Archives for December 2020

Bad News Concerning SolarWinds Supply Chain

Cyberwatch Finland’s Special Bulletin

Bad News Concerning SolarWinds Supply Chain Attack Will Continue to Unfold for Quite Some Time More

On Sunday, December 13, news broke of the largest cyber operation in recent years against U.S. government targets, attributed in the initial reporting to the advanced persistent threat actor APT29, associated with the Foreign Intelligence Service of the Russian Federation, also known as the SVR (Служба внешней разведки Российской Федерации). The original reporting covered the compromise of the email systems of the U.S. Treasury Department and the Commerce Department, but as more information about the incident has come out, the devastating scale of the hack is slowly being revealed.

According to the sources, Russian operatives had successfully penetrated SolarWinds, an Austin, TX-based company whose products include a widely used IT full-stack monitoring and management platform called Orion. SolarWinds’ customer base, which also includes users of products other than Orion, included, according to SolarWinds’ website, more than 425 of the U.S. Fortune 500 companies, all ten of the top ten U.S. telecommunications companies, all five branches of the U.S. military, the National Security Agency, and the Pentagon, to name a few.

Once inside, the attackers compromised the software build environment so that SolarWinds itself served its customers a poisoned update of the Orion platform containing injected malware. Because the malicious code was inserted during the build, the resulting update came through the vendor’s own distribution channel and was indistinguishable to customers from a legitimate release. The distributed malware was later named SUNBURST by one of the compromised entities, FireEye. The poisoned Orion update opened a backdoor into the target systems, giving the attackers access and possibly a way to insert additional tools to secure their foothold and continued access; it was installed by as many as 18,000 SolarWinds customers.
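The following script is an added illustration for this bulletin; it is not SolarWinds’, FireEye’s or any agency’s tooling, and the file names, contents and hashes in it are constructed. It shows the control that a compromised build server defeats: a valid vendor signature on a release only proves that the vendor’s key signed whatever the build produced, so the check that can catch a poisoned update is comparing the shipped artifacts, file by file, against a build reproduced independently of the release pipeline. The function names (`build_manifest`, `compare_builds`, `audit_release`) and the sample artifacts are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes]) -> dict[str, str]:
    """Map each artifact path to the SHA-256 of its contents (sorted for stable diffs)."""
    return {path: sha256_hex(blob) for path, blob in sorted(artifacts.items())}


@dataclass
class BuildDiff:
    """Differences between an independent reference build and the shipped release."""
    modified: list[str] = field(default_factory=list)   # same path, different bytes
    added: list[str] = field(default_factory=list)      # shipped but never built from source
    missing: list[str] = field(default_factory=list)    # built from source but not shipped

    def ok(self) -> bool:
        return not (self.modified or self.added or self.missing)


def compare_builds(reference: dict[str, str], shipped: dict[str, str]) -> BuildDiff:
    """Compare two manifests produced by build_manifest()."""
    diff = BuildDiff()
    for path, digest in reference.items():
        if path not in shipped:
            diff.missing.append(path)
        elif shipped[path] != digest:
            diff.modified.append(path)
    diff.added = [path for path in shipped if path not in reference]
    return diff


def audit_release(reference_artifacts: dict[str, bytes],
                  shipped_artifacts: dict[str, bytes],
                  signature_valid: bool) -> tuple[str, BuildDiff]:
    """Verdict on a release. The signature result is reported but is deliberately
    NOT used to decide: a build-server compromise yields a validly signed, tampered
    release, so only agreement with the independent build counts as a PASS."""
    diff = compare_builds(build_manifest(reference_artifacts),
                          build_manifest(shipped_artifacts))
    verdict = "PASS" if diff.ok() else "TAMPERED"
    if not signature_valid:
        verdict = "TAMPERED"   # an invalid signature is always disqualifying
    return verdict, diff


# Constructed sample data (hypothetical product, not real SolarWinds artifacts):
# what a clean build of the release produces on an independent builder ...
CLEAN_SOURCE_BUILD: dict[str, bytes] = {
    "bin/Core.BusinessLayer.dll": b"MZ\x90\x00clean-business-layer-v2020.2",
    "bin/Core.Web.dll": b"MZ\x90\x00clean-web-layer-v2020.2",
}

# ... and what the compromised release server shipped: the same file names, one
# file with injected code, and one extra file that no clean build produces.
SHIPPED_RELEASE: dict[str, bytes] = {
    "bin/Core.BusinessLayer.dll": b"MZ\x90\x00clean-business-layer-v2020.2"
                                  + b"<injected backdoor class>",
    "bin/Core.Web.dll": b"MZ\x90\x00clean-web-layer-v2020.2",
    "bin/Extras.dll": b"MZ\x90\x00unexpected-extra",
}

# Constructed: the vendor's own key signed the tampered build, so the signature is valid.
SIGNATURE_VALID = True


if __name__ == "__main__":
    verdict, diff = audit_release(CLEAN_SOURCE_BUILD, SHIPPED_RELEASE, SIGNATURE_VALID)
    print(f"signature valid: {SIGNATURE_VALID}  verdict: {verdict}")
    for label, paths in (("modified", diff.modified), ("added", diff.added), ("missing", diff.missing)):
        for path in paths:
            print(f"  {label}: {path}")
```

In practice the comparison has to exclude the signature itself: a signed binary differs from the unsigned output of a reproducible build, so either hash the unsigned image before the vendor signs it or strip the signature block before hashing. The reference build also has to come from a machine and pipeline the release server cannot reach, otherwise an attacker who owns the build server owns the reference too.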

Nevertheless, it seems that the perpetrators were highly selective in their targeting. This selectivity sets the SolarWinds case apart from the NotPetya case associated with the GRU Sandworm team, where a destructive supply chain attack spread worldwide like wildfire, causing an estimated $10 billion or more in damages. In addition to the government targets, one of the victims was the internationally well-known cybersecurity company FireEye, which lost to the hackers the tools it used in its penetration testing, or red teaming, engagements. This brazen targeting eventually led to the unraveling of the SolarWinds case: while investigating its own breach, FireEye traced the intrusion to the trojanized Orion update and found that other organizations had been compromised through the same vector.

According to some estimates, Russian operatives had initially penetrated SolarWinds’ systems as early as October 2019 and made a test run of their chosen method of poisoning an update, without yet operationalizing their access. According to the current understanding, operationalization took place in March 2020, which may have given the Russian operatives more than nine months of access to the targeted systems.

To contain the situation, Microsoft, itself a victim of the SolarWinds hack, together with other industry partners took over, or sinkholed, the domain used for command and control of the infected systems, so that backdoored installations calling home now reach the defenders rather than the attackers. The sinkholing continued a series of similar operations by Microsoft that have crippled perpetrators’ campaigns by disrupting their command and control networks.

According to Microsoft’s analysis, in addition to U.S.-based companies, U.S. states, and governmental targets, such as the Departments of State and Homeland Security and the National Nuclear Security Administration, targets across the globe, from Canada to the United Kingdom and Belgium, have also received the poisoned SolarWinds update. Organizations such as NATO have likewise been investigating whether they have been affected.

It is not far-fetched to assume that similar investigations are taking place across the world. Governments and private organizations alike are scrambling to identify whether the SolarWinds hack has impacted them and whether there has been any malicious activity in their systems as a result.

As the hacks had grave national security significance, the United States Government also scrambled into action. According to the reports, the National Security Council was summoned to a meeting on Saturday, December 12, to cover the hack. The Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive (ED 21-01) on December 13, ordering federal civilian agencies to immediately disconnect or power down the affected SolarWinds Orion products in their networks. Following the CISA directive, the National Security Council announced on December 15 the establishment of a Cyber Unified Coordination Group (UCG) to coordinate the whole-of-government response to the incident. The USG announcement was followed by a joint statement by the Federal Bureau of Investigation (FBI), CISA, and the Office of the Director of National Intelligence (ODNI) on their investigation of the breach. Throughout the process, both the NSA and CISA have issued advisories and alerts to share technical information with the community fighting the breaches.

Information has also been released about a second entity that has been in SolarWinds’ systems, but it is too early to say whether the situation resembles the DNC case of 2016, when the GRU and the SVR were in the same systems, or something else, such as two competing nations both having access to SolarWinds’ systems. Moreover, in connection with the SolarWinds investigation, authorities have warned that the perpetrators have also used means other than the SolarWinds-associated malware to reach their targets, such as exploiting a flaw in VMware products and bypassing multi-factor authentication.

In addition to attribution by commercial companies, Russian involvement in the SolarWinds hack has also been affirmed by political figures in the U.S. For example, Secretary of State Mike Pompeo named Russia as the likely perpetrator in the SolarWinds case. Similar statements have been made by Senators Marco Rubio (R.) and Mitt Romney (R.) and by a number of politicians from the other side of the aisle. According to news sources, members of the Biden transition team have been weighing potential avenues for responding to the intrusions, including new financial sanctions and potentially going even further. The current White House has not publicly held the Kremlin accountable for the intrusions but has instead muddied the waters by suggesting that other players, such as China, may have been involved.

At the time of writing, the main goal of the SolarWinds hack, and of the broad access it granted Russian intelligence, appears to have been to secure a foothold in selected systems for intelligence collection. While infuriating, and to some degree also embarrassing, intelligence collection is a normal and, in many ways, necessary part of international affairs.

Nevertheless, it is worth keeping in mind that a foothold secured for intelligence collection could also be turned into a platform for destructive operations. Intents may change as time passes, changing the victim’s risk calculus with them. Careful analysis of which targets were chosen and what kinds of systems they run can therefore reveal a lot about the perpetrators’ intent. According to some reports, critical infrastructure companies have also received the poisoned SolarWinds update, although they have not necessarily seen follow-on intrusion after the initial infection.

As more information about the SolarWinds hack is revealed, there is a growing discussion in the expert community about its potential impact and the additional motivations behind it. Beyond intelligence collection, the motivations suggested have included Russia building a deterrent against U.S. cyber attacks on targets in Russia or on Russian interests elsewhere. It has also been speculated that a foothold in U.S. systems would have served as a bargaining chip, should U.S. countermeasures against Russian election interference have become too painful to bear.

While some public outrage and follow-up actions are necessary for optics and political purposes, it is improbable that, beyond a limited response such as sanctions, there will be any significant public retribution against Russia or its interests, in cyberspace or in other domains. Most of the response will concentrate on learning more about Russian intent, the resources available to them for human-operated missions, their target prioritization, and their overall tradecraft. The focus is also on the global breadth of the hack, what information was stolen while Russian operatives had access to the systems, ridding the systems of any remaining unauthorized parties, and learning how to defend better against similar attacks in the future.

While former U.S. government officials are trying to grasp the full ramifications of the SolarWinds case, the Kremlin has denied having anything to do with the hacks. Nevertheless, on December 20, the national day of celebration for the members of the country’s security services, Putin congratulated his security services on a job well done while standing in front of SVR headquarters. Meanwhile, the market reaction to the SolarWinds case was swift and painful: at the time of writing, SolarWinds’ stock is trading at around $16 per share, a third lower than just one month earlier.

We’re on social media and we’d love you to give us a follow! You can catch us on LinkedIn and Twitter by using hashtags #cyberwatchFI #CyberCatchFI

Merry Christmas and Happy New Year!

This holiday season, we at Cyberwatch Finland pause to express our gratitude and appreciation to you for doing business and working together with us. We wish you a year full of happiness and success.

Warmest thoughts and best wishes for a Merry Christmas and a Happy New Year!

Aapo, Jukka, Kim, Kirsi and Pertti

Loss of Privacy in the Digital Era – Trust is the Future Capital for Organisations

How data transparency and cybersecurity can help to achieve a competitive edge.

Text: Linnea Sinkkilä

While the value of data is rising, the loss of privacy in the digital era is becoming a reality. For individuals, this does not necessarily mean that an Orwellian dystopia is about to take place; on the contrary, in exchange for personal data we can ease our daily lives by letting smart technology take care of our needs. But giving up personal data requires trust: consumers need to be able to trust organisations to handle their data ethically and keep it safe from hackers and other cyber threats, but also from the more obscure purposes organisations themselves might have.

Data is the currency of the digital age. Some organisations understood this long before others and have been able to capitalise on data, sometimes without explicit consent from the users. Although the use of personal data is becoming more regulated, as the European GDPR and the California Consumer Privacy Act show, demand for data is nonetheless higher than ever: with AI stepping in, organisations are looking to gather even more data to train their machine learning algorithms.

Meanwhile, people’s trust in how companies handle their data is fading: more than two thirds of Americans do not trust companies to sell personal data ethically. But the convenience of connected, smart devices still ensures that people are willing to give up personal data despite the risks associated with smart technology.


Smart technology connects us to the internet, constantly transmitting data about our behaviour, habits, tastes, and even health. As our lives become ever more entwined with smart technology, apps and online platforms, it is now close to impossible to opt out entirely. Letting smart devices collect user data seems to be the inescapable trade-off of online interaction, even if it costs us our privacy and makes us targets for personalised marketing and, more unsettlingly, for cyberattacks and identity theft.

While most people are aware of the privacy and cybersecurity issues related to smart technology, they still carelessly engage in risky online activities such as using public Wi-Fi networks or letting websites save their credit card information. In fact, in a cautionary experiment by F-Secure, it turned out that some are even ready to give up their firstborn child just to gain access to free Wi-Fi. As this experiment shows, a careful reading of terms and conditions can be too much of a hassle, especially when we are constantly bombarded with an overwhelming number of different licence agreements.

Even though people may personally have lax attitudes towards online security, they still expect organisations to diligently protect their user data and handle it in a safe, ethical and transparent way. But as, by one widely cited estimate, hackers attack every 39 seconds, and data breaches are becoming more common, it is no wonder that the general population’s trust in organisations’ ability to keep their data safe is eroding.


In addition to cyberattacks, consumers worry about companies using their data for commercial purposes without consent. As data is increasingly commoditised, some companies may see this as an opportunity to grab all the consumer data they can and use it as they please, expecting people to just get over it. However, organisations with such arrogant attitudes towards personal data may soon discover the short-sighted nature of this strategy: once lost, trust may never be regained.

It is no longer just data, then, that should be seen as an economic asset; trust is one too. If organisations fail to take the necessary action to ensure cybersecurity and invest in privacy policies, they may experience significant financial losses in addition to losing their reputation. Ultimately, this may even kill a company.

While the issue of privacy has become more central than ever, organisations are only beginning to realise that trust and transparency will be the critical factors in gaining consumers’ confidence in the future. Organisations that give people more control over their data, are transparent about its use and about their data protection measures and, most importantly, give fair value in exchange for it will likely gain a competitive edge.

Therefore, getting ahead in the internet privacy and security game is imperative for any organisation that wants its business to thrive in the digital era.


Smart devices continuously collect and transmit masses of user data, creating vast databases for organisations to dig into. The development of artificial intelligence is likely to accelerate this trend even further and raise the analysis of personal data to a whole new level.

In the future, as technology becomes more ubiquitous with cameras and monitors embedded in the built environment, giving consent to the usage of personal data becomes next to impossible.

This development could also lead to an increasing number of cyber hazards, eventually leaving people helpless in their efforts to protect their privacy. But as governments and legislators step in to ensure data privacy and security, they are also stepping on the toes of organisations deploying machine learning algorithms that rely on consumer data.

Finding a solution to the loss of privacy in the digital era that works for all parties is not an easy task, then. But changing the way consumers and organisations perceive privacy could ease the tensions around privacy in the future: instead of regarding data as a commodity, it should be seen as information that, when given a chance to flow freely, can bring significant benefits to organisations, consumers and society as a whole.

Similarly, re-thinking privacy and data security as a product to be offered for customers could help in building a holistic, transparent approach to data protection within organisations and thus win back consumers’ trust.


To write this article, Futures Platform’s futurists have collected data on different phenomena and studied the linkages between them. Here are the three colliding phenomena that are shaping the future of data privacy.

Rising Value of Data

Data has become the new strategic raw material for the world economy. As the amount of data on the Internet increases exponentially in the coming decades, we are moving into a data economy, which will open doors to success for completely new kinds of players. A key driver of this development is the rapid increase in the number of devices connected to the Internet and especially the emerging Internet of Things (IoT).

Right to Privacy

People carry an increasing number of mobile devices that are always connected to Internet services as well as to other devices in their vicinity. This enables continuous surveillance and monitoring, as well as accurate profiling. Piece by piece, this development eats away at our right to privacy. With the Internet of Things (IoT) and 5G connecting ever more devices, the notion of privacy may be further transformed in the future. People may be increasingly willing to exchange privacy for the convenience offered by smart homes and devices.

AI Machine Learning

Machine learning uses complex algorithms to analyse large data sets to produce probabilities and similarities between variables. It predicts outcomes based on past occurrences, pattern recognition, and statistics. Machine learning primarily benefits large companies or entities such as nation-states, which possess large data sets and have the resources to analyse them. The use of these data sets also raises questions about privacy, especially if the machine learning code is released as open source and data that exists in the public domain can easily be cross-referenced with it.

This article was originally published on the Future Proof blog by Futures Platform
