SolarWinds Hack: ‘The Truth Is Much More Complicated’

WASHINGTON: The threat actor behind the SolarWinds hack accessed the email inboxes of the Department of Homeland Security’s former acting director and key cybersecurity staff, as well as the schedules of top Department of Energy officials.

“If true, this is a serious breach of security, as these emails are often very revealing and contain hints to what any administration is up to,” said Adam Roosevelt, an intelligence expert, combat veteran, and CEO of the security firm AR International Consulting.

DHS is the federal agency charged with cyber defense of domestic networks. Even before today’s news, some were openly questioning how the agency failed to detect the SolarWinds campaign, which was discovered nine months after its inception and publicly disclosed by security company FireEye in December.

The news, first reported by the Associated Press, comes amid continuing fallout from the extensive cyberespionage campaign that has hit at least nine federal agencies and raises new questions about the lasting consequences of the campaign. We don’t know any details of what may have been stolen, altered, or viewed from DHS or DoE. But the AP did report that the duties of DHS staff whose emails were accessed “included hunting threats from foreign countries.”

The schedules accessed at DoE are not, in themselves, considered sensitive and are subject to open records laws, according to the AP. DoE is charged partly with overseeing the nation’s nuclear programs.

The revelation arrives after CYBERCOM and NSA chief Gen. Paul Nakasone’s congressional testimony last week, in which Nakasone said US adversaries are increasingly hacking domestic entities using infrastructure located within the country. Nakasone said current US cyber defense consists of an inherent “blind spot” due to the inability of agencies such as DHS to gain total visibility into activities across US networks. US law and policy prevent CYBERCOM and NSA from monitoring or carrying out cyber operations against adversaries on US networks.

Former Defense Secretary and CIA Director Robert Gates revived his 2010 call to “appoint a ‘dual hat’ senior DHS officer who would also serve as a deputy NSA director with the authority to task the NSA in real time to defend against cyberattacks of domestic origin” in a Washington Post op-ed yesterday.

“The approach we devised in 2010 would not require new legislation and could be implemented quickly,” Gates wrote. “We are under attack. There might be a more elegant solution to our vulnerability, but a better means of defense is available now.”

Most officials and experts have said Russia conducted the SolarWinds hack, but the US government has not made a formal attribution or announced a response. Russia has denied any role.

Silverado Policy Accelerator Executive Chairman and CrowdStrike Co-founder and former CTO Dmitri Alperovitch spoke at an event last week on evolving Russian cyber tactics in light of the SolarWinds campaign.

Alperovitch said the SolarWinds campaign was “exceptionally well-done” and added, “[The SolarWinds hack] strikes me as exactly the type of cyber operation that we want Russia to do,” in that it was “very targeted, very precise, [with] very little collateral damage, going after traditional national security targets, primarily US government agencies.”

“We shouldn’t be happy that they’re successful,” Alperovitch continued. “We should not pat them on the back and not respond in any way.” But, he observed, SolarWinds “stands in stark contrast to the untargeted, reckless, and dangerous operation that the Chinese executed with their [Microsoft Exchange server] hacks.”

Alperovitch noted the importance of “granular attribution” to identifying threat actor motive and crafting a proportional US response. “We tend in the West to often treat Russia as a monolith,” he observed, “as if all Russians are the same, all Russian intelligence agencies are the same. …Of course, the truth is much more complicated.”

In the case of SolarWinds, most experts have attributed the hack to SVR, one of several major Russian intelligence agencies. Alperovitch characterized SVR as the “most professional” of Russia’s intel agencies. “SVR and its predecessor [within the KGB] were always mostly abiding by the rules of espionage, the gentlemen’s agreement that spy agencies follow, and while there have certainly been excesses, by and large they’ve kept to professionalism and focus.”

Alperovitch contrasted SVR with the FSB, which he said has committed past “atrocities,” and GRU, “the most reckless and the most thuggish intel agency in Russia.”

James Lewis, a cyber expert at the Center for Strategic & International Studies, speaking at the same event, said he had just attended a meeting with representatives from “likeminded nations” who were discussing the SolarWinds campaign. Lewis said there was broad consensus that SolarWinds was a “violation of international law and sovereignty.” The question is: How should the US respond?

Lewis said one issue is that, “We keep trying to apply 20th, and even 19th, Century conceptions of war and international humanitarian law to a new kind of conflict.” He observed, “One of the things we’ve learned in the last few years about cyber is that it’s no longer a standalone domain. It’s no longer an independent thing that occurs outside of the larger realms of strategy and policy. So, to think about this, our response, we have to put in the context of what is our policy towards Russia. What [are] our goals here?”

“There [are] a lot of rough patches” to work out in the overlap of cyber, strategy, and policy, he added.

Lewis noted the 2015 UN agreement on a normative framework for cyberspace, but Russia and China “pay no attention to it.” In view of this, Lewis said, we’ve got to “stop talking about deterrence and talk about accountability. These sorts of things will not stop until we impose consequences.”

But getting there is slow and tricky. “We don’t have a solution set for doing this yet,” Lewis observed, “because you still need political agreement both on attribution — not in [the SolarWinds] case, but in general — and proportionality.”

Alperovitch said cyberespionage campaigns like SolarWinds are “the types of things we should expect [Russia] to do. I’m not arguing we shouldn’t have a response. We should respond. We should express our displeasure. My only argument is that we should not overact.”

“We don’t have a cyber problem,” Alperovitch observed. “We have a Russia, China, North Korea, and Iran problem. The vast majority of the cyber intrusions we’re seeing are originating from those countries, either from the [governments] of those countries or the criminals and proxies that are allowed to operate freely within those countries, and we absolutely need to hold countries accountable for what happens inside their borders, whether it’s directed by the state or whether the state just turns a blind eye to this activity.”

Some have raised the specter of follow-on attacks, especially destructive, but both Alperovitch and Lewis were largely skeptical of this prospect — at least for now.

Alperovitch noted that the primary targets in SolorWinds second stage operations appear to have been US government agencies and IT supply chain companies, such as FireEye and Microsoft. The former targets suggest traditional nation-state cyberespionage. The latter suggests, “Through SolarWinds, they are probably stockpiling supply chain vulnerabilities and access methods to use in attacks for years to come,” Alperovitch said.

Alperovitch observed, “Could they use stolen data for information operations? Could they have used the attack for destructive purposes? Well, the answer to that, of course, is yes, they could have.” But, he added, “We’ve never seen SVR conduct influence operations or destructive operations that GRU typically takes the lead on. So, that’s why granular attribution is important. Understanding which agency is behind it can tell us a lot about motivations.”

Lewis said that, for Russia, it’s all about managing risk. Lewis said he “do[esn’t] worry” about cyberattacks on US critical infrastructure because, “We’ve created a sort of digital Maginot Line” that the Russians would be “very hard pressed” to cross.

He also distinguished between cyberespionage and “coercive” cyberattacks. “Recon[naissance] is not regarded as a coercive attack,” Lewis observed. “So, then, the question would be: When would it be in Russia’s interest to launch some kind of major, old-style attack, and I think the answer is never. Why would they do that? They’re winning now. Why risk having us wake up?”

He added, “The Chinese probably feel the same way.”

“Is [SolarWinds] a brilliant intel operation? Yes,” Lewis observed, but it was no “cyber Pearl Harbor.” “Is it the precursor to some massive attack? No.”