IOTW: Russian Hack Deeper And Wider Than First Anticipated


Seth Adler

2021 is a new year, but the same cyber security threats are plaguing the United States. The SolarWinds breach continues to grow.


The Orion update from SolarWinds is currently inside thousands of public and private institutions. Some have remediated the vulnerability. But Microsoft itself has noted in a statement that its investigation has “revealed attempted activities beyond just the presence of malicious SolarWinds code.”

U.S. officials maintain their public stance that classified and sensitive information avoided the breach, but behind closed doors, they tell another story. On January 2, The New York Times reported that officials aren’t exactly sure what information Russia has gleaned from the massive hack. According to the report, the worry is that the S.V.R., Russia’s foreign intelligence service, may have accessed sensitive information including but not limited to Black Start—the US government’s detailed response plan to a major power outage.

Some cyber security experts offer words of assurance, insisting that intelligence breaches of this nature act as insurance against large-scale attacks or sanctions. Most governments partake in similar information-gathering tactics, the U.S. included. Still, other cyber security experts make the opposite case: that once inside government systems, espionage campaigns can quickly turn into full-blown attacks.


The particular piece of malware involved in the SolarWinds breach is so sophisticated that it was able to bypass encryption and navigate internal networks in God-mode—a term meaning the hackers were able to see and use everything on the network undetected. Another consideration is the diversity of the hack, which spans the energy, healthcare, and technology sectors. It is yet to be seen whether or not concerns of infrastructure attacks are an overreaction. After all, the S.V.R. is the same organization responsible for the 2015 hack that temporarily shut down the power grid, affecting 230,000 Ukrainians for a period of one to six hours.

Additionally, SolarWinds is being scrutinized for its lackluster security. Despite its adoption by several cyber security and government agencies, insiders accuse SolarWinds of prioritizing cost savings over cyber security. Not to mention, SolarWinds doled out the compromised code to its clients three whole days after the attack was discovered.

After 11 years as chief executive, Kevin B. Thompson is stepping down. With Thompson at the helm, SolarWinds’ annual profit grew from $152 million in 2010 to $453 million in 2019. It seems no cost-cutting measures were spared, including cyber security. Unbeknownst to its clients, SolarWinds saved even more money by setting up engineering satellites in the Czech Republic, Poland, and Belarus, where Russian operatives are known to have a stronger hold.

Despite warnings from a cyber security officer employed by SolarWinds, lax cyber security protocols continued. Ian Thornton-Trump, who quit after his recommendations were ignored, predicted a “catastrophic” eventuality. SolarWinds continues to dodge accusations of negligence, insisting they are instead a “victim of a highly-sophisticated, complex and targeted cyberattack.”

It will be months to years before the full motive and scope of the Russian hack are known. Theories range from run-of-the-mill information gathering to espionage to acts of war.

Lessons Learned

Cyber security experts believe that such a large-scale attack was possible because the government’s ramp-up of cyber intelligence and its resources were focused on ensuring a secure election. Intelligence agencies successfully deterred Russian election interference—at least directly, as Russia still partook in misinformation campaigns—which may have pushed Russia to pursue other avenues while the government’s back was turned.


It is clear that protocols, rules, and regulations must change going forward. The SolarWinds hack has turned into a game of pass-the-buck, where SolarWinds, Microsoft, and the United States government, to name three, are all being blamed for not detecting the breach earlier. If cyber intelligence has any chance at effectiveness within the U.S., corporate and government entities must enact a policy of full disclosure and collaboration. As it stands, there are still enterprises compromised by the SolarWinds attack that have yet to come forward. Such withholding of intel is like hiding evidence from a crime scene: it removes pieces of the puzzle and delays the investigation.

The director of the National Security Agency, General Paul Nakasone, believes the U.S. must “defend forward.” That is, entering adversary networks to strike preemptively against planned attacks before they are launched. Such a plan is well received but, in the case of the SolarWinds hack, comes too little, too late. So, too, do the billions of dollars earmarked for such programs.

Adding to its woes, the National Security Agency has limited authority and is not allowed to enter private networks. The S.V.R. used those rules against the United States, ramping up its attack campaign from private U.S. servers. That is also where it got lax, eventually leading to its discovery by FireEye, a private cyber security firm.

Mistrust in the government, insecurities about Big Brother and government overreach, and internal Capitol Hill struggles created an environment devoid of the permissions necessary to prevent a hack of this magnitude.
