spike. With a large volume of stolen credit and banking information in circulation, retailers could see a spike in legitimate chargebacks. As customers wrestle with the theft of their information, merchants may also wrestle with legitimate-seeming transactions that end up as chargebacks.

  3. Friendly fraud could also rise. People who know how to work the system may take advantage of the situation, making purchases and then disputing them in the hope that the disputes get lost in the wave of genuine fraud.

How Can Merchants Protect Themselves from Chargebacks After the SolarWinds Hack?  

Retailers can protect themselves by making chargeback prevention and recovery a key part of their business strategy. Not only will this approach help mitigate chargebacks, but it will help customers who have become victims themselves.

  1. Tighten your security and compliance measures. It may go without saying, but as the fallout from the hack spreads you must audit, upgrade, and rebuild (if necessary) your security systems. At the time of this writing, more companies are discovering their exposure, and numerous cloud and managed service providers are updating their software.

    Work with expert security professionals, get your systems compliant with relevant industry standards, and audit your entire payment processing and database systems for potential security risks.

  2. Focus on verification and authentication. Fraud is already a major problem for retailers. If major credit, banking, or retail databases have been compromised, we could see another wave of fraud-related chargebacks, true and friendly alike, over the next 6 months. It's critical for retailers in any industry, but specifically for those running online storefronts, to ensure that they have secure verification and authentication measures in place.

    As a business strategy, it also serves retailers to use secure methods of verification like 3-D Secure 2.0 or EMV Secure Remote Commerce (SRC).

  3. Work with a chargeback representment company. The complexity of the hack and its potential impact on merchants means that predicting and preventing chargebacks, legitimate or not, is almost impossible without the right tools.

    A data-driven prevention and alert provider can help mitigate chargebacks by resolving legitimate disputes through alerts before they count against your chargeback ratio. Likewise, these companies can help you fend off fraudulent chargebacks by building dispute packages that win representment cases.

Conclusion  

The SolarWinds hack is the defining cybersecurity event of the new decade, one that will shape how businesses and public institutions frame their security and data agendas. Merchants in the U.S. will likely see indirect fallout from it in the form of credit fraud and subsequent chargebacks.

Best practices for chargeback prevention remain effective parts of your business strategy. Protect your reputation with strong fraud protection and ensure that customers suffering from credit card fraud get prompt support. At the same time, refocus your security and representment priorities on preventive measures.

SolarWinds Hack FAQ

What was SolarWinds used for?

Orion is a SolarWinds product used by thousands of organizations to monitor and manage their network infrastructure through a web console. Organizations served include utilities, government agencies, technology companies, and retailers.


Who was behind the SolarWinds Hack?

Security experts and the U.S. intelligence community attribute the attack to the group Cozy Bear (APT29), which has ties to Russian intelligence agencies.


How did they hack SolarWinds?

Malicious code was inserted into the SolarWinds build of Orion updates, so the signed updates that customers installed carried a backdoor. Because the updates came through the normal, trusted channel, the backdoor spread across the user base undetected for months.


Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to:
 win@chargebackgurus.com.