At a glance.
- Updates on the SVR's cyberespionage campaign.
- Does cyberespionage amount to an act of war?
- A range of possible US responses to the SVR's cyberespionage.
- Setting expectations, post-"Solarigate."
Updates on the SVR cyberespionage campaign.
The incident as yet has no generally agreed-upon name, with Sunburst and Supernova representing two distinct aspects of it. Some have been trying out "Solarigate" as a general name, and we'll go with that for now, provisionally.
In any case, since FireEye broke the news of its own breach two weeks ago, the situation has evolved rapidly. We saw last Friday that the US Cybersecurity and Infrastructure Security Agency (CISA) is probing access vectors other than the SolarWinds update, with CyberScoop predicting we might be hearing more about TEARDROP and Solar Strike next. Yahoo reported that Cozy Bear performed a dress rehearsal in October 2019 using modified files that carried no backdoor, and that US intelligence admitted it had no prior knowledge of the hack. The New York Times reported that the Einstein intrusion detection system failed to snare the Bear, and we learned from Reuters that the password to SolarWinds's compromised software update system was once “solarwinds123.”
US Secretary of State Pompeo blamed Russia, as France 24 reported (and President Trump obfuscated) with Yahoo explaining Secretary Pompeo's take on stability as a motive for presidential distance from the hack. FireEye, Microsoft, and Volexity, organizations with privileged access to threat intel, have also declined to name and shame Russia, according to DomainTools, apparently having observed “clear differences between the current activity and legacy APT29 behaviors.” The Guardian cites Russian journalist Andrei Soldatov’s view that the breach looks like an SVR-FSB collaboration. Reuters reported that another advanced but less successful hacking group, probably also an SVR unit, was nosing around SolarWinds earlier this year.
Without blaming Moscow for Solarigate, NSA cautioned Defense personnel and Defense contractors that the breach, in conjunction with the VMware vulnerability disclosed last month, could catalyze Russian efforts to pilfer vendors’ data, according to CyberScoop. Moscow continued to insist that “Russia does not conduct offensive operations in the cyber domain.”
Reuters named additional victims, including Cox, Cisco, and Arizona. Mint reported that Microsoft notified forty impacted clients, the majority of them US-based, though organizations in seven other countries are known to have been hit: Mexico, Canada, Israel, Britain, Spain, Belgium, and the United Arab Emirates. BleepingComputer added that IT companies were most heavily targeted, with Government and NGO clients next in line. Senators asked the IRS whether taxpayers’ data had been compromised. So far, classified systems seem to be safe.
CNET said the threat actors weaponized a routine update, aiming it at “thousands of groups,” and we still don’t have a clear picture of what data was compromised. A cyber conflict scholar told the AP Cozy itself likely hasn’t had time to sort through its loot.
Does the SVR's cyberespionage amount to an act of war?
The US Senate Intelligence Committee Chairman called the hack “almost…an act of war,” according to the Miami Herald. Other members of Congress remarked that the event “could be our modern day, cyber equivalent of Pearl Harbor,” or, as The Hill reports, called it “virtually a declaration of war.”
Still others have been more cautious in their linguistic choices, according to NBC News, with some referring to the incident as an “intrusion,” not an attack. By terming it an “assault,” NBC claims, the Biden Administration may be overpromising on the response it can deliver. A former Facebook cybersecurity head said we “shouldn’t pretend” Solarigate represents anything the US doesn’t routinely do, or, as other experts have remarked, wished it might do. Microsoft’s President described the breach as an “espionage-based assault,” but more serious than “traditional espionage.” Since severity and scope of damage to national interests aren’t sufficient conditions for an act of war, unless the event is revealed to be battlespace preparation for something like an infrastructure attack, “espionage” indeed seems a more fitting description.
Spying may be a universal practice among governments, but Moscow’s “spying” occasionally spills over into more destructive effects, as in the NotPetya attacks. Although CISA described Solarigate as a threat to governments and critical infrastructure, and CyberScoop warned that Cozy Bear is known for “doubling down” rather than “backing down,” so far there has been no evidence that data were modified or destroyed, still less any sign of physical disruption or destruction, so the operation may not constitute offensive action. That would be consistent with Cozy Bear’s profile: the group is recognized as an espionage outfit and hasn't been observed manipulating or destroying data.
Nevertheless, a New York Daily News opinion suggests concealed malware controls may take the event past business as usual into the realm of war.
What might be done in response to SVR cyberespionage?
As for short-term solutions and practical remediation, FireEye, GoDaddy, and Microsoft created a “kill switch” for the backdoor, according to BleepingComputer. Microsoft also published technical details of and remedies for the hack. DomainTools recommended focusing on “own-network understanding,” not external information, while a former Homeland Security official warned in the New York Times that a complete restoration could take years.
With respect to longer-term solutions and political action, the Guardian says public sanctions and clandestine retaliation are both options, though an effective blend of the two escaped former US President Obama. KJZZ reported one law professor’s perspective that a speedy, public response is necessary. Likewise, the Senate Intelligence Committee Chairman tweeted that “America must retaliate, and not just with sanctions,” according to the Miami Herald.
The State Department has already shuttered two US consulates in Russia, but it’s possible we won’t see another public response. A White House spokesperson commented that “we’re just not going to tell our adversaries what we do to combat these things.” Data Breach Today indicated Congress might not be satisfied with covert action; both sides of the aisle are clamoring for answers, and the House has opened investigations. A Biden transition team leader said the next Administration “will reserve the right to respond at a time and in a manner of our choosing.” It would probably be appropriate for that manner to assume a cyber, rather than kinetic, form, albeit one disruptive of enemy attack capability and espionage infrastructure. (Consider, along these lines, philosopher Randall Dipert's discussion in the Journal of Military Ethics of justifications for preventive or preemptive strikes, which would seem to have particular applicability to the cyber portions of the spectrum of conflict.)
Looking ahead to the next attack, Kearney Hub stressed the importance of the Cyberspace Solarium’s recommendations, quoting Senator Sasse (Republican of Nebraska) as warning, “When the next war breaks out, we’re going to start with China already on second base.” Solarium leaders said the Government should consider a diverse set of solutions that would make the Kremlin think twice next time, according to The Hill. A bipartisan coalition urged President Trump to sign the NDAA into law, and Microsoft pitched global cyber weapon nonproliferation treaties.
An essay in Lawfare maintained that Solarigate revealed the limitations of US defend-forward doctrine and argued that the policy be buttressed with defensive resources. (It compares vulnerable equipment and employees to “rotten” building materials.) A National Cybersecurity Certification and Labeling Authority and a Bureau of Cyber Statistics could inform consumer policy, and recalibrated legal incentives could shift responsibility from laypeople to experts.
The BBC recalls how past Russian attacks have “transformed” US cybersecurity; Solarigate seems likely to continue that tradition.
Setting expectations after the SVR's Solarigate cyberespionage campaign.
We continue to hear from industry experts on the Sunburst incident. Aviad Hasnis, CTO of Cynet, wrote:
"Many Managed Service Providers (MSPs) rely on Remote Monitoring and Management (RMM) tools to service their broad set of small business clients, each with potentially hundreds of computers and users. Cybercriminals are increasingly taking advantage of these RMM tools to infiltrate MSP clients’ environments.
"MSPs can and should take multiple actions to protect against RMM attacks, including:
"Increase awareness across the organization to prevent spear phishing attacks (that use both links and attachments) from infecting endpoints with malware and ransomware, the typical entry point for RMM attacks.
"Deploy an EDR/XDR tool that will detect and prevent spear phishing, the initial access vector. EDR/XDR is also advisable to mitigate credential dumping techniques as well as to detect ransomware which will attempt to use the RMM software to infiltrate customers’ environments while also deleting any existing backups. Traditional signature-based AV provides limited protection against the techniques used by cybercriminals to compromise RMM tools.
"Multi-factor authentication (MFA) is generally optional on most RMM tools. MSPs should enable MFA across all RMM tools to make it harder for attackers to leverage compromised RMM credentials.
"Audit RMM accounts to ensure all enabled users truly require access to minimize the attack surface. Pay particular attention to high-privileged RMM users as compromise of these accounts will certainly lead to damage."
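The last two of Cynet's recommendations (enforce MFA on every RMM account, audit enabled accounts and scrutinize privileged ones) reduce to a repeatable check over the RMM's user list. The script below is an added example, not Cynet's code or any RMM vendor's tooling; it assumes a hypothetical CSV export with username, enabled, role, mfa_enabled and last_login columns (real products name these fields differently, so adapt the header mapping) and runs against a constructed sample export embedded inline.

```python
"""Audit an RMM user export for the weaknesses Cynet's note calls out.

Added example, not Cynet's or any RMM vendor's code. The CSV schema below is
an assumption: adjust the column names to match your product's export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export (hypothetical schema, not real data).
SAMPLE_EXPORT = """\
username,enabled,role,mfa_enabled,last_login
alice,true,admin,true,2020-12-20T08:15:00Z
bob,true,admin,false,2020-12-19T17:40:00Z
carol,true,technician,true,2020-09-01T09:00:00Z
dave,false,admin,false,2020-01-15T12:00:00Z
svc-backup,true,admin,false,
"""

# Role names treated as high-privilege (assumption; map to your RMM's roles).
PRIVILEGED_ROLES = {"admin", "superadmin"}
# An enabled account unused for this long is a removal candidate.
STALE_AFTER = timedelta(days=90)


def _parse_bool(value):
    return value.strip().lower() in {"true", "1", "yes"}


def _parse_time(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means 'never'."""
    if not value.strip():
        return None
    return datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )


def audit_rmm_accounts(export_text, now):
    """Return (username, finding) tuples for every enabled account.

    Disabled accounts are skipped: they cannot authenticate and so do not
    contribute to the attack surface the audit is measuring.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if not _parse_bool(row["enabled"]):
            continue
        user = row["username"]
        privileged = row["role"].strip().lower() in PRIVILEGED_ROLES

        # MFA missing on a privileged account is the worst case: stolen
        # credentials alone give the attacker the RMM's reach into clients.
        if not _parse_bool(row["mfa_enabled"]):
            sev = "high" if privileged else "medium"
            findings.append((user, f"{sev}: MFA not enabled"))

        last = _parse_time(row["last_login"])
        if last is None:
            findings.append(
                (user, "medium: never logged in; verify the account is needed")
            )
        elif now - last > STALE_AFTER:
            days = (now - last).days
            findings.append(
                (user, f"medium: no login in {days} days; candidate for removal")
            )

        if privileged:
            findings.append(
                (user, "info: privileged role; confirm access is still required")
            )
    return findings


def audit_sample(now_iso="2020-12-21T09:00:00Z"):
    """Run the audit over the constructed sample at a fixed reference time."""
    return audit_rmm_accounts(SAMPLE_EXPORT, _parse_time(now_iso))


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user:12} {finding}")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and passing the current time; the severity split puts unprotected privileged accounts (here bob and the svc-backup service account) at the top of the list, which is where Cynet's note says the damage from a compromise concentrates.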
And Ralph Pisani, president of Exabeam, commented:
“While proactive efforts to prevent data breaches are absolutely critical for all enterprises and government agencies, even the most heavily fortified systems (such as those at FireEye) will never be 100% secure. With the AV-TEST Institute registering more than 350,000 new malware types and potentially unwanted applications (PUA) daily, there is simply no such thing as perfect security. It’s a constant race between the security practitioners and vendors that band together and the world’s nation-state attackers and cybercriminals.
"Thus, there must be a balance within organizations’ security budgets between stopping a breach from occurring in the first place -- and post-breach detection and response for when the inevitable finally catches up to them. As a cybersecurity vendor, we know how hard it is when a breach happens – especially one perpetrated by a well-funded, state-sponsored actor, but there are tools that can help rapidly respond to these incidents.