Washington (Brussels Morning) The United States was hit with a massive data breach just before Christmas, and US President-elect Joe Biden is on record as having warned Russia of massive “in-kind” retaliation.
What has been less widely reported is the damage the same attack inflicted in Europe, presumably because the full impact has yet to be assessed.
The initial revelation came from the private sector, specifically from the Texas-based company that developed the SolarWinds software. US Secretary of State, Mike Pompeo, confirmed that Russia was irrefutably the source of the cyberattack. The Kremlin has denied any involvement.
US President Donald Trump took to Twitter to downplay the significance of the event, saying it had been overblown by “mainstream media,” while offering reassurances that the situation was “well under control.”
To date, US officials are offering little by way of comment on the substance of the breach or the kind of retaliation that is under consideration. What has been confirmed is that several US Departments – Treasury, Defense, State Department, and the National Institutes of Health – were hacked. But the attack did not stop there: a number of corporate entities were also targeted.
To discuss the significance of the incident, Ambassador Tedo Japaridze talks to Paul Joyal, who supervised the introduction of the first computer system into the United States Senate Select Committee on Intelligence (SSCI) in the 1980s, during the Reagan Administration. This was before the introduction of the Personal Computer (PC). Since then, Joyal has worked for the FBI’s InfraGard organization and is a foremost expert on Russian Intelligence cyber espionage.
Ambassador Tedo Japaridze (TJ). Why was this specific incident so alarming?
Paul Joyal. Before I respond, let me outline the excellent work of the FireEye investigators that led me to this conclusion. Immediately upon discovering the malware intrusion, investigators zeroed in on a vulnerability in a product made by one of its software providers, the Texas-based SolarWinds Corp.
They examined 50,000 lines of source code and found the backdoor within SolarWinds software and immediately notified the FBI. Later, as a good corporate citizen and a leader in the cyber field, they released the attack signatures to detect this threat actor and supply chain attack in the wild. While the hack on FireEye was embarrassing for a cybersecurity firm, it may prove to be a crucial mistake for the hackers. “If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm, said. “One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.”
This puts in perspective why I became extremely concerned after reviewing the available information on the FireEye hack. Information indicated that the attacker exfiltrated FireEye’s offensive hacking tool set used for testing client defences. Furthermore, FireEye discovered that the compromise of their defences occurred in a supply chain attack trojanizing SolarWinds Orion business software updates to distribute malware called SUNBURST. This is what frightened me, since it was not a Zero Day attack that hackers could use by going from one target to the next. This attack used a software update to deliver the malicious payload from what was thought to be a trusted provider in their software food chain. This was a devastating admission.
What followed was even more hair-raising. The attackers had been in their system since Spring, and that suggests potentially thousands of firms and public institutions had been infected since. The attacker’s post-compromise activity leverages multiple techniques to evade detection and obscure their activity.
This further indicates a nation state actor of the first order and I immediately suspected the Russian Foreign Intelligence (SVR) as the most likely attacker for two reasons. The SVR is primarily involved in intelligence collection and espionage, including cyber espionage. They are by far the most stealthy, patient, and silent. If this detection is thought to have begun in Spring 2020, I suspected they compromised the system in the Fall-Winter of 2019 and used their time to conduct a detailed reconnaissance to identify the targets of collection.
Before they would activate the software and steal the data, they would first accomplish two additional important steps. First, to erase their activities as much as possible; second, to install additional and non-related backdoors to provide continued access for return after the updated software was corrected and the system purged of its original paths of access and egress.
TJ. So, what is the damage?
PJ. The SolarWinds cyber hack is a devastating blow to the defensive investments and systems of both the public and private companies which were part of its 18,000-customer base globally. SolarWinds acknowledged that this applied to all in their installed base who uploaded the software. This indicated that the compromise would extend both to the US Government and large valuable companies as well. It would have global ramifications and be extremely costly to remedy.
FireEye’s investigation revealed that the hack in itself was part of a global campaign by a highly sophisticated attacker that also targeted “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” according to a company blog post Sunday night. “We anticipate there are additional victims in other countries and verticals.”
Many US Government agencies have acknowledged compromises including but not limited to the Department of Commerce in one of its bureaus, and Reuters has reported that the Department of Homeland Security and the Treasury Department were also attacked in the Russian hacking spree. The damage continues to be identified from the State Department to the Department of Defense and the investigation continues. Particularly disturbing is a new report that the Energy Department and National Nuclear Security Administration, which maintains the US nuclear weapons stockpile, found out that hackers accessed their networks as part of an extensive espionage operation that has affected at least half a dozen federal agencies.
TJ. Would you define this as an act of war?
PJ. I do not. It is classic espionage, and no destruction of data or systems has been reported. Therefore, I think it does not reach that level, and the Russians have been careful not to cross that line. They realize that if they did, we would retaliate in ways that would be most unpleasant for them. This is straight cyber espionage as far as I can see, but our time is better spent conducting a thorough review and addressing the known deficiencies that led to this debacle.
TJ. What are these deficiencies?
PJ. The Russian Intelligence cyber capabilities are extremely good.
They are creative at identifying weaknesses for attack. They do their research, including target country investments and studies. I fear one of the reports they may have read was a December 2018 GAO report (United States Government Accountability Office, Report to Congressional Committees) concerning INFORMATION SECURITY: “Agencies Need to Improve Implementation of Federal Approach to Securing Systems and Protecting against Intrusions”.
The report pointed out that the DARPA-developed Einstein system was based on identifying known malware and IP signatures to protect the gates of government computer networks from hostile intrusion attempts. It could not identify unknown malware! It was an unknown and novel set of malicious codes not previously identified. Additionally, Einstein won’t be able to detect when data is being transmitted to a secret user outside the network until 2022.
The Russians just took advantage of the holes that were not addressed and plugged during the Trump years. Just plain and simple, and now up to 300,000 SolarWinds clients are potentially at risk around the world.