FireEye Breach: A Tipping Point in Nation State Attacks

Events can escalate quickly in cyberspace. What started out as an audacious but apparently isolated breach of FireEye became, in a matter of days, one of the most impactful state-sponsored cyber-espionage campaigns ever discovered. Russia is thought by many to have been behind the attacks, which compromised multiple US government departments and numerous tech companies, NGOs, contractors and others around the world.

Microsoft president Brad Smith has described it as a “moment of reckoning” that demands a coordinated response from democratic governments around the world, working hand-in-hand with the technology industry. In the meantime, CISOs caught in the middle must find a way to mitigate risk as best they can both in their organization and across the supply chain, according to the experts that Infosecurity spoke to.

The story begins with that attack on FireEye, revealed by the firm in early December 2020. It claimed the attackers were looking for information on its government customers, although at the time it said no data on them had been taken. In fact, the only assets they took were some of the tools used by FireEye’s red team operatives to test for weaknesses in customers’ IT environments.

Just a few days later, the vendor dropped a bombshell, revealing that this incident was part of a much bigger “top tier” nation state attack. The attack vector? Updates to a popular product (Orion) from IT management software firm SolarWinds, which enabled compromise via a backdoor Trojan known as Sunburst (Solorigate). It’s possible that the vendor was itself compromised via its Office 365 installation. This kind of supply chain attack technique shares similarities with the NotPetya campaign of 2017, which began with Trojanized versions of popular Ukrainian accounting software.

FireEye’s analysis reveals the sophisticated OpSec techniques the group used to stay hidden. It apparently relied on only a light malware footprint, focusing mainly on compromising legitimate credentials to move laterally and remotely access systems. Of the malware that was used, Sunburst hid its network traffic as the Orion Improvement Protocol in order to blend in with legitimate SolarWinds activity. It also used multiple obfuscated blocklists to identify and stop any AV tools running.

The US government appears to have been the main target of what reports are claiming was an attack coordinated by APT29 (aka Cozy Bear), which was linked to previous attacks on the Democratic National Committee in 2016 and on COVID-19 vaccine data. Although the government hadn’t revealed which departments were targeted at the time of writing, these are believed to have included: the Commerce Department’s National Telecommunications and Information Administration; the departments of health, state, energy and homeland security; the National Nuclear Security Administration and the Cybersecurity and Infrastructure Security Agency (CISA), as well as some US state governments.

Many of these details were subject to further change, which in itself is testament to the scale of the campaign and the lengths the actors went to in order to stay hidden. CISA has revealed that there is evidence of additional “initial access vectors” besides the malicious Orion updates.

A Fatal Mistake

Experts agree that FireEye was not the primary target for this campaign, which may have given Russian attackers access to government emails and other sensitive systems since March 2020.

“Many of the stolen tools are open source and not proprietary to FireEye. There are no zero-day exploits in the cache of tools stolen,” Forrester senior analyst, Brian Kime, tells Infosecurity. “Additionally, FireEye shared detections (Yara and Snort rules) with the community to detect those tools. With those detections available, the perpetrators of the theft will likely have to modify the stolen tools and those modifications will be a signature of who is using the particular tool.”

However, the attackers’ decision to go after FireEye proved to be a fatal mistake, as it was the vendor’s subsequent research which lifted the lid on the whole operation, he adds.

Microsoft’s Smith has described the campaign as “not espionage as usual” – an attack which went beyond the normal boundaries of acceptable statecraft to undermine “the trust and reliability of the world’s critical infrastructure, in order to advance one nation’s intelligence agency.” Given the sophistication of the techniques behind it, it may seem like an uphill task for CISOs to protect their own organizations in response.

James Muir, threat intelligence research lead at BAE Systems Applied Intelligence, argues that supply chain attacks like this, although seen many times in the past, “are among the trickiest to defend against.

“The attack raises a number of familiar but complex questions about supply chain security, and also around the evolving threat to cloud services,” he tells Infosecurity. “As well as making sure that organizations are ‘doing the basics right,’ these are two areas that specific effort should be focused on. There are no silver bullets to either, though.”

Muir points to the National Cyber Security Centre (NCSC) resources on supply chain security and cloud security as a good starting point, and urges security teams to act quickly whenever major cloud providers like Microsoft and Amazon issue guidance and updates. Forrester’s Kime adds that something as simple as removing your corporate logo from security and IT vendors’ websites can make it harder for threat actors to map out their supply chain attacks.

Going Further

However, for others, there are more deep-rooted problems at play. Light Rider CEO, Tony Lawrence, who describes himself as the “first cyber-warrior for the US Army, NSA and CYBERCOM,” argues that most cybersecurity tools simply aren’t capable of stopping a determined nation state actor.

“The only technology that will offer top-of-the-line security is quantum encryption. Quantum encryption doesn’t create software to protect a network, it encrypts existing software, protecting it from the only viable outside threat at that point – a quantum computer,” he tells Infosecurity. “It will become the most reliable form of cybersecurity. With quantum encryption, cybersecurity will be an afterthought.”

Georges de Moura, head of industry solutions at the World Economic Forum (WEF) Center for Cybersecurity, agrees that organizations are “losing the race” against threat actors.

“One of the major causes of this failure is that the technology is not as effective as it needs to be. The core breakdown is an information asymmetry between the parties that prevents buyers from effectively evaluating technology and incentivizes vendors to bring sub-optimal solutions to the market,” he argues.

“Business leaders will have to coordinate the development of a new model to change market incentives, by demanding efficacy and transparency of technology solutions. These changes will have to be delivered through a multi-stakeholder collaboration between vendors, buyers, government agencies and standards setters.”

In the meantime, CISOs must mitigate risk as best they can, through a combination of enhanced due diligence of suppliers and “security by design” practices, zero-trust approaches and continuous monitoring of the IT environment, experts argue. Ongoing assessments of their organization’s risk profile will also be essential. You might not be a target of sophisticated nation state activity today, but in a fast-changing world, the same may not be true six months or a year down the line.