SolarWinds hackers could have been deterred by simple security measures, officials say
Blocking all outgoing connections to the internet would have minimised the impact
Implementing basic security measures could have helped deter or minimise the massive SolarWinds hack that enabled threat actors to compromise at least nine government agencies and hundreds of private firms.
In a letter sent to Senator Ron Wyden earlier this month, US Cybersecurity and Infrastructure Security Agency (CISA) acting director Brandon Wales acknowledged that firewalls placed in computer networks of victim organisations could have helped block the malware used in the SolarWinds attack.
"CISA agrees that a firewall blocking all outgoing connections to the internet would have neutralised the malware," Wales wrote, according to The Hill.
In February, Wyden contacted CISA with a list of queries about the agency's ability to spot zero-day exploits and other malicious network activity using its $6 billion EINSTEIN sensor system. Wyden asked why CISA had failed to detect the network traffic that enabled hackers to install a corrupted SolarWinds update package and send additional payloads to compromised systems.
The SolarWinds hack was disclosed in December after the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were found to have been compromised in a massive cyber campaign.
The attackers were able to breach networks after compromising SolarWinds' network monitoring software Orion, which was widely used by various government departments and private companies.
The hackers inserted malicious code into legitimate software updates for the Orion software, which gave them remote access into victims' environments.
The White House blamed Russia for the intelligence coup and sanctioned several Russian officials and organisations in April. Russia has denied the allegations, saying it had no involvement in the hack.
According to Wales, the malware deployed by hackers would have been neutralised had victims set up their firewalls to block all outbound connection attempts from the servers running SolarWinds.
Several targeted organisations that had properly configured their firewalls were able to block outbound connections, with no "follow-on exploitation," Wales said.
According to Wyden's office, SolarWinds had earlier stated in its guidance that servers running its software were not required to send outbound traffic. The National Security Agency (NSA) and the National Institute of Standards and Technology (NIST) have also repeatedly warned organisations that servers that don't need to connect to the internet should be prevented from doing so.
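The control Wales, the NSA and NIST describe is deny-by-default egress filtering on the Orion host. As an added illustration that is not part of the article or of any SolarWinds, CISA or NSA guidance, the PowerShell below shows what that looks like on a Windows server using the built-in NetSecurity cmdlets: every outbound connection is blocked unless it is to an internal dependency the poller genuinely needs, and blocked attempts are logged so they become a detection signal rather than a silent drop. All addresses, subnets and the rule group name are assumed placeholders for an internal network, not values from the article.

```powershell
# Added example: deny-by-default outbound policy for a server running SolarWinds Orion.
# Assumed internal addresses and subnets; replace with your own environment's values.
$PolledSubnets = @('10.0.0.0/8')             # devices the poller monitors (assumed)
$InternalDns   = @('10.0.0.53', '10.0.1.53') # internal resolvers (assumed)
$InternalNtp   = @('10.0.0.123')             # internal time source (assumed)
$SqlServer     = '10.0.5.10'                 # Orion database host (assumed)
$RuleGroup     = 'Orion Egress Policy (example)'

# 1. Make Block the default outbound action on every profile. Nothing leaves the
#    host unless an explicit Allow rule below matches it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only the internal dependencies the poller needs, pinned to address and port.
New-NetFirewallRule -DisplayName 'Orion: DNS to internal resolvers' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $InternalDns
New-NetFirewallRule -DisplayName 'Orion: NTP to internal time source' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 123 -RemoteAddress $InternalNtp
New-NetFirewallRule -DisplayName 'Orion: SQL to database server' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 1433 -RemoteAddress $SqlServer
New-NetFirewallRule -DisplayName 'Orion: SNMP polling of monitored subnets' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 161,162 -RemoteAddress $PolledSubnets
New-NetFirewallRule -DisplayName 'Orion: ICMP polling of monitored subnets' -Group $RuleGroup `
    -Direction Outbound -Action Allow -Protocol ICMPv4 -RemoteAddress $PolledSubnets
# Patching and vendor updates are assumed to arrive through an internal repository,
# so no rule here reaches the public internet at all.

# 3. Log dropped outbound packets. A server that should never talk to the internet
#    suddenly trying to is exactly the kind of event a SOC wants to see.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 4. Verify: review what is still allowed out, then confirm a public destination fails.
Get-NetFirewallRule -Group $RuleGroup -Direction Outbound -Enabled True |
    Select-Object DisplayName, Action
Test-NetConnection -ComputerName 'example.com' -Port 443 -InformationLevel Quiet  # expect False
```

Two points worth keeping in mind when applying a policy like this. First, the allow rules must match what the deployment actually does: Orion's own documentation, the server's existing connection table and the firewall log after a trial period in Allow mode with logging on are the inputs for that list, and a missing dependency shows up as a logged drop rather than a mystery. Second, step 3 is what turns the control into the detection CISA was criticised for lacking: forwarding pfirewall.log to a SIEM and alerting on any outbound drop from a management server gives a near-real-time signal that something on the host is trying to reach a destination it never should.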
Jason Garbis, the chief product officer at digital security firm Appgate, told Reuters that government networks using SolarWinds software should have had "even more constraints" around the software.
While there is no suggestion that restricting internet access on servers running SolarWinds would have completely foiled the hacking campaign, following digital security best practices would have definitely made government networks "much more resilient to these types of attacks," according to Garbis.
In his letter, Wales also responded to criticism that CISA's EINSTEIN system failed to detect the SolarWinds malware.
Wales said that the agency is using $650 million in funding from the American Recovery Act to make CISA "better situated to identify threat activity within federal networks in near-real-time".