Font Size: A A A

Home > News > Case Studies > US acts on SolarWinds breach

Case Studies

US acts on SolarWinds breach

In the United States, the Department of State is expelling ten officials from Russia’s diplomatic mission in Washington, DC. as part of what the US State Department terms ‘actions to hold the Russian Government to account for the SolarWinds intrusion, reports of bounties on US soldiers in Afghanistan, and attempts to interfere in the 2020 US elections’. In an executive order, the US government named the Russian Foreign Intelligence Service (SVR) also known as APT 29, Cozy Bear, and The Dukes, as ‘the perpetrator of the broad-scope cyber espionage campaign that exploited the SolarWinds Orion platform’ last year.

In a statement about US response – which President Joe Biden stressed was ‘proportionate’ – Secretary of State Antony Blinken said that his department ‘is taking steps to bolster cybersecurity partnerships internationally, including by providing a new training course with partners on the policy and technical aspects of publicly attributing cyber incidents and by supporting trainings on responsible state behaviour in cyberspace’.

The US National Security Agency (NSA) has laid out SVR targeting of covid-19 research facilities via WellMess malware and targeting networks through the VMware vulnerability.

For President Biden’s April 15 remarks on Russia, visit www.whitehouse.gov.

Meanwhile the US Department of the Treasury designated six Russian technology companies that provide expertise and other support to the Russian Intelligence Services’ cyber programme; tools and infrastructure and ‘facilitating malicious cyber activities’. And the Department of Defense is to include allies, including the UK, France, Denmark, and Estonia, into the planning for CYBER FLAG 21-1 exercise.

Comments

Chris Hallenbeck, Regional CISO of Americas at cyber firm Tanium, said “The announcement of sanctions and other actions in response to the SolarWinds breach and other cyber activity was not a surprise. The scale and audacity of the breach made it almost certain that it was state-sponsored, and the attribution by government intelligence, law enforcement, and cyber protection agencies points the finger squarely at one country.

“Sanctions alone are unlikely to bring brazen hacking to an end. It is up to companies and organizations to improve their cyber hygiene to make such intrusions less frequent and less impactful when they do occur.” He added that the National Security Agency released guidance outlining five vulnerabilities being exploited by who the NSA attributes as being Russian hackers. “Notably those five vulnerabilities were announced in 2018, 2019, and 2020. That means organizations are failing to address vulnerabilities that are upwards of three years old, which considerably increases the likelihood of a damaging breach occurring.”

The NSA, and the other US agencies the CISA (part of the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency), and FBI urged all in cybersecurity to check their networks for indicators of compromise.

Quinn Wilton, senior researcher at Synopsys Software Integrity Group pointed to a worrying trend in cybersecurity of attackers using weaknesses in supply chain security; while a vendor is initially breached, the impact of that breach is felt by that vendor’s customers.

“This is a powerful position for attackers to be in, enabling them to pick and choose from a wide number of targets while offering plenty of opportunities to exploit a customer’s trust in their vendors to evade detection. Attacks like this aren’t new, but with software being more interconnected than ever, I predict we’re going to start seeing these sorts of breaches more frequently. This means that code signing is more important than ever, and that transparency around the storage and disposal of those code signing keys is going to be a vital step toward building trust in the channels we all use to distribute software.

“We need to collectively work to ensure that all organizations are given the tools and education required to validate the provenance of the software they use. The nature of these attacks means that mitigating them is going to require a concerted effort between all actors within a supply chain, and there’s still a lot of work to be done to make this sort of collaboration possible on a wide scale.”

Andy Norton, European Cyber Risk Officer at Armis said that official advice to immediately patch all vulnerable devices was necessary and useful. “However, it assumes that you know where the vulnerable devices are to begin with, and in many cases it will be the device that has been forgotten about, or purchased outside of corporate IT remit, and not in an inventory that will end up being the root cause of future security incidents.

“Across the board, there are very low levels of certainty in the attack surface that will ultimately cause harm to many organisations. In another recent fire drill, the FBI actively engaged in finding vulnerable Microsoft Exchange servers and removing malicious code from effected US entities. The head of US Cyber Command and the NSA, Gen. Paul Nakasone, openly admitted in a recent Senate hearing that visibility into US infrastructure is a known blind spot. We can expect to see more active defence measures taken by the US government to aid the US private sector.”


Tags

Related News