This brief is going to be “just the facts” about the SolarWinds debacle. At least one essay with more in-depth analysis will follow.
SolarWinds Timeline
19 Nov 2019: Vinoth Kumar notifies SolarWinds that their repository is vulnerable
Mar 2020: A highly capable APT adds a back-door to SolarWinds software
Apr 2020: SolarWinds pushes an update with the vulnerability to consumers
08 Dec 2020: FireEye discovers malicious actors have accessed their data, begins investigating
13 Dec 2020: SolarWinds announces the vulnerability in their systems
14 Dec 2020: SolarWinds files report with the SEC
16 Dec 2020: FBI, CISA, ODNI issue joint statement warning of attacks
17 Dec 2020: CISA issues CERT alert warning of widespread vulnerability
SolarWinds Exposes "Business Intelligence"
Enormous swaths of the US government and companies around the world have had their information exposed, but—despite serious concerns—exposed information so far seems to mostly be operational, not security-related. SolarWinds software collects “business intelligence” (BI) to help organizations operate better. BI has access to a lot of “process” information, like emails and supply chain data, but not national security secrets. Available information supports the idea that Sunburst is primarily a BI leak, since the affected organizations have enormous supply chain requirements, but do not seem to have lost national security information.
BI is still a huge problem, for different reasons. An adversary can use the same information an organization uses to improve its operations to impair those operations instead. Aggregating seemingly unimportant data can reveal vital information, which is the reason businesses collect BI on themselves. We also don’t yet know what else the attackers did with their access.
The Russians are (Probably) Responsible
None of the official reports yet name Russia as a culprit, but several government leaders have named Russia as responsible. It seems likely that investigators already know with high certainty who is responsible, but have not officially announced it for strategic reasons. The Sunburst code phones home, or contacts its controller, allowing investigators to trace that contact to its source. Investigators and cybersecurity professionals probably do not want to reveal any threat mitigation efforts until the threat is fixed, and so are not releasing information at this time.
Russia is certainly capable of such attacks. Although FireEye discovered the vulnerability, there were sophisticated layers of counter-detection measures built into the code, which only a long-term adversary could or would do. Speculation has centered on Cozy Bear, the APT believed to be operated by the GRU, or Russia’s military intelligence. Cozy Bear was one of the APTs that breached the DNC email server in 2016 and is among the more capable APTs operating.
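The brief notes that the Sunburst code “phones home” to its controller, and that this contact is what investigators trace. From the defender’s side, the first step is spotting that check-in traffic in logs the organization already keeps. The script below is an added example, not code from the original brief or from any vendor: it parses a few constructed proxy log lines (the log format, host names, and thresholds are all assumptions for the example) and flags source/destination pairs whose contacts are evenly spaced, the signature of an implant checking in on a timer.

```python
"""Beacon-interval detection over constructed proxy log lines.

Added example: flag (source, destination) pairs whose contacts recur at a
regular interval, which is how timer-driven "phone home" traffic looks in
proxy or DNS logs. Log format, hostnames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <source host> <destination host>".
# ws-17 contacts updates.example-vendor.test every 30 minutes (regular) and
# mail.example.test at irregular, human-driven times.
SAMPLE_LOG = """\
2020-12-08T01:00:00 ws-17 updates.example-vendor.test
2020-12-08T01:00:00 ws-17 mail.example.test
2020-12-08T01:30:00 ws-17 updates.example-vendor.test
2020-12-08T02:00:00 ws-17 updates.example-vendor.test
2020-12-08T02:30:00 ws-17 updates.example-vendor.test
2020-12-08T03:00:00 ws-17 updates.example-vendor.test
2020-12-08T01:07:00 ws-17 mail.example.test
2020-12-08T01:52:00 ws-17 mail.example.test
2020-12-08T03:41:00 ws-17 mail.example.test
2020-12-08T04:09:00 ws-17 mail.example.test
2020-12-08T01:00:00 ws-03 news.example.test
"""


def parse_log(text):
    """Group contact timestamps by (source, destination) pair."""
    contacts = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        contacts[(src, dst)].append(datetime.fromisoformat(ts))
    return contacts


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) or None.

    The coefficient of variation (std dev / mean) is near zero when the gaps
    are all the same length, i.e. when the contacts run on a timer.
    """
    times = sorted(timestamps)
    if len(times) < 4:
        return None  # too few contacts to judge regularity
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return None  # all contacts at the same instant; not a beacon pattern
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_contacts=4, max_cv=0.2):
    """Return the pairs whose contact gaps are regular enough to look like beacons."""
    hits = []
    for (src, dst), times in parse_log(text).items():
        stats = interval_stats(times)
        if stats is None:
            continue
        avg, cv = stats
        if len(times) >= min_contacts and cv <= max_cv:
            hits.append({"src": src, "dst": dst,
                         "interval_s": avg, "contacts": len(times)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: "
              f"{hit['contacts']} contacts every {hit['interval_s']:.0f}s")
```

On the constructed sample only the 30-minute contacts to updates.example-vendor.test are flagged; the mail traffic is too irregular, and ws-03 has too few contacts to judge. In practice the destination reported here is the lead that investigators then follow to its source, and a real implant may add jitter or long dormancy, so the variation threshold and minimum contact count should be tuned against the organization’s own baseline rather than taken from this example.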
Noteworthy
How to Increase Your Security Posture with Fewer Resources by Jett
Could Universities’ Use of Surveillance Software Be Putting Students at Risk? by Sabino
How to avoid seven types of tweets and posts that can get you jailed or fired? by Lobo
The Future of Cyberconflicts by Kwiatkowski
Why the Weakest Links Matter by Caudill
Why Backups Aren’t Enough by Moiseev
David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at dbenson@osiriscodex.com.