This past week’s revelation of a sophisticated nation state actor’s supply chain and post-exploitation cyberattacks of a Fortune 100 corporation and multiple U.S. federal government agencies has created silent chaos and the fear of the unknown for many executives in both the private and public sectors. For many, this is a cybersecurity crisis they hoped to avoid during their leadership tenure.
The Russian Nation State Cyber Threat Actor
The multi-pronged cyberattack of SolarWinds by a sophisticated nation state actor is believed to have been conducted by the Russian external intelligence service or SVR.
The Russian nation state computer network operations capability includes a number of advanced persistent threat (APT) groups including:
- APT 28 – attributed to the Russian civilian intelligence services (FSB and/or SVR)
- APT 29 – attributed to the Russian military intelligence service (GRU).
On March 15, 2018, the FBI and DHS issued a joint alert regarding the Russian government cyber activity targeting the U.S energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors. The FBI and DHS characterized this activity as a multi-stage cyber intrusion campaign by Russian nation state actors targeting small commercial facilities’ networks where they staged malware, conducted spearphishing, and gained remote access into energy sector networks. After these Russian cyber threat actors gained accessed, they then conducted network reconnaissance, moved laterally, and collected information pertaining to industrial control systems (ICS). It should be noted that in multiple instances, these Russian cyber threat actors performed clean up operations of their cyber intrusion activity which included clearing the following Windows event logs: System, Security, Terminal Services, Remote Services, and Audit. They also removed applications which they installed while they were in the network along with any logs produced. Finally, data generated by other account used on the systems accessed were also deleted.
The Russian nation state computer network operations capability is significant and has a devasting impact as evidenced by the October 19, 2020 FBI indictment of the Russian Main Intelligence Directorate or GRU, a military intelligence agency of the General Staff of the Russian Armed Forces, for the following cyberattacks:
- The 2015 and 2016 destructive malware attacks against the Ukrainian electric power grid, Ministry of Finance, and State Treasury Service, using malware known as BlackEnergy, Industroyer, and KillDisk
- The June 2017 destructive NotPetya malware attack that infected computers worldwide and impacting many large organizations including Merck Pharmaceuticals, FedEx, and others causing billions of dollars in damages worldwide
- Cyberattacks against the PyeongChang Winter Olympics Hosts, Participants, Partners, and Attendees
- Cyberattacks against the 2017 French elections
- Cyberattacks against U.K. organizations investigating the nerve agent poisoning of several U.K. Citizens.
On October 23, 2020, the U.S. Treasury Office of Foreign Asset Control (OFAC) sanctioned the Russian government research institution known as the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) for their connection and support of the Triton/Trisis industrial control system (ICS)-specific malware. The Triton malware was designed to specifically target and manipulate industrial safety systems which provide for the safe emergency shutdown of industrial processes at critical infrastructure facilities in order to protect human life. The Triton malware was initially found to have been used against a Saudi Arabian petrochemical facility during 2017. During 2019, the attackers behind the Triton malware were reported to have been scanning and probing of at least 20 electric utilities in the U.S. for vulnerabilities.
What We Know About the SolarWinds Attack (at this point)
This supply chain cyberattack has many aspects to it. This cyberattack would have included an initial compromise of the SolarWinds’s perimeter, with unauthorized lateral movement throughout the SolarWinds environment, and access to the SolarWinds Orion Platform infrastructure, where this Russian cyber threat actor added trojanized malware to the SolarWinds Orion Platform updates. These updates could have impacted 33,000 SolarWinds active maintenance customers. Based on its SEC filing of this cyberattack, SolarWinds believes 18,000 of its 33,000 customers were impacted but did notify the 33,000 customers which were exposed.
According to the SEC filing, there is an additional cyberattack on the SolarWinds Microsoft Office 365 email system. In its SEC filing, SolarWinds outlines an attack on its Microsoft office 365 email system and noted it is working with Microsoft and has “taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system.”
Once these trojanized updates were downloaded by SolarWinds customers, this cyber threat actor used very sophisticated tactics, techniques, and procedures (TTPs) to gain administrative privilege within their new victim environments. Once a sophisticated cyber threat actor has unauthorized administrative access to a victim environment, the possibility of additional compromise across business units and lateral movement is highly likely. In addition, if the compromised SolarWinds’s customer provides 3rd party services (such as consulting, audit services, etc.) there is a possibility of potential compromise of this victim organization’s client’s data and infrastructure.
Of note is the cleanup efforts by the Russian cyber threat actor as noted in the March 2018 FBI/DHS Alert. If the Russian cyber threat actor did in fact conduct cleanup efforts within these compromised environments, this will make the cyber forensic investigation much more difficult to provide a true picture of this cyber threat actor’s movement, malicious activity, exfiltration of data, and possibility of planting malicious software such as disk wiping software, destructive software, or logic bombs in the victim network.
