The SolarWinds Attack
Our enemies are getting more brazen and sophisticated in their cyber warfare.
While President Trump continues to sulk over losing his re-election bid, his government is scrambling to deal with the latest cyber attack from Russia and various parties are weighing in to tell us that it is huge and ongoing.
WSJ has an excellent roundup that’s thankfully not paywalled at the moment (“Hack Suggests New Scope, Sophistication for Cyberattacks“):
The suspected Russian hack that compromised parts of the U.S. government was executed with a scope and sophistication that has surprised even veteran security experts and exposed a potentially critical vulnerability in America’s technology infrastructure, according to investigators.
As the probe continues into the massive hack—which cast a nearly invisible net across 18,000 companies and government agencies—security specialists are uncovering new evidence that indicates the operation is part of a broader, previously undetected cyber espionage campaign that may stretch back years.
The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on—an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.
They provide this helpful illustration:
The hackers used the digital equivalent of a spy’s disguise to blend in with the flood of data flowing through government and corporate networks and remain undetected. They snatched up years-old but abandoned internet domains and repurposed them for hacking, and they named their software to mimic legitimate corporate tools. Most devastatingly, they sneaked their malicious code into the legitimate software of a trusted software maker—an Austin-based company called SolarWinds Corp. and its software called Orion.
The Cybersecurity and Infrastructure Security Agency tasked with protecting U.S. networks, in an alert Thursday, said it had evidence that the hackers have managed to break into computer networks using bugs other than the SolarWinds software. The alert labeled the hack a “grave threat” to compromised victims, which it said include multiple government agencies, critical infrastructure entities and private sector companies.
Hours later, the National Security Agency, America’s top cyberspy organization, issued a broader warning to defense agencies and contractors about vulnerabilities such as those exposed by the SolarWinds attack. Hackers, it said, were finding ways to forge computer credentials to gain wider access across networks and steal protected data stored on in-house servers and cloud data centers. The approach, the NSA said, may have been used in an attack on VMware Inc. software used in national security circles that the spy agency warned about earlier this month.
Government officials and cybersecurity experts have concluded that Russia is likely responsible for the hack, in part due to the extreme skill involved as well as other classified clues, according to people familiar with the matter. At least two senators who have received briefings in recent days have openly referred to it as a Russian operation. Moscow has denied responsibility.
Government officials and lawmakers are still working to understand the full consequences of the hack, which is viewed as a classic but highly successful attempt to spy on internal communications and steal information that could be valuable to Moscow’s intelligence agencies. It isn’t considered a destructive attack that damaged or shut down computer systems, as some major cyberattacks have done in the past
Microsoft president Brad Smith has declared the need for a global response, using some rather alarmist language:
This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms. It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous. As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response. [emphases mine throughout-jj]
He joins others in highlighting the severity—and ongoing nature—of the latest attack:
The first is the continuing rise in the determination and sophistication of nation-state attacks. In the past week this has again burst into the headlines with the story of an attack on the firm FireEye using malware inserted into network management software provided to customers by the tech company SolarWinds. This has already led to subsequent news reports of penetration into multiple parts of the U.S. Government. We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations. As FireEye CEO Kevin Mandia stated after disclosing the recent attack, “We are witnessing an attack by a nation with top-tier offensive capabilities.”
As Microsoft cybersecurity experts assist in the response, we have reached the same conclusion. The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.
He assesses the breakdown of who was hit this way:
Additionally, he makes a strong claim that contradicts most of what I’ve seen from my national security types:
This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.
Additionally, they’re more sophisticated that previous attacks:
These types of sophisticated nation-state attacks are increasingly being compounded by another technology trend, which is the opportunity to augment human capabilities with artificial intelligence (AI). One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps. We should all assume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat landscape.
Further, while this capability has been limited to a handful of state actors, with Russia as the most malign (and presumptively behind this attack not only because of its characteristics but because they’ve been unhit),
All this is changing because of a second evolving threat, namely the growing privatization of cybersecurity attacks through a new generation of private companies, akin to 21st-century mercenaries. This phenomenon has reached the point where it has acquired its own acronym – PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.
This represents a growing option for nation-states to either build or buy the tools needed for sophisticated cyberattacks. And if there has been one constant in the world of software over the past five decades, it is that money is always more plentiful than talent. An industry segment that aids offensive cyberattacks spells bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape.
Not surprisingly, he wants united action against this set of threats:
Put simply, we need a more effective national and global strategy to protect against cyberattacks. It will need multiple parts, but perhaps most important, it must start with the recognition that governments and the tech sector will need to act together.
The new year creates an opportunity to turn a page on recent American unilateralism and focus on the collective action that is indispensable to cybersecurity protection. The United States did not win World War II, the Cold War or even its own independence by fighting alone. In a world where authoritarian countries are launching cyberattacks against the world’s democracies, it is more important than ever for democratic governments to work together – sharing information and best practices, and coordinating not just on cybersecurity protection but on defensive measures and responses.
Unlike attacks from the past, cybersecurity threats also require a unique level of collaboration between the public and private sectors. Today’s technology infrastructure, from data centers to fiberoptic cables, is most often owned and operated by private companies. These represent not only much of the infrastructure that needs to be secured but the surface area where new cyberattacks typically are first spotted. For this reason, effective cyber-defense requires not just a coalition of the world’s democracies, but a coalition with leading tech companies.
People like my old Atlantic Council colleague Jason Healy have been talking about the need for public-private partnership in this area for more than a decade. But, as I’ve noted before, the tech sector is inherently wary of the US government and tends not to see it as an inherently better actor than our autocratic competitors. At the governmental level, there is already considerable cooperation with our NATO allies, the EU, and the Five Eyes but I don’t claim to understand the extent or the gaps. But, rather obviously, the more cooperation there is, the more transparency that’s required and the more vulnerability that is created.
Smith closes with several paragraphs calling for specific actions that the incoming administration should take. Critiquing it is well beyond my expertise. But, rather obviously, the offense is ahead of the defense again in the cyber realm. And what we’ve done so far to punish Russia, China, North Korea and other malign actors has been inadequate to deter them.