Richard Clarke, CEO of Good Harbor Security Management and advisor to GigNet Inc., pens a series of articles on trends and events in the world of cyber security.
Ransomware attacks by criminal groups, many of which operate out of Russia, have attracted media, Congressional, and even Presidential attention, with President Biden threatening cyber attacks in retaliation. This wave of cyber crime, however, is a lesser threat when compared to the nearly silent campaign by Russian military and intelligence agencies to penetrate key corporate and government computer networks across this country.
When the major East Coast gas pipeline was hit by ransomware, some US cyber security experts immediately doubted that the Russian government was the perpetrator. The Russian government, they believed, would not want a peacetime attack that proved how vulnerable the US pipeline system is. The Russian military’s hacker unit, the GRU, would want that key piece of US critical infrastructure left as easy prey for them to attack in a cyberwar. As many cyber experts expected, it would be in the wake of a major attack, like that on Colonial, that the US government would introduce new regulations for privately owned and operated critical infrastructure. Indeed, minimum standards for petroleum pipeline cyber security were issued in the weeks following the Colonial hack. US companies complying with these new minimum standards may make it more difficult for the GRU to hack its way into the pipeline controls, but hardly impossible for well-resourced and skilled attackers. It is highly probable that the GRU has a contingency plan to engage in cyberwar with the US, a plan which it could execute within hours of being ordered to do so by Vladimir Putin. To be ready to respond that quickly, the GRU undoubtedly has already penetrated the target networks and created “backdoors,” covert access pathways for destructive malware. Militaries have contingency plans for a variety of scenarios, most of which never materialize, but it is not unrealistic to think that the US and Russia might someday be in a crisis, or even combat, in which Moscow might want to cripple the US economy through cyber attacks. If that day ever comes, the GRU will not use ransomware attacks.
In the long list of companies that have briefly become household names because they have been victims of cyber attacks from Russia, one stands out as unique: SolarWinds. The SolarWinds company was not attacked by Russian criminals, and it was not a victim of ransomware. It was attacked by the Russian government, which used techniques that were so stealthy that SolarWinds themselves never discovered the penetration in the many months the Russians were inside their network. During those months, the Russian SVR altered the code for a software update that SolarWinds then sent to hundreds of companies and government agencies which were SolarWinds customers for network management software. As soon as that software update was accepted by the SolarWinds customers, their networks, too, were immediately compromised.
A company in their supply chain had been used to attack them. All of those victimized companies and agencies also failed to notice as the Russians then moved around stealing data and leaving back doors on their networks. Over nine months went by until one day a justifiably paranoid computer security company, FireEye, noticed something amiss on its network and traced the problem back to the SolarWinds software they used. Further investigation revealed the Russian penetration of hundreds of networks through SolarWinds, but it could just as easily have never been noticed. Billions of dollars worth of cybersecurity tools on the affected networks did not detect the Russians’ presence. FireEye’s detection of the attack campaign depended upon one suspicious and diligent human. What if that human had been a little groggy that day?
Moreover, what makes us think that what the Russian government did to the SolarWinds company, and its customers, was unique? The Russian military penetrated SolarWinds, pivoted to its build process, and then used SolarWinds’ trusted status to spread Russian access among its customers. Was this successful attempt the SVR’s first? Will it be Russian state hackers’ last?
There is little reason to think that Russian state-backed actors, other persistent threat groups, and cybercriminals will not seek to leverage software providers as an attack vector in future attacks. There are hundreds, if not thousands, of software companies that regularly send out trusted updates to corporate and government clients numbering in the hundreds of thousands. The pivotal role of this software in the continuous operation of the US economy and government requires the development of new threat modeling techniques and cyber security practices. SolarWinds was unable to tell when the attacker entered its network. While many software-producing companies may be using the most effective known techniques to detect manipulation of their products, it is unlikely that other trusted providers are more capable of repelling this kind of persistent, nation-state threat.
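The attack described above works because customers accept whatever the vendor's build pipeline emits. One practice that addresses this is to compare the delivered update against a manifest of digests produced somewhere the attacker did not control, for example from an independent rebuild of the audited source (reproducible builds) or a manifest pinned out of band at procurement. The following is an added example, not code from the article or from SolarWinds or any vendor; the file names, contents and digests are constructed for illustration, and the functions `manifest_from_build` and `verify_release` are hypothetical names chosen here.

```python
"""Customer-side integrity check of a vendor update against an independent manifest.

Added example, not from the article. The manifest is computed from a build the
customer trusts (a reproducible rebuild from audited source, or a manifest pinned
out of band); the delivered release is then compared file by file. A binary
altered inside the vendor's build process, as the article describes, differs from
the independently derived digest and is reported before installation.
All release contents below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_from_build(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 of its content (the trusted reference)."""
    return {path: sha256_hex(data) for path, data in files.items()}


# Constructed "known good" release as an independent rebuild from source produces it.
GOOD_RELEASE = {
    "bin/agent.exe": b"agent v1.0 -- genuine build\n",
    "lib/core.dll": b"core library\n",
    "conf/default.cfg": b"telemetry=off\n",
}

# The reference manifest the customer trusts; here derived from GOOD_RELEASE.
TRUSTED_MANIFEST = manifest_from_build(GOOD_RELEASE)


@dataclass
class VerificationResult:
    tampered: list[str] = field(default_factory=list)   # digest differs
    missing: list[str] = field(default_factory=list)    # in manifest, not delivered
    unexpected: list[str] = field(default_factory=list) # delivered, not in manifest

    @property
    def ok(self) -> bool:
        return not (self.tampered or self.missing or self.unexpected)


def verify_release(files: dict[str, bytes], manifest: dict[str, str]) -> VerificationResult:
    """Compare every delivered file against the trusted manifest.

    Any difference is a reason not to install: a changed digest means the
    artifact is not what the trusted build produced, an extra file means a
    component nobody audited, a missing file means an incomplete delivery.
    """
    result = VerificationResult()
    for path, expected in manifest.items():
        if path not in files:
            result.missing.append(path)
        elif sha256_hex(files[path]) != expected:
            result.tampered.append(path)
    for path in files:
        if path not in manifest:
            result.unexpected.append(path)
    for lst in (result.tampered, result.missing, result.unexpected):
        lst.sort()
    return result


def modified_release() -> dict[str, bytes]:
    """Constructed test input: one binary altered after the trusted build and
    one extra component added, modelling an update tampered with at build time."""
    files = dict(GOOD_RELEASE)
    files["bin/agent.exe"] = b"agent v1.0 -- altered build\n"
    files["lib/extra.dll"] = b"component not in manifest\n"
    return files


if __name__ == "__main__":
    for name, release in (("genuine", GOOD_RELEASE), ("modified", modified_release())):
        r = verify_release(release, TRUSTED_MANIFEST)
        print(f"{name}: ok={r.ok} tampered={r.tampered} "
              f"missing={r.missing} unexpected={r.unexpected}")
```

The check is only as good as the source of the manifest: a digest list or signature produced by the same pipeline the attacker modified would match the altered binary, which is why the reference should come from an independent rebuild or be pinned from a channel the vendor's build system cannot write to.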
The recent cyber attack on Kaseya by ransomware criminals has caused some cyber experts to infer that the software supply chain attack technique has been in use for a while. There is a pattern in which cyber attack techniques used by a government are eventually mimicked by criminal groups. The software company Kaseya, a competitor to SolarWinds, was targeted by criminals to propagate ransomware on its customers’ networks much the same way that the Russian government hackers used SolarWinds.
Russian hackers learning how to be more effective with time is nothing new. In 1998, I convened the first meeting ever held in the White House Situation Room to respond to a foreign cyber attack campaign. Some group, which I later came to believe was the Russian government, was systematically penetrating US government and corporate computer networks, copying and exfiltrating sensitive information. We gave the attack campaign a codename: Moonlight Maze. The attacks continued for two years. After every attack we discovered, we would attempt to block the attack technique they had used. The attacker would then come back, using a better technique. That cycle continued until one day we no longer noticed them anymore. “Had we finally stopped them?” someone asked. “No, it doesn’t,” an expert from a US intelligence agency replied. “Nobody ever notices us on their networks. They’re just getting as good as we have been.”
The fact that we are not noticing the Russian government’s hackers on our crucial networks does not mean they are not there. It means they are good at what they do. They penetrate and then persist, moving about in ways that no cyber security defense product will notice. Moonlight Maze proved they could do it twenty years ago. SolarWinds proved they can still do it, despite the massive improvement in costly cyber defenses. Biden’s recent Executive Order took some steps towards improving software supply chain security, but this alone is not enough.
The US government has no systematic, public-private program to “threat hunt” in the networks of critical private sector companies. Nor does it have one, integrated effort to find penetrations of sensitive government networks. So, while it’s nice that the Biden Administration and Congress have taken notice of Russian criminal ransomware attacks, they need to understand that ransomware is not the biggest cyber threat to the US emanating from Moscow.