According to the SolarWinds website, SolarWinds identifies the following organizations as some of its customers:
- Over 425 of the U.S. Fortune 500 organizations
- All 10 of the top 10 U.S. telecommunications companies
- All five branches of the U.S. Military
- The Office of the President of the U.S., the Pentagon, the U.S. State Department, NASA, NSA, U.S. Postal Service, U.S. Department of Justice
- All five of the top 5 Accounting firms
- Hundreds of universities and colleges around the world
Public media reporting indicates the following U.S. federal agencies have been impacted by the SolarWinds cyberattack:
- Treasury Department
- Department of Homeland Security
- Department of Energy
- National Nuclear Security Administration
- State Department
- Commerce Department
- National Institutes of Health
Private sector organizations which have publicly been identified include:
In addition, Microsoft has identified more than 40 of its customers that installed the trojanized versions of the SolarWinds Orion Platform. Microsoft President Brad Smith advised 80% of these known victims were in the U.S. and the rest of the victims were located in 7 other countries (Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates).
Guidance for Executives
Executives of both the public and private sector organizations which may be impacted by this cyberattack will have many questions to ask their CIO or CISO in light of this week’s reporting of the cyberattack on SolarWinds, its customers, multiple federal agencies, and other victims yet unknown.
This is a time for self-reflection as to the strategic investments your executive leadership team has (or has not made) in providing your organization the most mature enterprise wide cybersecurity posture.
How sophisticated are your cybersecurity professionals responsible for securing your organization’s personnel, operations, and technology? Has your organization invested in their capabilities and training to ensure they have the best tools and training to identify, protect, detect, respond and recover to a nation state level cyberattack such as the SolarWinds cyberattack? If not, your leadership team will need to hire an independent 3rd party cybersecurity vendor who specializes in nation state level intrusions to assist your organization in determining the true extent of this nation state cyberattack on your organization.
Executives should request to review their organization’s most recent cybersecurity reports to obtain a better understanding of their organization’s overall cybersecurity posture. Many of these reports will have provided maturity levels, vulnerabilities found, and recommendations on areas to improve. These reports should provide executive teams with the information needed to build out a short-term and long-term strategy to mature their organization’s cybersecurity maturity and posture. Some of these reports could include the following:
- The organization’s most recent cybersecurity assessment of the organization entire cybersecurity risk management program (including its operational technology network)
- 3rd party cybersecurity assessment of all 3rd party cybersecurity risks
- The organization’s most recent cybersecurity assessment of its supply chain cybersecurity risks
- The cybersecurity assessment of software and application development
- The organization’s most recent penetration tests of its business networks, operational technology networks, web infrastructure and web applications, mobile and mobile applications infrastructure, wireless infrastructure, cloud infrastructure, and any others cybersecurity penetration tests which have been conducted.
- CIO/CISO reports on what actions have been taken to date to mitigate any vulnerabilities identified in the above noted reports.
Executives should consider the following questions to guide them regarding enterprise wide cybersecurity for their organization as it relates to this nation state level cyberattack:
- Does the organization use the SolarWinds Orion Platform?
- If the response is yes, has the organization’s cybersecurity team obtained all cyber threat intelligence (including signatures, etc.) and reviewed the entire IT infrastructure for potential compromise by this cyberattack?
- If there are indicators of compromise found in the organization’s IT infrastructure:
- What is the cybersecurity team’s response to this cyberattack; how has this cyberattack been mitigated, and what organizational data and services which has been compromised by this cyber threat actor?
- Has the cybersecurity team engaged CISA to assist in the mitigation of this cyberattack?
- Does your organization have a cyber insurance policy which covers nation state type cyberattacks? If so, do they have a preferred cybersecurity incident response vendor with the expertise of nation state level cyberattacks? If not, consider the use of a 3rd party cybersecurity incident responder which does have this capability.
- Has a 3rdparty incident responder been engaged and if so, what is the status of this 3rd party incident responder’s response, mitigation, recovery, and reporting?
- What are the recommendations from the 3rd party incident responder for long-term monitoring of this and other nation state level actor’s cyber intrusion activity?
- If no indicators of potential compromise have been found in the organization’s IT infrastructure but the organization has engaged the services of a SolarWinds customer who may be compromised, consider the following questions:
- What has the SolarWinds customer who may be compromised done to determine if their organization has been compromised by this cyber threat actor?
- If these SolarWinds customers have been compromised by this cyber threat actor, was any of your organization’s data accessed by the cyber threat actor?
- What has been done to respond, mitigate, recover, and ensure full visibility to any SolarWinds customers which may have been compromised, and to their client organizations whose data may have also been compromised by this cyber threat actor?
- Lessons learned. The organization’s senior executive team and board of directors should request an after-action report regarding the impact of this cyberattack on the organization to identify any gaps, weaknesses, and lessons learned due to this cyberattack. In addition, these identified gaps, weaknesses, and lessons learned may require strategic resources to be authorized by the senior executive team and board of directors to provide the CIO/CISO and their cybersecurity team with the appropriate resources to continuously mature the organization’s cybersecurity risk management program and overall cybersecurity posture.
If you do not possess a solid foundational understanding of the various facets of cybersecurity, now is the time to obtain cybersecurity leadership training.
Today’s executive must possess a foundational understanding of the various facets of cybersecurity. This knowledge will assist them in their cybersecurity discussions with their CIO/CISO when making enterprise wide cybersecurity risk decisions to mature and provide the best cybersecurity posture for their organization.