Oliver Tavakoli, CTO of Vectra AI, discusses the massive supply-chain hack’s legacy and ramifications for security professionals.
The SolarWinds hack may rank among the worst ever in terms of ambition and likely damage. But those probing the wreckage for signs of some audacious, revolutionary new cyberwar strategy are coming up disappointed. We’re seeing tried and true ordnance used against us. The twin shocks we must now assess are the unprecedented scope of the assault – and that we got hit so hard with such recognizable weaponry.
The SolarWinds hack was a “supply-chain” attack on approximately 18,000 purchasers of the company’s Orion software. Two things make it particularly bad. One, Orion clients include numerous large enterprises and U.S. government agencies. Two, Orion is an “infrastructure monitoring and management” tool. It is well-placed within target networks to reach pretty much any other asset, making it an ideal base camp for an attacker to pursue many goals.
But other factors are disturbingly familiar. This attack is attributed to a group which Mitre, the nonprofit research organization, has dubbed APT29. You may know APT29 by another name: Cozy Bear. Cozy Bear is also blamed for hacking the Democratic National Committee in 2015. It’s believed to be connected to the Russian Foreign Intelligence Service (a.k.a. SVR), which generally collects information, while the GRU, the Russian Military Intelligence Service, weaponizes it. While APT29 tends to cycle through the offensive tools it uses at any given time, much of its arsenal is not new. The SolarWinds hack involved the use of Cobalt Strike BEACON for the backdoor – Cobalt Strike is a framework used by red teams for adversary-attack simulation and is well-known to all threat researchers.
Given this background, it’s worth asking how much is truly different about the SolarWinds hack, and how much is simply an escalation of known cyber-espionage techniques, and a relatively moderate one at that.
Whether a malefactor uses reverse-engineering to discover an exploitable zero-day backdoor in enterprise software or launches an attack to embed such a backdoor, as has happened with SolarWinds, the damage is calculated roughly the same way. Would we feel differently if the SolarWinds Orion platform had had a zero-day vulnerability all along? Numerous nation-states, the United States included, have probed opponents’ software for zero-day vulnerabilities for years.
In either case – a hypothetical zero-day flaw or this real supply-chain hack – some 18,000 organizations were left wondering how much remediation they must do to establish that some offshore adversary isn’t camping out on their network.
Either scenario is messy and expensive. No affected organization could be fully certain of finding and evicting such an adversary. And, at least in the SolarWinds case, most of the affected organizations were probably never in Cozy Bear’s crosshairs anyway.
Some truths of cyber-conflict seem eternal. We’ve been saying for at least a decade that the rules are continuously shifting, and we all suffer from the absence in this sphere of norms, conventions and “red lines.” Certainly taking out a country’s power grid via a cyberattack would be considered crossing the red line. But while we have the Geneva Conventions, the Chemical Weapons Convention and other rules for kinetic conflict, it has always been difficult to draw similar constraints around espionage or information-gathering.
But now, the stakes are higher than ever. The SolarWinds hack is no run-of-the-mill credential theft. It’s an assault on critical national infrastructure, and probably, given its success, a harbinger of sequel attacks to come.
Where does this leave us? We have to become much more formidable defenders. We need to get better defenses in place, since good posture and controls reduce available attack surfaces and help contain possible conflicts. We need to become better at detecting things which have gone awry in our environments and responding early in the attack lifecycle – while there is still a reasonable chance of minimizing damage. This will take better tools, more imaginative processes and a cadre of well-trained professionals.
The sobering thing is, this isn’t new advice. Just as the SolarWinds attacks were executed with well-understood tools, the best-known strategic remedies are familiar too. With the implications of this attack being so broad and alarming, this may be the moment government and businesses alike finally give the remedies the priority they deserve – and take the lessons of SolarWinds to heart.
Oliver Tavakoli is CTO of Vectra AI, a San Jose, Calif.-based cybersecurity company.