Friday, April 16, 2021

My Counterterrorism Magazine Piece On SolarWinds, The Largest And Most Sophisticated Cyber Attack Ever

Counterterrorism magazine published my piece on the SolarWinds hack, which has been called the largest and most sophisticated cyber attack ever. 

You can read the scanned pages of the piece, or the text of it, below:

SolarWinds Hack Was the Largest and Most Sophisticated Attack Ever

April 14, 2021


By Paul Davis

Back in November of 2019, Microsoft’s President Brad Smith was questioned on 60 Minutes about the SolarWinds cyber hack, which the U.S. intelligence community stated was likely committed by “an actor Russian in origin.”

“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.

On February 23rd, Florida Republican Senator Marco Rubio, the Senate Select Committee on Intelligence’s Vice Chairman, spoke at an open hearing on the SolarWinds Hack.

He thanked their witnesses from Microsoft, FireEye, SolarWinds and CrowdStrike, who appeared before the committee to discuss what has been called the largest cyber supply chain operation ever detected.

Rubio noted that the cyber operation involved the modification of the SolarWinds Orion platform, a widely used software product, to include a malicious backdoor that was downloaded by up to 18,000 SolarWinds customers between March and June 2020.

“Perhaps most insidious about the operation was that it hijacked the very security advice promulgated by computer security professionals to verify and apply patches as they are issued,” Rubio said. “There are many concerning aspects to this operation that raise significant questions.”

Rubio stated that it was his understanding that if FireEye had not investigated an anomalous event within its own network in November of 2020, it was quite possible that the hack operation would be continuing unfettered even now.

“Despite the investment that we have made in cybersecurity, collectively between the government and the private sector, no one detected this activity earlier – and this actor was within SolarWinds network since at least September 2019,” Rubio said. “Put simply, how did we miss this? What are we still missing? And what do we need to do to make sure we don’t miss it again?”

Testifying before the committee, Microsoft’s Smith stated that at this stage, they’ve seen substantial evidence that points to the Russian foreign intelligence service, and they’ve not seen any evidence that leads them anywhere else.

Speaking before the U.S. Senate’s Judiciary Committee on March 2nd, FBI Director Christopher Wray spoke about a variety of issues, including the SolarWinds hack.

“In 2020, nation-state and criminal cyber actors took advantage of people and networks made more vulnerable by the sudden shift of our personal and professional lives online due to the COVID-19 pandemic, targeting those searching for personal protective equipment, worried about stimulus checks, and conducting vaccine research,” Wray testified. “Throughout the last year, the FBI has seen a wider-than-ever range of cyber actors threaten Americans’ safety, security, and confidence in our digitally connected world. Cyber-criminal syndicates and nation-states keep innovating ways to compromise our networks and maximize the reach and impact of their operations, such as by selling malware as a service or by targeting vendors as a way to access scores of victims by hacking just one provider.”

Wray stated that the criminals and nation-states believe they can compromise U.S. networks, steal U.S. property, and hold U.S. critical infrastructure at risk without incurring any risk to themselves.

“In the last year alone, we have seen, and have publicly called out, China, North Korea, and Russia for using cyber operations to target U.S. COVID-19 vaccines and research,” Wray said. “We have seen the far-reaching disruptive impact a serious supply-chain compromise can have through the SolarWinds intrusions, which we believe was conducted by an Advanced Persistent Threat actor, likely Russian in origin.”

“We have seen China working to obtain controlled defense technology and developing the ability to use cyber means to complement any future real-world conflict. We have seen Iran use cyber means to try to sow divisions and undermine our elections, targeting voters before the November election and threatening election officials after.”

Wray said they have to make it harder and more painful for hackers and criminals, which is why he announced the new FBI cyber strategy last year, using the FBI’s role as the lead federal agency with law enforcement and intelligence responsibilities to not only pursue FBI actions, but to work seamlessly with the FBI’s domestic and international partners to defend their networks, attribute malicious activity, sanction bad behavior, and take the fight to adversaries overseas.

“We must impose consequences on cyber adversaries and use our collective law enforcement and intelligence capabilities to do so through joint and enabled operations sequenced for maximum impact,” Wray said. “And we must continue to work with the Department of State and other key agencies to ensure that our foreign partners are able and willing to cooperate in our efforts to bring the perpetrators of cybercrime to justice.”

But, Wray noted, the government needs the private sector to do its part as well.

“We need the private sector to come forward to warn us—and warn us quickly—when they see malicious activity. We also need the private sector to work with us when we warn them that they are being targeted. The SolarWinds example only emphasizes what I have been saying for a long time: The government cannot protect against cyber threats on its own. We need a whole-of-society approach that matches the scope of the danger. There is really no other option for defending a country where nearly all of our critical infrastructure, personal data, intellectual property, and network infrastructure sits in private hands.”


On January 5, 2021, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint statement:
“On behalf of President Trump, the National Security Council staff has stood up a task force construct known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, to coordinate the investigation and remediation of this significant cyber incident involving federal government networks. The UCG is still working to understand the scope of the incident but has the following updates on its investigative and mitigation efforts.

This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.

The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.

This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners have been working non-stop. These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.

As the lead agency for threat response, the FBI’s investigation is presently focused on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense.

As the lead for asset response, CISA is focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation. CISA has also created a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA directed the rapid disconnect or power-down of affected SolarWinds Orion products from federal networks. 

CISA also issued a technical alert providing technical details and mitigation strategies to help network defenders take immediate action. CISA will continue to share any known details as they become available.

As the lead for intelligence support and related activities, ODNI is coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive United States Government mitigation and response activities. Further, as part of its information-sharing mission, ODNI is providing situational awareness for key stakeholders and coordinating intelligence collection activities to address knowledge gaps.

Lastly, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners. NSA’s engagement with both the UCG and industry partners is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.

The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected. Additional information, including indicators of compromise, will be made public as they become available.”


Paul Davis, a regular contributor to the Journal, writes the IACSP online Threatcon column.
