By Felipe Ruiz | February 22, 2021
Almost exactly one month ago, I wrote a post reporting on the SolarWinds security fiasco when they received a supply chain attack apparently performed by Russians. (If by any chance you don’t know about this case, I recommend you start with that post.) It was early last year when one SolarWinds Orion software update was infected with malware, and thousands of corporate customers and several U.S. federal agencies installed it on their systems. It took nine months or so for a cybersecurity company (FireEye; among the victims) to realize that 'Russian spies' were already inside and that they were skulking around, paying attention to organizational processes and collecting private information.
Kevin Mandia, CEO of FireEye, recently explained to CBS News' 60 Minutes how everything started when a staff member noticed that something was wrong. Apparently, in the middle of their two-factor authentication process, one of the employees displayed two phones registered in his name when there usually is only one. "Suspicious, FireEye turned its gaze inward and saw intruders impersonating its employees snooping around inside their network," according to CBS. They triggered the alarms from that internal investigation, especially when they discovered that the entry point could be the popular SolarWinds Orion software.
How did the attackers experience these FireEye alarms after so long? Even more curious, how much time would it have taken for U.S. federal agencies to discover this invasion if FireEye had not detected it? These are questions for which we have no answers. It is worth recalling that the affected agencies include the U.S. departments of Treasury, Commerce, State, and Justice, as well as the National Nuclear Security Administration and even the Pentagon. A tremendous amount of a nation’s critical data is what a group of 'Russian cyber soldiers' could and possibly still can access.
"Spies," "soldiers," these are not words I’m choosing on the spur of the moment. Media such as the one I’m using as a reference in this particular case (i.e., CBS News) already make mention of a "cyber war between the United States and Russia." Since the first reports on this event, experts have spoken of a highly sophisticated and unprecedented attack. (To me, this is one of the main clues that seem to lead many to conjecture that this is a government-sponsored assault.) Apart from expressing his astonishment at what has happened, Brad Smith, president of Microsoft (another affected firm), declared that more than 1,000 Russian cyberattackers must be involved according to his company’s investigations. No doubt, by suggesting that number, he lends weight to the idea that this means war.
A Russian intelligence agency is allegedly implicated in all of this. Perhaps it is the same agency credited with developing a similar tactic against multiple systems and networks in Ukraine in 2017, using the malware known as NotPetya. (Or maybe it is another one called SVR.) The big difference was that on that occasion, GRU, this military agency, did not limit its activities to espionage but led lots of devices to self-destruction. As Brad Smith said, "It literally damaged more than 10% of that nation’s computers in a single day." Now the questions are: will this U.S.-focused SolarWinds supply chain attack transcend to involve more than espionage? What implications may arise from the collection of mostly political and military data by the Russians? 'Nobody' knows.
Jon Miller, Founder and CEO of Boldend, referred to this case as a "watershed style attack" with which Russia has made us doubt the security of any software we use in our daily routine. For Miller, this malware deployed in a chain from SolarWinds could easily be modified by its creators to go beyond its current function and lead to the destruction of devices in networks.
Chris Inglis is a member of the U.S. Cyberspace Solarium Commission, an intergovernmental body dedicated to devising defense strategies for the country against cyberattacks. Given the current state of affairs, he is among those who assume that in order for everyone to get rid of this infection entirely, they would have to get rid of all the hardware and software involved. (That reminds me of Vaughan-Nichols’s words.) Inglis recognized that the U.S. has a significant problem with the absence of a common defense line for private enterprise and government. And he suggested a greater collaboration between these parties for the identification and treatment of cyber threats.
In the meantime, this incident is still ongoing, with new breached companies joining the victims. In line with what Miller said, this is one case where you discover the surreptitious attack, but even so, it doesn’t stop. Perhaps it is so because the U.S. is not completely sure who the attackers are. However, Miller believes that the government will succeed in identifying them, but still, as on other occasions, will not arrest them and will only deny them entrance to the U.S. For him, the nation needs to define limits that force it to respond with attacks if its rivals overstep them. It seems that the United States has no offensive action, does not intimidate, and therefore receives and receives attacks in cyberspace.
James A. Lewis, Director at the Center for Strategic and International Studies, expects the Biden administration to bring with it an offensive strategy in which the U.S. finally responds to countries such as Russia and China. While accepting it as risky with the possibility of generating a major conflict, he acknowledged it as a priority to begin experimenting with cyberattacks against the Russians. Lewis even listed trying to interfere with their media and financial activities as alternatives. "The goal is to make them afraid," he said. It would be an essential step —following Lewis— to get the U.S. out of the current mess and to avoid further complications of this nature.
I’d like to know what Russians think when they read such suggestions in the media. Where might a United States counterattack lead us? How would the Russians react? Could a cyberwar consolidate as the bedrock of a new catastrophic human confrontation with destructive weapons? Am I going overboard with my inquiries?
What do you think? Is it time for the U.S. to strike back?
Corporate member of The OWASP Foundation