
Russian Espionage Campaign: SolarWinds

The SolarWinds hacks have been described in every media outlet and news source, making this campaign perhaps the most widely reported cyber incident to date. This report provides context on the incident, including the “so-what” of the situation and actionable insights into what likely comes next.


SolarWinds is an IT management and software development company that created the Orion platform, a tool used by 400 of the Fortune 500 companies and several U.S. federal agencies. Orion advertises simplified IT management and aids users across several key categories, including storage performance, IP address tracking and management, network traffic analysis, and automated patch management to monitor IT health. SolarWinds’s Orion software boasts 33,000 customers alone, and it is estimated that 18,000 have been impacted by the breach. Following research and notification from FireEye, SolarWinds acknowledged on December 13th that Russian hackers were able to insert malware into the March update undetected.

Why Is This Significant?

Bob Gourley of OODA has tracked major cyber espionage incidents since the first real APT, Moonlight Maze in 1998. He has called this incident “the largest cyber espionage event in history, providing a gold mine of loot to the Russian intelligence services.” This scope makes it significant. It is also significant because it went on for so long undetected, even after the US government has spent so much time, energy and treasure building up defensive mechanisms. This costly cyber attack for espionage purposes will motivate change.

What Happened:

Sophisticated Russian government hackers breached Orion by inserting malicious code into an update issued in March of this year. When organizations implemented the update, they were subjected to a secret backdoor created by Russian hackers, who were then able to compromise systems and at the very least, read all email correspondence.

FireEye, a government contractor tasked with providing hardware and software to detect and prevent cyberattacks, was the first to announce that it had been breached by Russian hackers. Although the company did not initially state that Orion was to blame for the intrusion, it published a detailed report on the SolarWinds hack and was the first to suggest that Orion was the source of the intrusions. FireEye also alleged that the initial breach occurred in early March. FireEye has since confirmed to Krebs on Security that the attack on its own systems, which occurred on December 8th, was a result of the malware inserted into the Orion update.

On December 13th, the U.S. Treasury and Commerce departments also announced that their systems had been compromised by the SolarWinds espionage campaign, stating that their email communications had been exposed to a third-party group, the Russian government hackers.

On December 14th, the Department of Homeland Security declared that they were also victims of the SolarWinds hack. The same day, the DHS’s Cybersecurity and Infrastructure Security Agency released an emergency directive ordering all federal agencies to disconnect all affected Orion products from their servers to mitigate any further risks. Other impacted agencies include the US Postal Service, the Agricultural Department, and the National Institutes of Health.

The hack has nearly every federal agency and thousands of U.S. organizations on high alert, with new information disclosed every day. The Russian espionage campaign has been compared to the Chinese hack of the U.S. Office of Personnel Management, in which sophisticated hackers breached the agency and stole the records of four million individuals. This is the most high-profile espionage activity witnessed since 2015 and, given Gourley’s opinion above, may in fact be the most significant espionage-driven cyber incident in history.

The Nation Will Likely Respond:

However harmful espionage is, it is traditionally not seen as an act of war. Additionally, it can be very hard to prosecute under international law since participants have sovereign immunity. That said, a wide range of actions are available and some will be taken in response. In our view these actions should include accelerating defensive actions outlined in the Cyberspace Solarium report, including reforming the government’s structure and organization for cyberspace, strengthening norms and non-military tools, and promoting national resilience. An executive summary of the report can be found here.

The recent intrusion makes it very clear that the U.S. is far behind its adversaries in terms of counterintelligence capabilities. It also highlights the shortcomings of our current cybersecurity intelligence, such as the ability to determine the intentions of our adversaries. The most telling aspect of the espionage campaign is that it dates back to March: almost eight months passed between the initial breach of SolarWinds and its discovery. The US is clearly failing to penetrate hostile intelligence services such as Russia’s with its own espionage, including human (HUMINT) and signals (SIGINT) intelligence. Enhancing our intelligence collection is therefore a very likely outcome of this incident.

The clearest route of defensive action is also outlined in the Cyberspace Solarium report: operationalize cybersecurity collaboration with the private sector. This would require increased communication between the government and software producers to monitor and improve the ways these organizations write, manage, protect, and sign their code. The SolarWinds hack, like many others, has proved that sophisticated foreign adversaries such as the Russian GRU and SVR, as well as the Chinese Ministry of State Security, can tamper with code before it is signed and shipped for deployment in some of the most sensitive systems in the U.S.

As noted by OODA CEO Matt Devost, who has over 25 years of direct cybersecurity experience: “it remains to be seen if there are additional downstream impacts of this attack. The adversary has developed a nested supply chain attack in which the SolarWinds exploit might have compromised other entities that are widely used by organizations – e.g. exploit SolarWinds to exploit Microsoft to exploit some Defense Industrial Base application.”

What Comes Next?

Many critical cybersecurity lessons can be derived from this espionage campaign. Although not all the information has come to light, it is important both to recognize the severity of the hacks and to design a stronger cyber defense platform moving forward. All organizations using the Orion platform should maintain a high level of alert. Over the longer term, organizations should also engage in macro-level threat modeling to determine how attackers might leverage supply chain attacks against them, and actively engage in red teaming to determine their ability to detect lateral movement after a successful attack.

Staying aware of this dynamic threat is also key.

Additional reading material can be found here:

Krebs on Security: SolarWinds Hack Could Affect 18K Customers

NPR: What We Know About Russia’s Latest Alleged Hack Of The U.S. Government

FireEye: Details of Recent Cyber Attack, Actions to Protect Community

Cybersecurity and Infrastructure Security Agency: Emergency Directive to Mitigate the Compromise of SolarWinds Orion Network Management Products

Cyberspace Solarium Commission: An Executive’s Guide


Madeleine Devost

Madeleine Devost is a student at the University of Virginia where she is pursuing a double major in Foreign Affairs and Arabic language, with a minor in French. Madeleine has experience working in cybersecurity and open source investigations for a DC area cybersecurity firm and is a regular attendee at the Def Con hacker conference in Las Vegas. Madeleine has previously studied abroad in Greece and is planning to study Arabic in Morocco in the summer of 2020.