Attribution, global politics and the SolarWinds hack

I had initially wanted to stay away from this topic, but a friend recently asked me a question:

Chris, would appreciate your assessment of the Solar Winds “cyberattack.” Especially this: no matter how widespread the result, isn’t this really about the hack of a particular piece of software belonging to one company?

This article is a cleaned-up version of the response I posted to him on Facebook, with the caveat (as I gave him) that DFIR/digital forensics, intrusion detection and attribution are not things I’m particularly skilled in.

Who Is SolarWinds?

SolarWinds sells network monitoring and security software to 300,000 customers in both the private and public sector. Its Orion product suite gives system administrators a single place to check on the performance of their networks and servers, look for security issues, monitor inventory and more. None of this is out of the ordinary. At a certain scale, and certainly at the enterprise level, every organization needs a high-level view of its entire infrastructure so it can monitor performance and security.

December’s timeline

Earlier this month, cybersecurity firm FireEye disclosed that an attack on its services had stolen some of its “red team” software. Red teams are groups that perform offensive actions – attacks – on their targets. (Blue teams are defensive in nature.) FireEye brought the attack to the attention of the NSA and attributed the cause to an issue with SolarWinds software. This attack was initially thought to be directed only at FireEye.

Over the course of the next week, the Department of Homeland Security, Department of Commerce, Treasury Department and other U.S. government organizations announced that they had been targets of the same attack. The NSA and FireEye linked these intrusions to the same campaign that had hit FireEye itself.

A complex series of events

From what we know now, the attack started in 2019. Malware was implanted into the Orion product suite. Unlike a lot of other attacks, it didn’t target a bug in Orion itself but rather bugs in other products from Microsoft and VMware in order to get to SolarWinds’ build system. A build system is a series of software programs that take source code written by programmers and perform a series of steps: compiling the code into an application, running other automated steps, preparing it for public release and more. This is commonly known as a supply chain attack: instead of adding the malicious code or a backdoor to the source code itself, where it might have been more easily noticed, the attackers inserted their malware during the build, so it appeared only in the published application.
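The following is an added illustration, not code from the article or from SolarWinds: a toy deterministic "build" packs a constructed source tree into a zip, a second function models a build system that injects an extra file without touching the source, and a verifier catches the difference by rebuilding from source and comparing digests. All file names and contents are made up for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample source tree: path -> file contents.
SOURCE = {
    "orion/__init__.py": b"",
    "orion/monitor.py": b"def collect():\n    return 'metrics'\n",
}

def build(source: dict) -> bytes:
    """Deterministic build: pack sources into a zip with fixed metadata so the
    same inputs always yield byte-identical output (a reproducible build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(source):            # fixed ordering
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, source[name])
    return buf.getvalue()

def digest(artifact: bytes) -> str:
    """SHA-256 of a build artifact, the value a release manifest would record."""
    return hashlib.sha256(artifact).hexdigest()

def simulate_compromised_build(source: dict) -> bytes:
    """Models the attack described above: the source repository is untouched,
    but the build system adds a file that only exists in the shipped artifact."""
    implanted = dict(source)
    implanted["orion/telemetry.py"] = b"# constructed stand-in for an implant\n"
    return build(implanted)

def verify_release(published: bytes, source: dict) -> bool:
    """Defender's check: rebuild from audited source on an independent machine
    and compare digests. Reviewing the source alone would not catch the implant."""
    return digest(build(source)) == digest(published)

def unexpected_members(published: bytes, source: dict) -> set:
    """Names the artifact contains that have no counterpart in the source tree."""
    with zipfile.ZipFile(io.BytesIO(published)) as zf:
        return set(zf.namelist()) - set(source)
```

In practice the independent rebuild must use the same pinned toolchain as the official build; otherwise digest mismatches are noise rather than a signal.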

A long history of US cyberattacks

In response to the initial question: is it really about one particular piece of software? Kind of. But supply chain attacks aren’t new, and neither are offensive cyber campaigns. Instead of sending an agent to blow up a pipeline as an act of industrial sabotage, a state can release code. In at least one instance there has been physical damage: the US/Israeli virus called Stuxnet attacked Iranian centrifuges at Natanz, destroying many of them.

There’s also a belief that the power outage in Venezuela at the start of the 2019 coup was a result of US offensive cyber attacks, but that hasn’t been proven.

In 2017, the NotPetya ransomware attacked the shipping industry, hospitals and other institutions across the world. It started with the breach of tax software used in Ukraine. To infect and spread, NotPetya used something called EternalBlue, an exploit developed by the NSA that was part of a toolkit later stolen and leaked from the agency.

The problem of attribution and geopolitics

On to the next important question. Who did it?

Attribution is hard. You can’t just look at what networks the attackers used – they likely covered their tracks. Nor can you rely on the language in the source code: the CIA’s Vault leaks showed the agency has sophisticated tools to make its own offensive weapons appear attributable to others. DFIR (digital forensics and incident response) is a complex and difficult discipline.

Russian government agencies are getting the blame for the SolarWinds attack. Did they do it? Maybe, maybe not. Fingers were first pointed at APT29, aka CozyBear. APT stands for Advanced Persistent Threat, and CozyBear is just a name given by the intelligence community to APT29. The group is speculated to have connections to the Russian SVR and possibly the GRU. Trump later pointed to China, again with no proof or supporting evidence.

The problem is, no proof has been offered. FireEye and Microsoft have not confirmed any attribution. Various US government sources have said the attack was almost definitely Russian in origin, but have not provided evidence.

It’s politically convenient to blame Russia, as the Washington Post and New York Times did. It’s also too simplistic an analysis to rule them out. Pretty much every country has – and has a right to – offensive and defensive weapons, especially those under attack by the US government. We do know that the US already carries out espionage and attacks against Russia. In 2018, the Dutch security agency AIVD worked with the US to attack Russia’s SVR. This, of course, was promoted as a justified attack in Western media.

Beware the war path

Whether or not the Russian government itself was behind the attack, the context of the US attempting to contain both Russian and Chinese independence must be taken into consideration when reading non-technical analysis.