screencap of DVIDS video

Gen. Paul Nakasone briefs reporters on cybersecurity at the White House in February 2019

 

WASHINGTON: Cyber Command chief Gen. Paul Nakasone said Thursday that “CYBERCOM plays a continuing key role in the government-wide response” to the massive cyberespionage campaign against U.S. government entities and companies. “Certainly over the past few months,” he said, “the SolarWinds breach has focused our attention.”

Nakasone’s comments came on the same day security company FireEye, which was the first to publicize the SolarWinds hack after becoming a stage-two victim itself, published a blog post detailing a newly discovered backdoor it’s calling SUNSHUTTLE. The company said SUNSHUTTLE has a “possible connection to UNC2452” — the name FireEye has given to a threat actor associated with the SolarWinds campaign.

Nakasone made the remarks during his opening keynote speech at the eighth CYBERCOM Annual Legal Conference, which was held virtually for the first time this year due to COVID-19 and had over 1,400 attendees from around the world, including 200 foreign partners. In addition to leading CYBERCOM, Nakasone currently serves as the Director of the National Security Agency and as Chief of the Central Security Service.

Nakasone did not detail what CYBERCOM’s “key role” or the “ongoing response” is to the SolarWinds hack, but he highlighted supporting the Federal Bureau of Investigation, Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, and Office of the Director of National Intelligence. CYBERCOM’s broad mission includes protecting Department of Defense networks, guarding the nation against cyberattacks, and supporting Joint Forces. His speech placed notable emphasis on CYBERCOM’s “defend forward” concept. Nakasone said defend forward includes “executing operations outside U.S. military networks.”

Meanwhile, FireEye’s Mandiant Threat Intelligence team said it found SUNSHUTTLE “uploaded by a U.S.-based entity to a public malware repository in August 2020.” It did not name the entity, but this might be the “possible connection” to UNC2452 that Mandiant refers to. Mandiant characterized SUNSHUTTLE as “most likely a second-stage backdoor dropped after an initial compromise.” SUNSHUTTLE includes standard malware capabilities, including communication with remote servers controlled by the threat actor who can use them to remotely change the malware’s configuration, upload/download files, and execute arbitrary commands on a compromised asset. Mandiant said the infection vector is not yet known.

The U.S. government has not yet officially attributed the SolarWinds hack. Broad consensus has emerged among public and private sector officials that Russian intelligence services are behind the campaign, which has affected nine federal entities and at least 100 private companies. The government is expected to formally attribute the hack and announce the U.S. response soon.

On a Feb. 21 episode of Face the Nation, National Security Advisor Jake Sullivan said, “That response will include a mix of tools seen and unseen, and it will not simply be sanctions.” He added, “We will ensure that Russia understands where the United States draws the line on this kind of activity.”

Within the defend forward context, Nakasone discussed the doctrine of “persistent engagement,” which he said is “centered on the construct of both enable and act.” Nakasone said enable means sharing threat indicators, sharing personnel, and providing insight. Act entails “hunt forward” — that is, proactively identifying security vulnerabilities in partners’ networks overseas, with permission — as well as offensive operations and information operations. Within CYBERCOM’s strategy, offensive operations could mean retaliatory or preemptive cyber measures taken against adversaries in order to protect the U.S. “Persistent engagement,” he said, “focuses on an aggressor’s confidence and capabilities by countering and contesting campaigns short of armed conflict.”

Nakasone noted that “Great Power competition lives in cyberspace.” He said China is “the most strategic adversary” while Russia remains “the most sophisticated adversary” in cyberspace. Iran and North Korea remain “capable and intent” adversaries. He added, “Our adversaries today have our attention.”

Nakasone emphasized that “partnerships are key to our success,” both with foreign allies and within the domestic private sector. Strong partnerships “make it increasingly difficult for adversaries in cyberspace,” he added. He highlighted the work of the NSA’s Cybersecurity Collaboration Center, whose purpose is to partner with the domestic private sector and rapidly communicate with partners.

Nakasone also summarized CYBERCOM’s role in protecting the 2020 election and noted that in 2020 the NSA released over 30 public advisories covering cybersecurity guidance and mitigations, with many more issued directly to its defense and intelligence community customers.