SolarWinds and Sunburst pt. 2

BLUF: The Russians probably hacked SolarWinds to hurt American power development, and the hack is not equivalent to nuclear-armed overflights (or other similarly provocative actions).


Hopefully, cybersecurity professionals already have their Christmas shopping done because, with the fallout from the SolarWinds hack, there will be little time for last-minute shopping. As long as the chips keep falling in the real world from the SolarWinds hack, I’ll keep writing to explain what is going on. In this essay, as with OSIRIS Essay 0.21.1, there will be more of a series of explanations, rather than an essay with a single argument. If you want to read a quick summary of “just the facts” that we know about the SolarWinds hack, check out OSIRIS Brief 0.21.0.

In today’s essay, I must deviate a little from a “just the facts” approach so I can offer some meaningful explanations. I will, however, let you know when I inject my own suppositions. Based upon publicly available information, we can be reasonably certain that the Russians created Sunburst, and injected it into SolarWinds’ code. We can infer Russia’s political intentions because the SolarWinds hack was probably not a “crime of opportunity.” As bad as the SolarWinds hack is, we should temper our responses in light of what we already know.

The Russians Are Probably Responsible

Several US government officials have claimed that Russia is responsible for Sunburst, but so far none of the official documents have identified Russia. Some outlets are even identifying Cozy Bear as the responsible organization, or APT. I find the declarations from the Secretary of State compelling, and Cozy Bear or some other Russian APT are likely candidates. It is likely that in the future the US Government, or one of the other investigating organizations like FireEye or Microsoft, will publicize their data. Until investigations are complete, I’ll hedge and say Russia was probably responsible, but not because there are other better candidates.

We will know who is responsible for Sunburst because Sunburst sent information to its creators. Sunburst, the malicious code underlying the SolarWinds hack, sent information to a specific web address for collection: avsvmcloud[.]com. Microsoft, FireEye, and GoDaddy (yes, the one with the racy commercials) collaborated to neutralize that web address, and stop further data theft. Because the malware is sending information somewhere, investigators will almost assuredly be able to trace where it went.
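Added example, not part of the essay: assuming DNS resolver logs in a constructed `client=… qname=…` format, this Python script flags every host that looked up the collection domain named above, or any subdomain of it, which is the check a defender runs to find machines that were beaconing to that address.

```python
import re

# The collection domain from the essay, written defanged ("[.]") as analysts do.
C2_DOMAIN_DEFANGED = "avsvmcloud[.]com"

# Constructed resolver-log format (an assumption, not a real product's format).
LOG_RE = re.compile(r"client=(?P<client>\S+)\s+qname=(?P<qname>\S+)")


def refang(indicator: str) -> str:
    """Turn defanged notation such as 'example[.]com' into a plain hostname."""
    return indicator.replace("[.]", ".").lower().strip(".")


def is_c2_lookup(qname: str, c2_domain: str = refang(C2_DOMAIN_DEFANGED)) -> bool:
    """True if qname is the collection domain itself or a subdomain of it.

    Matching is case-insensitive and ignores a trailing dot. A bare string
    suffix test would wrongly match 'notavsvmcloud.com' and
    'avsvmcloud.com.example.net', so we require a label boundary.
    """
    name = qname.lower().rstrip(".")
    return name == c2_domain or name.endswith("." + c2_domain)


def find_c2_clients(log_lines):
    """Map each client address to the suspicious names it queried."""
    hits = {}
    for line in log_lines:
        match = LOG_RE.search(line)
        if match is None:
            continue  # malformed or unrelated line; skip, do not crash
        if is_c2_lookup(match["qname"]):
            hits.setdefault(match["client"], []).append(match["qname"])
    return hits


# Constructed sample log: one beaconing host, two look-alike names, one junk line.
SAMPLE_LOG = [
    "2020-12-14T09:01:22Z client=10.20.30.40 qname=k3r4.avsvmcloud.com qtype=A",
    "2020-12-14T09:01:25Z client=10.20.30.41 qname=www.example.com qtype=A",
    "2020-12-14T09:02:07Z client=10.20.30.40 qname=AVSVMCLOUD.COM. qtype=A",
    "2020-12-14T09:03:11Z client=10.20.30.42 qname=avsvmcloud.com.example.net qtype=A",
    "2020-12-14T09:04:00Z client=10.20.30.43 qname=notavsvmcloud.com qtype=A",
    "malformed line with no fields",
]

if __name__ == "__main__":
    for client, names in find_c2_clients(SAMPLE_LOG).items():
        print(f"{client} queried the collection domain: {', '.join(names)}")
```

In practice the same function runs over the resolver's real query log, and any client it reports is a host to isolate and examine.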

Russia currently denies responsibility for Sunburst, but those denials rely on obfuscation that is unlikely to withstand scrutiny from investigators. Pres. Trump has also leveraged public naïveté about cybersecurity to argue China was behind the hacks. China has many organizations capable of a sophisticated cyberattack, but it seems likely that, if China were involved, investigators would already have seen some evidence of it (granted, I do not have access to what investigators are seeing).

The SolarWinds Hack is Neither Accidental Nor Intended to Create Immediate Political Effects

It is often tempting to infer an attacker’s intent from their chosen targets, and in this case, such conclusions are warranted. In many cases attack targets are simply “targets of opportunity” that presented themselves. Many real-world terrorist attacks and criminal cyberattacks hit whatever is easiest, which means that defensive posture determines attacks more than the attacker’s intent. When using generically applicable tools like a bomb or brute-force password crackers, one target is as good as another. Sunburst is not a generic tool that could be applied anywhere, so target choice implies strategic reasoning.

Finding an access point to SolarWinds’ code would not have happened by accident, and Sunburst was too customized to be just a “drive-by” attack. OSIRIS Essay 0.21.1 explained how injecting the code might have been easy because of negligence, because apparently at one point SolarWinds’ password was “SolarWinds123”. Even if the weak password was the vector to inject Sunburst into SolarWinds’ code, the attackers had to be looking for a way to inject a trojan in the first place. Furthermore, Sunburst is a sophisticated and purpose-built trojan, which means that the attacker had to invest substantial, and limited, time and resources in the attack. Consequently, it is reasonable to conclude that the attackers deliberately chose, most likely at several points, to attack SolarWinds.

The SolarWinds hack is consistent with my theory’s predictions, and I assess the SolarWinds hack was intended to shift the international balance of power in Russia’s favor. SolarWinds’ software works to improve corporate and government operations. It is possible attacking SolarWinds might yield intelligence useful in military or political situations, at least until discovered. The SolarWinds attack itself degrades the ability of all of SolarWinds’ customers to operate at peak capacity, even if the attack stole no useful information whatsoever. SolarWinds customers will now spend billions of dollars and thousands of hours to fix the security loophole, all while losing the efficiency gains SolarWinds’ software was supposed to provide. Hobbling American government and western companies will reduce Russia’s adversaries’ ability to oppose Russian policy internationally. If stealing valuable information were the only objective, Sunburst was a risky and costly bet which may or may not have paid off. However, if shifting the balance of power in Russia’s favor was the objective, Sunburst was guaranteed to succeed from the moment it was embedded in SolarWinds’ code.

Sunburst Is Not Like A Military Operation, Nor an Act of War

After every major attack, you can bet money talking heads of every kind will emerge arguing the attack is an act of war, but the SolarWinds hack is not, or at least should not be, treated as a casus belli. First, there is no list of “acts of war” which automatically start wars. Governments decide to go to war or not for whatever reason they want. In 1898, Spain didn’t sink the USS Maine, and the US went to war; only 17 years later, Germany did sink the RMS Lusitania (with many Americans aboard) and the US did not go to war. The US might retaliate militarily against Russia, but it would be unwise. However bad the SolarWinds hack is, and whatever bad outcomes may result, starting a war will be worse.

Sen. Romney, not normally one for histrionics, illustrates the problem with the false equivalence of war with this cyberattack by saying it was like ‘Russian bombers repeatedly flying undetected over our country’. As much as I admire Sen. Romney, he is demonstrably wrong (and not just because the archaic Tu-95 is a propeller plane). If Russia were flying bombers over the US for months we might not know why, but we would know for certain that at any point Russia could start dropping bombs. We would not have to guess at those bombs’ destructive power or our ability to respond, either. The only indication the SolarWinds hack was even in spitting distance of that level of threat was the revelation that Sunburst had breached a nuclear agency. So far it seems that the only information accessed had nothing to do with nuclear weapons, per se.[1]

The risks of exaggeration about cyberattacks are severe if taken to their logical conclusion. If Russian bombers were daily overhead, the correct policy response would be to alert nuclear forces, send carriers to sea, put SSBNs on station, and start nuclear-armed air patrols. The US nuclear triad is robust, and no matter how many bombs Russia drops on the US, we can retaliate, but if Russia got into the habit of slipping bombers past our defenses, they might be tempted. We should move to deter any such temptations. Thankfully, we have not gone on nuclear alert because of Sunburst, nor should we, because Sen. Romney is wrong, albeit wrong for understandable reasons.

We Need to Respond Carefully

I can’t blame Sen. Romney or even the people who call every cyberattack “Cyber Pearl Harbor,” because they are trying to get the country to take cyberattacks more seriously. As with all strategies, there is a smart way to respond, and a way that makes the situation worse. It bears remembering that even after the original Pearl Harbor, the main focus of the US war effort until after VE-Day was Europe, not Japan. Roosevelt and Churchill correctly assessed that Germany was the greater threat, and the allies devised their strategy accordingly.

As with the last essay, there are many things we do not yet know, and there will likely be new lessons we will learn, but there remain some standing principles which the SolarWinds hack reinforces. Most importantly, cybersecurity is a national security issue, and it is not always obvious whose cybersecurity is going to matter. I work for the US government, and I had never heard of SolarWinds until they got hacked. Their software is all over US government computers (although thankfully not my computer). There are many such weaknesses throughout computer systems, and closing existing security holes while preventing the emergence of new vulnerabilities needs to be a priority.

This is likely to be the last essay this week, because of the holidays. Next week, I will revisit this issue, probably with substantially updated information. I will also explain why the SolarWinds hack shouldn’t draw into question the 2020 election results. I hope enough information will be publicly available to assess how personnel issues like firing Christopher Krebs and staffing at the Cybersecurity and Infrastructure Security Agency (CISA) have affected US defenses. Please subscribe to the newsletter so you don’t miss any updates.

[1] Nuclear Command and Control (C2) operates on a completely different system from the kinds of systems SolarWinds accessed and is therefore unlikely to be vulnerable to this kind of attack.

David Benson is a Professor of Strategy and National Security focusing on cyberstrategy and international relations. You can reach him at
