OSIRIS Brief 0.25.0

SolarWinds is a Russian Strategic operation; COVID-19 hacking includes misinformation.

Download the Brief as a PDF

More Evidence SolarWinds Was a Targeted Russian Attack

CrowdStrike has released a report explaining how the SolarWinds attack unfolded and offering additional evidence the attack was not random. The threat actor had access to the source code repository for several months and deployed SUNBURST during that time. SUNBURST was just the first step in the attack. The attackers later followed up the initial attack with the Teardrop malware, only attacking specific victims. The two-step process implies that the attacker decided which targets to attack twice.

Russian cybersecurity company Kaspersky has identified Russian APT Cozy Bear as most likely responsible for the SolarWinds hack. CozyBear is associated with the GRU, a military intelligence organization, and has been involved in several high profile attacks in the past. Kaspersky is bravely taking a risk by fingering a Russian organization as responsible, especially since CrowdStrike has not yet identified a likely culprit.

A new website, SolarLeaks(.)com, claims to leak information for SolarWinds victims and also offers some evidence that Russia is responsible for the SolarWinds attacks. The website was identified within twenty-four hours of being set up and was established using the NJALLA registry. NJALLA is a registry commonly used by Cozy Bear and Fancy Bear.

Hackers Leak Corrupted COVID-19 Vaccine Info

Hackers released data stolen from the European Medical Agency about Pfizer and BioNTech’s COVID-19 vaccine. The information had been altered apparently as part of a disinformation campaign. COVID-19 vaccine developers have been a target since the spring, hackers have stepped up attacks in the past months.

No documents identify who was responsible for the attacks on the EMA, but Russia, China, and North Korea are likely suspects. All three governments possess ample capability. Russian and North Korean attacks on COVID-19 vaccine research are well documented. Releasing information, especially misinformation, is a different modus operandi than seen so far. China might have conducted the attack and leak to draw attention away from the revelation that the Chinese Sinova was found barely effective enough to use in Brazil.

Parler's Woes Continue

After Amazon, Google, and Apple essentially killed Parler, several people began scraping Parler information for archiving. While billed as a hack in some outlets, at least in one instance the person responsible claims to only have collected publicly available information. Parler lost identity verification support from Okla, making it easy to set up multiple accounts.

Archiving Parler’s data is likely an “edge case” for legality and hacktivism, that will serve to clarify where boundaries and ethics lie. There is potentially a public interest in having Parler’s content archived, but third parties collecting information could constitute end-runs by law-enforcement around constitutional protections. If the archivists accurately represent their information collection as scraping, at worst they may have violated terms of service and should not face criminal charges. If some groups breached Parler’s security, even with good intentions, they should be subject to legal sanctions.


David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at dbenson@osiriscodex.com.

To get more insightful analysis like this in your inbox at no cost please subscribe.

Share this Brief with someone who might appreciate it.

Share The OSIRIS Codex

Ask a question! Raise an objection! Leave a comment!

Leave a comment