The two months since the first public disclosures of the compromise of SolarWinds, FireEye, Microsoft, and many other organizations by a high-level attack group have produced a fair bit of rhetoric, doomsaying, and dark pronouncements about the state of cybersecurity in the United States and what the future may hold. But they may ultimately produce something positive, too, if the executives and lawmakers at a Senate committee hearing held Tuesday follow through on their expressed desire for better confidential incident notification between the private sector and government agencies.
The attack campaign that targeted SolarWinds and a long list of other victims began as early as March 2020, but it was only discovered and revealed many months later, when internal investigators at FireEye were looking into a breach of the company’s own network and traced it back to a SolarWinds Orion server in the environment. The FireEye team eventually discovered that the attackers had stolen some of the company’s proprietary red team tools, which the company disclosed, and also found the Sunburst backdoor that the attackers had inserted into a SolarWinds Orion DLL. FireEye’s team later detected the same Sunburst activity in a number of organizations around the world, which it notified. This led to the Dec. 13 disclosure of the SolarWinds compromise and, subsequently, to the discovery of related intrusions at Microsoft, several government agencies, and other private enterprises. If FireEye analysts had not noticed a strange device being registered for 2FA on an employee account, the observation that eventually led to the discovery of the backdoor and the unraveling of the campaign, it might still be going on.
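The thread FireEye pulled on was an unexpected second MFA device appearing on an existing account. The following added example, which is not code from the article, from FireEye, or from any vendor, shows the shape of a detection that would surface that signal: it replays constructed identity-provider events (the JSON field names, the per-user baseline of known device IDs, and the sample log lines are all assumptions made for the example) and raises an alert when a user enrolls an MFA device that is not in their baseline, escalating the alert if that device is then used for a successful login.

```python
"""Flag MFA device enrollments that do not match a user's known devices.

Added illustration. The log format, field names, KNOWN_DEVICES baseline and
SAMPLE_LOG events are constructed for this example and do not come from any
real identity provider or from the article.
"""
from dataclasses import dataclass
from datetime import datetime
import json

# Constructed baseline: MFA device IDs each user is already known to have enrolled.
KNOWN_DEVICES = {
    "alice": {"dev-a1"},
    "bob": {"dev-b1", "dev-b2"},
}

# Constructed sample events, newline-delimited JSON, one event per line.
SAMPLE_LOG = """\
{"ts":"2020-11-02T09:14:03Z","event":"mfa_device_enrolled","user":"alice","device_id":"dev-a1","src_ip":"10.0.0.5"}
{"ts":"2020-11-02T22:41:17Z","event":"mfa_device_enrolled","user":"alice","device_id":"dev-zz9","src_ip":"198.51.100.23"}
{"ts":"2020-11-03T08:02:44Z","event":"login_success","user":"alice","device_id":"dev-zz9","src_ip":"198.51.100.23"}
{"ts":"2020-11-03T10:15:00Z","event":"mfa_device_enrolled","user":"bob","device_id":"dev-b2","src_ip":"10.0.0.7"}
{"ts":"2020-11-04T03:00:00Z","event":"mfa_device_enrolled","user":"carol","device_id":"dev-c7","src_ip":"203.0.113.9"}
"""


@dataclass
class Alert:
    ts: datetime
    user: str
    device_id: str
    src_ip: str
    reason: str


def parse_events(text):
    """Yield one dict per non-empty log line, with 'ts' parsed to a datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def detect_new_mfa_devices(text, known=KNOWN_DEVICES):
    """Return alerts for MFA enrollments of devices absent from the baseline.

    A user with no baseline at all still produces an alert: the detection
    cannot vouch for a device it has never seen, so an analyst must.
    """
    enrolled = {user: set(devs) for user, devs in known.items()}  # work on a copy
    suspect = {}  # (user, device_id) -> Alert raised at enrollment time
    alerts = []
    for rec in parse_events(text):
        key = (rec["user"], rec["device_id"])
        if rec["event"] == "mfa_device_enrolled":
            baseline = enrolled.setdefault(rec["user"], set())
            if rec["device_id"] in baseline:
                continue  # re-enrollment of a device we already know: not interesting here
            reason = ("unknown device enrolled" if baseline
                      else "first device for user with no baseline")
            alert = Alert(rec["ts"], rec["user"], rec["device_id"], rec["src_ip"], reason)
            alerts.append(alert)
            suspect[key] = alert
            baseline.add(rec["device_id"])  # do not re-alert on a repeated enrollment line
        elif rec["event"] == "login_success" and key in suspect:
            # The unknown device was actually used to authenticate: escalate the
            # existing alert instead of emitting a second one.
            suspect[key].reason += "; later used for successful login"
    return alerts


if __name__ == "__main__":
    for a in detect_new_mfa_devices(SAMPLE_LOG):
        print(f"{a.ts:%Y-%m-%d %H:%M} {a.user:<6} {a.device_id:<8} {a.src_ip:<15} {a.reason}")
```

On the constructed input this raises two alerts: alice's enrollment of `dev-zz9` from an external address, escalated once that device is used to log in, and carol's first-ever device. In a real deployment the baseline would be built from historical enrollment records rather than a literal table, and the source IP or geography of the enrollment would be a natural second feature to weigh; the point the article makes is that the enrollment itself, not the later login, is the earliest observable.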
During a hearing of the Senate Intelligence Committee on Tuesday, executives from FireEye, Microsoft, CrowdStrike, and SolarWinds testified about the details of the campaign, and while many of those details have been public for some time, it was somewhat extraordinary to see some of the more seasoned security leaders in the industry speak about the attacks in plain terms. Kevin Mandia, the CEO of FireEye and a former Air Force officer who is not prone to hyperbole or conjecture, said that the attackers’ activity was “exceptionally hard to detect.” The attackers’ biggest mistake was hitting FireEye, a firm that specializes in rooting out APT activity in enterprise networks. Once FireEye was onto them, the attackers were going to be exposed; the seriousness of what the company’s internal team found dictated that it would be sooner rather than later.
The who was not really a mystery: a Russian-aligned group. It was the how that had Mandia and others concerned.
“We all pretty much know who it is. This has been a multi-decade campaign for them. When we were compromised, we were set up to investigate this incident,” Mandia said during the hearing.
“We still didn’t know the attackers broke in. This wasn’t the first place you’d look, it was the last place. They were more concerned about operational security than mission accomplished.”
That mission was multifaceted, but the main objective appears to have been good old-fashioned espionage: stealing sensitive data from any and all of the organizations the group could get into. The full scope of what the group was able to steal likely will never be known, though FireEye said its red team tools had been taken, and Microsoft officials said last week that some components of its Azure, Exchange, and Intune source code were taken as well. But whatever the damage turns out to be, it likely would have been far worse had FireEye not raised the alarm when it did. Private sector companies and government agencies already share information about attacks and threats through various mechanisms, including ISACs and private information exchange programs, but Microsoft President Brad Smith said during the hearing that it may be time for a formal requirement to notify a government agency of significant intrusions.
“I think it’s the only way we’re going to protect the country. It’s the only way we’re going to protect the world,” Smith said.
The faster information about ongoing threats or attacks gets into the hands of the defenders and agencies that can disseminate and act on it, the better for everyone involved. That effort can be hampered by concerns about private information becoming public, by business requirements, or by other issues, which is why a confidential channel for sharing data about threats and attacks, perhaps anonymized, could have considerable benefits.
“I like the idea of confidential threat intelligence sharing to whatever government agency has authority. Get the intelligence out there quickly if it’s confidential,” Mandia said.
As for the SolarWinds attack itself, an audacious operation that likely took months of planning and had cascading effects throughout the software supply chain, Smith said that kind of intrusion should be out of bounds for intelligence services.
“At this point we have found substantial evidence that leads to the Russian foreign intelligence service, and we have found no evidence that leads us anywhere else. There’s not a lot of suspense at this moment. It’s very very clear that this agency is very very sophisticated. That has been true for a long time. That is not new,” Smith said.
“The world relies on the patching and updating of software. We rely on it for everything. To tamper with that software update process is to tamper with what is in effect the digital equivalent of our public health service. This was an act of recklessness in my opinion. It was done in a very indiscriminate way. It was in truth an act without clear analogy or precedent.”
There have been other software supply chain attacks in the past, including the CCleaner compromise in 2017. But the SolarWinds incident has had the most far-reaching effects.
“This was a planned attack. My gut feeling is this started when someone said, Where’s the supply chain? The question really is, Where’s the next one and when are we going to find it?” Mandia said.