SolarWinds Attack Illustrates Evolving Russian Cyber Tactics
Dmitri Alperovitch, Former CrowdStrike CTO, Offers an Analysis
The SolarWinds supply chain attack demonstrates that Russian intelligence services have learned from previous operations and adjusted their tactics, says Dmitri Alperovitch, the former CTO of security firm CrowdStrike, which investigated Russian interference in the 2016 election.
Federal investigators have said the supply chain attack was part of a Russian cyberespionage operation, although they have not named what agency or group may have been involved.
The Russian attack group that spearheaded the SolarWinds attack was determined to maintain long-term persistence within the networks of government agencies and private companies to gather intelligence by monitoring systems and communications, says Alperovitch, who is now executive chairman of Silverado Policy Accelerator, a nonprofit organization that addresses cybersecurity and other policy issues.
"They came up with the supply chain idea where if you can compromise critical supply chain components, like SolarWinds and others, then you can conduct an operation that is very stealthy, very difficult to detect and you can hope to stay inside of those networks for a very, very long period of time," Alperovitch said during a Thursday presentation hosted by the Center for Strategic and International Studies.
"It's common for us to think of SolarWinds in the past - we found who did it and we're moving on. … But they're basically stockpiling vulnerabilities and access methods to use in attacks for years to come. So, we're likely to see that for a long time," Alperovitch said.
The attackers installed a backdoor in an update of SolarWinds' Orion network monitoring platform, and some 18,000 customers downloaded the Trojanized software. Then, nine government agencies and about 100 companies were targeted for follow-on attacks, federal investigators say. The multiagency investigation is continuing (see: White House Taps Neuberger to Lead SolarWinds Probe).
Federal Response to Attack
On Thursday, Gen. Paul Nakasone, the head of the U.S. Cyber Command and National Security Agency, briefed lawmakers about the attack and possible response.
"U.S. Cyber Command and NSA are both planning and informing the whole-of-government response options to the SolarWinds supply chain compromise and the adversary's associated campaign," Nakasone said. "Policymakers are considering a range of options, including costs that might be imposed by other elements of our government."
Nakasone also noted that lawmakers should consider new ways to gain greater visibility into the nation's infrastructure but not through the NSA or Cyber Command. "I'm saying that the nation needs an ability to be able to see what's going on within the United States," he said.
The White House announced earlier that it's preparing sanctions and other actions to target the attack group responsible for the SolarWinds attack (see: White House Preparing 'Executive Action' After SolarWinds Attack).
The Biden administration will likely announce its actions in the "next week or two," says James Lewis, senior vice president and director of the strategic technologies program for the Center for Strategic and International Studies, a Washington-based think tank.
Lewis said at Thursday's event that the White House needs to come up with fresh thinking about how to hold attackers and the countries that support them accountable.
"We're at a transitional moment in cyber conflict with SolarWinds. … It's not a cyber Pearl Harbor, but it should focus the debate on how we impose consequences," Lewis said.
Alperovitch believes Russia's intelligence agencies learned lessons from previous operations, including a series of attacks in 2014 and 2015 that targeted the White House, the Joint Chiefs of Staff and the State Department.
In those operations, Russian-linked attackers sent numerous phishing emails to employees within the U.S. government, which were discovered within a few weeks, the former CrowdStrike CTO says. But in the SolarWinds attack, that tactic was dropped in favor of a supply chain approach that included stealing and compromising security tokens within SolarWinds, assuming identities, maintaining persistence and eventually escalating privileges.
"The cyber operations of 2014 were essentially a failure," Alperovitch said. "So I think it's very likely that they went back to the drawing board after those operations … and thought about how to get into those networks and stay in there for years and decades and continuously steal valuable information."
Alperovitch believes the SolarWinds supply chain attack is likely the work of a group within Russia's SVR foreign intelligence service that he's dubbed "Holiday Bear."
"This group of cyber actors also learned lessons from other Russian groups," Alperovitch says. For example, the Russian Main Intelligence Directorate, also known as the GRU, compromised supply chains as part of the destructive 2017 NotPetya malware attacks (see: 6 Russians Indicted for Destructive NotPetya Attacks).
The SolarWinds attackers applied the same supply chain compromise techniques but in a much more stealthy manner that focused on long-term persistence rather than on disrupting networks, Alperovitch said.
"The SolarWinds operation was exceptionally done, and virtually every element of it was very carefully crafted for stealth long-term persistence," he said.