It is clear that the IT industry must take the next step: band together and share threat intelligence and cyber best practice to avoid similar hacks in future. Cybersecurity and military professionals have long believed that the next major war between the world powers will not involve the firing of a single kinetic weapon. The SolarWinds Orion hack could be the first known attack that reaches this level.
All indications point to a unit of Russia's SVR, the equivalent of the U.S. CIA, as the actor behind the hack. I cannot say this too strongly: it is still early in the analysis, and this assessment could change. It appears that this cyberattack was carried out by Russia against the United States and other Western countries. If that is true, it could be classified as an act of war. How and when the U.S. responds will affect the whole world.
The U.S. response to the attack is very muted at the moment, which I find troubling. Based on what we know now, this event warrants the strongest public reprimand and even harsher words in private. Once the evidence clearly identifies the attackers, it should be made clear that the U.S. will respond in the manner and at the time of its choosing. I advocate a strong, proportional response to deter another cyberattack of this scale. We have the opportunity to define the boundaries of acceptable cyber-espionage and what constitutes cyber-warfare, and to put in place deterrents that preserve peace and global security.
Assessing the Damage to Determine What and How Much
As I said at the beginning, what we don't know yet may be vastly more important than what we know now. Over the past week, I have attended numerous briefings and read countless reports and articles. It appears that the attackers infiltrated the SolarWinds servers used to compile, verify and digitally sign updates for the SolarWinds Orion platform, and added malicious code to what appeared to be a normal Orion update. Because the code was inserted before the build was signed, the update carried a valid SolarWinds signature and passed the checks customers normally rely on. SolarWinds has roughly 300,000 customers in total; it estimates that up to 18,000 of them installed the backdoored update and are therefore exposed to the malware.
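The point above, that a build-system compromise produces an update that is correctly signed by the vendor, is easy to miss, so here is a small model of it. This is an illustrative example added to this article; it is not SolarWinds code and not the real malware. The "compiler" (it just concatenates source files), the source tree, the vendor key and the injected snippet are all constructed, and HMAC-SHA256 stands in for a real code-signing signature so the script runs offline with only the standard library. It shows that an ordinary signature check passes on the trojanized build, while rebuilding from trusted source and comparing hashes (a reproducible-build check) does not.

```python
"""Toy model of a build-system compromise of the SolarWinds Orion kind.

Illustrative code added to this article, not SolarWinds code and not the
actual malware. The compile step is a stand-in (it concatenates source
files) and HMAC-SHA256 with a vendor key stands in for a real code-signing
signature, so everything runs offline with the standard library only.
"""
import hashlib
import hmac

# Constructed sample inputs: a legitimate source tree, the vendor's signing
# key and the code the attacker injects. In the real incident the attackers
# had access to the build servers, so injected code was compiled and signed
# like any other change.
CLEAN_SOURCE = {
    "Orion/Core.cs": "class Core { void Run() { Collect(); } }\n",
    "Orion/Collector.cs": "class Collector { void Collect() { Poll(); } }\n",
}
VENDOR_SIGNING_KEY = b"hypothetical-vendor-signing-key"
INJECTED = "class Backdoor { void Beacon() { /* call-home */ } }\n"


def compile_update(source):
    """Stand-in compile step. It is deterministic, so an honest rebuild
    from the same source reproduces the same bytes."""
    return "".join(source[path] for path in sorted(source)).encode()


def sign_update(artifact):
    """Stand-in for the vendor's code-signing step (HMAC instead of PKI)."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def verify_signature(artifact, signature):
    """What a customer's update check does: confirm the artifact was
    signed with the vendor key. It says nothing about the build inputs."""
    return hmac.compare_digest(sign_update(artifact), signature)


def compromised_build(source):
    """Model the attack: code is injected before compilation and signing,
    so the resulting artifact is signed exactly like a clean one."""
    tampered = dict(source)
    tampered["Orion/Core.cs"] = source["Orion/Core.cs"] + INJECTED
    artifact = compile_update(tampered)
    return artifact, sign_update(artifact)


def matches_independent_rebuild(artifact, trusted_source):
    """Reproducible-build check: rebuild from source you trust on a
    machine you trust and compare the hash of the shipped artifact."""
    expected = hashlib.sha256(compile_update(trusted_source)).hexdigest()
    return hashlib.sha256(artifact).hexdigest() == expected


def assess(artifact, signature, trusted_source):
    """Run both checks on a shipped artifact and report the outcome."""
    return {
        "signature_valid": verify_signature(artifact, signature),
        "matches_rebuild": matches_independent_rebuild(artifact, trusted_source),
    }


if __name__ == "__main__":
    clean = compile_update(CLEAN_SOURCE)
    print("clean build:      ", assess(clean, sign_update(clean), CLEAN_SOURCE))
    bad, bad_sig = compromised_build(CLEAN_SOURCE)
    print("compromised build:", assess(bad, bad_sig, CLEAN_SOURCE))
```

For the compromised build the first check reports a valid signature and the second reports a mismatch. The caveat is that the rebuild check only works when the build is reproducible and the person running it has trusted source and a clean build host; for a closed-source product such as Orion that means the vendor, or an auditor it engages, rather than the customer.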
The attackers targeted major private corporations, many U.S. government agencies and prominent academic institutions, as well as foreign private and public entities. The details are still being gathered, so they could change in the coming days or weeks. The combination of these targets is worrying, because it could point to a very damaging intent.
It is unclear at this time whether the hackers were just infiltrating and monitoring data or actively exfiltrating it, and if so, what data might have been stolen. It is also not clear how far the hackers moved laterally inside the networks they entered. Many believe that we do not know how deep these infiltrations go or what the hackers have been doing for the past nine months. It appears that the original hack occurred in March, when the world was focused on the rapid growth of the COVID-19 pandemic. Combine the pandemic with the attention on election security and misinformation in the U.S., and we may come to realize that we do not have the resources necessary to defend our nation and economy from ongoing cyberattacks.
Sharing security best practices must be a priority
One thing I have heard repeatedly is that both public and private organizations must share more information about the attacks they see in the wild. Most organizations keep vital information that could prevent an attack to themselves, due to competitive pressures. That view is quickly being reframed: sharing what you see, in terms of cyber threats and attempted intrusions, is not a sign that an organization is weak. This is why ISACs and ISAOs (Information Sharing and Analysis Centers and Organizations) were created: they share critical cyber threat intelligence with critical infrastructure sectors or communities of interest to better protect against attackers.
One of the briefings I attended last week stated clearly that it is impossible to prevent an attack of the SolarWinds Orion type. If a nation-state plans to perpetrate an attack like this, we have little, if any, control over it. We can, however, improve the sharing of threat intelligence and the alerting of others as soon as an attack is detected.
