Cyberwatch Finland's Special Bulletin
Bad News Concerning the SolarWinds Supply Chain Attack Will Continue to Unfold for Quite Some Time
On Sunday, December 13, news broke about the largest cyber operation of recent years against U.S. government targets, conducted by an advanced persistent threat actor, APT29, associated with the Foreign Intelligence Service of the Russian Federation, also known as the SVR (Служба внешней разведки Российской Федерации). The original reporting shared details of the email systems of the U.S. Treasury Department and Commerce Department having been compromised, but as more information about the incident has come out, the devastating scale of the hack is slowly being revealed.
According to the sources, Russian operatives had successfully penetrated SolarWinds, an Austin, Texas-based company that offers its clients, among other products, a widely used full-stack IT management platform called Orion. According to SolarWinds' website, its customer base, which may also include users of products other than the Orion platform, included more than 425 of the U.S. Fortune 500 companies, all U.S. telecommunications companies, all branches of the U.S. military, the National Security Agency, and the Pentagon, to name a few.
Once in, the Russian hackers compromised a build server so that SolarWinds would serve its customers a poisoned update of the Orion platform containing the injected malware. The distributed malware was later named SUNBURST by one of the compromised entities, FireEye. The poisoned SolarWinds Orion platform update, which opened a backdoor into the target systems for access, and possibly also for the insertion of additional tools to ensure a foothold and continued access, was downloaded by SolarWinds' customers more than 18,000 times.
Nevertheless, it seems that the perpetrators were highly selective in their targeting. This selectivity sets the SolarWinds case apart from the NotPetya case associated with the GRU Sandworm team, where a destructive supply chain attack spread worldwide like wildfire, causing an estimated $10 billion or more in damages. In addition to the government targets, one of the victims was an internationally well-known cybersecurity company, FireEye, which lost to the hackers the tools it had been using in its penetration testing, or red teaming, activities. This brazen targeting eventually led to the unfolding of the SolarWinds case, as FireEye investigators also detected that other organizations had been targeted using the same intrusion vector.
According to some estimates, Russian operatives had initially penetrated SolarWinds' systems as early as October 2019 and made a test run of their chosen method of poisoning an update, but did not yet operationalize their access. According to the current understanding, the operationalization took place in March 2020, which may have given the Russian operatives more than nine months of access to the targeted systems.
To remedy the situation, Microsoft, itself a victim of the SolarWinds hack, together with other industry partners, took over, or sinkholed, the domain used for command and control of the infected systems. The sinkholing continued a series of similar Microsoft operations that have crippled perpetrators' operations by disrupting their command and control networks.
In addition to U.S.-based companies, U.S. states, and governmental targets such as the Departments of State and Homeland Security and the National Nuclear Security Administration, Microsoft's analysis shows that targets across the globe, from Canada to the United Kingdom and Belgium, have also been infected by the poisoned SolarWinds update. Similarly, organizations such as NATO have been investigating whether they have been infected.
It is not far-fetched to assume that similar investigations are taking place across the world. Governments and private organizations alike are scrambling to identify whether the SolarWinds hack has impacted them and whether there has been any malicious activity in their systems because of it.
As the hacks had grave national security significance, the United States Government also scrambled into action. According to reports, the National Security Council convened on Saturday, December 12, to cover the hack. The Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive on December 14, ordering government organizations to disable the affected SolarWinds tool in their networks. Following the CISA directive, the National Security Council announced on December 15 the establishment of a Cyber Unified Coordination Group (UCG) to coordinate the whole-of-government response to the incident. The announcement was followed by a joint statement by the Federal Bureau of Investigation (FBI), CISA, and the Office of the Director of National Intelligence (ODNI) regarding their work on investigating the breach. Throughout the process, both the NSA and CISA have issued advisories and alerts to share technical information with the community fighting the breaches.
Information has also been released about a second entity that has been in SolarWinds' systems, but it is too early to say for sure whether the situation resembles the DNC case of 2016, when the GRU and SVR were in the same systems, or something else, such as two competing nations both having access to SolarWinds' systems. Moreover, in connection with the SolarWinds investigation, authorities have warned that the perpetrators have also used means other than SolarWinds-associated malware to access their targets, such as flaws in VMware and bypassing of multi-factor authentication.
In addition to attribution by commercial companies, Russian involvement in the SolarWinds hack has also been confirmed by political figures in the U.S. For example, Secretary of State Mike Pompeo named Russia as the perpetrator in the SolarWinds case. Similar statements have been made by Senators Marco Rubio (R.) and Mitt Romney (R.) and by a number of politicians from the other side of the aisle. According to news sources, Biden transition team members have been pondering potential avenues for responding to the system penetrations, including new financial sanctions and potentially going even further. The current White House has not publicly held the Kremlin accountable for the system penetrations but has instead muddied the waters by suggesting that other players, such as China, may have been involved.
At the time of writing, the main goal of the SolarWinds hack, and of the broad access it granted Russian intelligence, appears to have been to secure a foothold in selected systems for intelligence collection. While infuriating, and to some degree also embarrassing, intelligence collection is a normal and, in many ways, necessary part of international affairs.
Nevertheless, it is good to keep in mind that a foothold secured for intelligence collection could also be transformed into a platform for destructive operations. Intents may change over time, changing the victim's risk calculus as well. Thus, careful target analysis and the nature of the targeted systems may reveal a lot about the perpetrators' intents. According to some, there have also been signs of critical infrastructure companies being affected by SolarWinds, though not necessarily penetrated further after the original infection.
As more information is revealed about the SolarWinds hack, there is a growing discussion in the expert community on its potential impacts and on additional motivations behind it. Other than intelligence collection, the motivations listed have included Russia building a deterrent against U.S. cyber-attacks on targets in Russia or on Russian interests elsewhere. Moreover, it has been speculated that a foothold in U.S. systems would have served as a bargaining chip, should the U.S. authorities' election-meddling prevention activities against Russian actors have become too painful to bear.
While some public outrage and follow-up actions are necessary for optics and political purposes, it is improbable that, outside of a limited response such as sanctions, there will be any significant public retribution against Russia or its interests, in cyber or other domains. Most of the response will concentrate on learning more about Russian intents, the resources available for their human-operated missions, their target prioritization processes, and their overall tradecraft. Furthermore, focus will also be on the global breadth of the hack, what information was stolen during the time the Russian operatives had access to the systems, ridding the systems of any remaining unauthorized parties, and learning how to defend better against similar attacks in future.
While former U.S. government officials are trying to grasp the full ramifications of the SolarWinds case, the Kremlin has denied having anything to do with the hacks. Nevertheless, on December 20, Putin congratulated his security services on work well done, on a national day of celebration for members of the country's security services, while standing in front of SVR headquarters. Meanwhile, the market reaction to the SolarWinds case was swift and painful. At the time of writing, SolarWinds' stock is trading at around $16 per share, one third less than just one month ago.