It has long been theorized among cybersecurity and military professionals that the next major war between world powers may not involve the firing of a single kinetic weapon. The SolarWinds Orion hack may just be the first known attack to rise to this level.
As of this writing, all indications seem to be pointing to a unit of the Russian SVR, the equivalent of the US CIA, as the actor behind this hack. However, I can’t state this too strongly, it is still very early in the analysis and this assessment may change. For now, it does appear that this is a cyberattack backed by the Russian government against the United States and other Western nations. If this is true, this could be classified as an act of war and when and how the U.S. responds will have profound implications for the world.
For now, the U.S. response is quite muted. I might say troublingly so. Based on what is now known, this event would seem to demand the strongest of public reprimands and even stronger words in private. It should be made clear that the US will respond at the time and manner of its choosing once the proof clearly identifies the attackers. I am advocating for a strong and proportional response designed to deter a future cyberattack of this magnitude. We have an opportunity to establish the parameters of what is acceptable cyber-espionage and what rises to cyber-warfare and implement deterrents to maintain peace and global security.
Assessing the Damage to Pinpoint What Happened, and How
As I implied at the outset, what we do not yet know may vastly outweigh what we know now. I have participated in numerous briefings and read countless reports and articles over the last week. What seems to be verified at this point is that the hackers infiltrated the servers used by SolarWinds to compile, verify, digitally sign, and distribute updates for the SolarWinds Orion platform. The hackers inserted malicious code into what appeared to be a normal update to the SolarWinds Orion platform. That update is estimated to have been downloaded by as many as 300,000 customers using the platform. Of those, it appears that approximately 18,000 customers show signs of the active exploit associated with the malware.
The primary targets of the attackers appear to be major private corporations, numerous U.S. government agencies and several prominent academic institutions as well as some foreign private and public entities. Information is still emerging, so this may change over the coming days and weeks. The triangulation of this attack is a significant concern as it would reveal a very damaging intent.
Right now, it is not known if the hackers were simply infiltrating and watching or actively exfiltrating data and if so, what data may have been stolen. It’s unclear just how wide the lateral movement of the hackers has been. It is widely theorized that we don’t have any real idea of just how deep these infiltrations have been and what the hackers may have been doing over the last nine months. The original hack appears to have taken place in March, just as the world was completely focused on the rapid expansion of the COVID-19 pandemic. Couple the pandemic with the focus on election security and misinformation here in the U.S. and I believe we may come to understand that we do not have nearly the resources we need to defend this nation and our economy from the threat of ongoing cyberattacks.
Sharing Security Best Practices Must Become a Priority
One thing I have heard over and over is that we, both private and public organizations, must do a better job of sharing information about attacks we see in the wild. Competitive pressures have led most organizations to keep too closely guarded the vital information that could ward off an attack. We have to re-frame this, and quickly. It should not be seen as a sign of weakness for any organization to share with others what they are seeing in terms of potential and actual cyber threats within their environment. This is the very reason that ISACs and ISAOs (Information Sharing and Analysis Centers and Organizations) were formed: to share critical cyber threat intelligence among critical infrastructure sectors or communities of interest, to help everyone better defend against hackers like this.
During one of the briefings I attended last week, it was said very clearly that we cannot expect to prevent a SolarWinds Orion-type attack. When a nation-state sets its sights on perpetrating an attack like this, there is little, if anything we can do to stop the attempt. However, we can improve the sharing of threat intelligence that could have alerted others the moment an attack was noticed, even if it’s not yet understood. The sharing of information and IoCs (Indicators of Compromise) would have allowed others to search their networks for similar behavior and make it more difficult for the hackers to be successful.
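To make the point about IoC sharing concrete, here is an added example (not from the original post, and not CompTIA ISAO code) of the kind of sweep an organization can run the moment another member shares indicators. The indicator values and the log lines are constructed placeholders, not real SolarWinds IoCs; the log formats (a DNS query line, a firewall allow line, an EDR file-write line) are assumed.

```python
"""Sweep log lines for shared Indicators of Compromise (IoCs).

Added example. All indicator values and log lines below are constructed
placeholders for illustration, not real SolarWinds IoCs.
"""
import re
from dataclasses import dataclass

# Constructed indicator set, as a peer organization or ISAO might share it.
IOCS = {
    "domains": {"update-check.example.invalid"},   # placeholder C2 domain
    "ips": {"203.0.113.45"},                        # placeholder (TEST-NET-3)
    "sha256": {"0" * 64},                           # placeholder file hash
}

# Constructed log lines in three assumed formats: DNS, firewall, EDR.
SAMPLE_LOGS = [
    "2020-03-12T04:10:22Z dns query host=ws-17 qname=update-check.example.invalid",
    "2020-03-12T04:10:23Z fw allow src=10.0.5.17 dst=203.0.113.45 dport=443",
    "2020-03-12T04:11:01Z edr file_write host=ws-17 path=C:\\tmp\\a.dll sha256=" + "0" * 64,
    "2020-03-12T04:12:00Z dns query host=ws-03 qname=time.windows.com",
]


@dataclass
class Match:
    line_no: int    # 1-based index into the scanned log list
    ioc_type: str   # "domain", "ip" or "sha256"
    value: str      # the indicator that matched
    line: str       # the full log line, kept for analyst review


DOMAIN_RE = re.compile(r"qname=([A-Za-z0-9.-]+)")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def scan(lines, iocs=IOCS):
    """Return every (line, indicator) hit; one line may hit several indicators."""
    matches = []
    for n, line in enumerate(lines, 1):
        for d in DOMAIN_RE.findall(line):
            if d.lower() in iocs["domains"]:
                matches.append(Match(n, "domain", d.lower(), line))
        for ip in IP_RE.findall(line):
            if ip in iocs["ips"]:
                matches.append(Match(n, "ip", ip, line))
        for h in SHA256_RE.findall(line):
            if h.lower() in iocs["sha256"]:
                matches.append(Match(n, "sha256", h.lower(), line))
    return matches


def hosts_of_interest(matches):
    """Pivot from hits to the hosts involved, to scope follow-up investigation
    (the first step in judging how far lateral movement may have gone)."""
    hosts = set()
    for m in matches:
        for key in ("host", "src"):
            found = re.search(rf"{key}=(\S+)", m.line)
            if found:
                hosts.add(found.group(1))
    return hosts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOGS)
    for m in hits:
        print(f"line {m.line_no}: {m.ioc_type} {m.value}")
    print("hosts to investigate:", sorted(hosts_of_interest(hits)))
```

The value of the sweep is entirely in the shared indicator set: with an empty `IOCS` the same logs are silent, which is the situation the post describes when organizations keep what they see to themselves. In practice the indicator list would be pulled from a threat intelligence platform rather than hard-coded, and the sweep would run over SIEM or EDR data instead of a list of strings.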
If many, or most of the intended targets had been alerted to watch for something specific, it could have been more difficult for the hackers to gain a foothold and expand their presence in the attacked network. If enough initial resistance is mustered, it is likely the hackers may have pushed back from the table and re-evaluated the likelihood of their ability to be successful. We have to create better collective resistance to these attacks in order to make the attackers think twice and ultimately stand down. This can’t be done with tools and technology alone. Information sharing is critical to collective defense.
It’s Time to Answer the Wake-Up Call and Band Together
While the US government is doing all that it can to bring resources to this event and determine the true extent of the problem, the private sector has stepped in to fill a sizable void in the government response to date. FireEye first raised the alert on this attack and shared its findings publicly and privately. Microsoft stepped forward in defense of the U.S. and private enterprise and launched a counteroffensive on the hackers that some believe has neutralized the threat, though not in the networks where the hackers have already gained a foothold. Microsoft, working with other partners and its own substantial legal and technical capabilities, took action. Microsoft's legal team went to court and gained the court's authorization to take away one or more domains being used by the attackers to communicate between the hackers' command and control servers and the hacked networks. Microsoft, working with GoDaddy, launched a kill switch to intercept and neutralize communication between hacked networks and the hackers.
Given that new information is coming to light almost daily, I expect that we will not understand the full extent of this attack for weeks, if not months. It’s important to stay informed and to verify your information sources. Members of the CompTIA ISAO are receiving daily updates with the latest bulletins from the Department of Homeland Security, FBI, and other relevant sources. Our threat intelligence platform continues to be updated with new IoCs and other technical details allowing you or your cybersecurity partners to search the platform and verify whether or not your networks and the networks that you manage have been infiltrated.
The extent and seriousness of this attack cannot be overstated. This is the most direct wake-up call we have seen to date that we must work together if we have any hope of preventing future attacks from being as successful as this one appears to be. I call on you to join the fight and help us all fight back against these attackers. Our global economy and security depend on it.
MJ Shoer is Senior Vice President and Executive Director of the CompTIA ISAO.