The Russian Cyber-Bear has roared once again. The notorious Advanced Persistent Threat (APT) group APT29, or Cozy Bear, seems to have forgone hibernation this winter in order to continue a months-long, ambitious, and creative supply chain attack against SolarWinds, a maker of server management and performance monitoring software, that threatens a vast array of entities, both public and private, in the United States and around the world. The incident was so alarming that the National Security Council met at the White House on Saturday, and the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive to curtail the damage.
The Russian cyberespionage group commonly associated with the Russian Foreign Intelligence Service (SVR) is thought to have gained backdoor access, through trojanized updates to the SolarWinds Orion platform, to hundreds of entities, among them the United States Treasury, the Department of Commerce, and the Department of Homeland Security, as well as potentially numerous Fortune 500 firms and many other private and government organizations. The list of SolarWinds customers, since removed from the company's website, included more than 80 percent of the Fortune 500, the top ten U.S. telecommunications firms, all five branches of the U.S. military, the Pentagon, NASA, the National Security Agency, the Postal Service, the Department of Justice, the Office of the President of the United States, and the top five U.S. accounting firms. The SolarWinds breach also hit the prominent cybersecurity firm FireEye, which was among the first to break the story.
Dmitri Alperovitch, co-founder and former CTO of CrowdStrike, said of the SolarWinds intrusion that the access Cozy Bear was able to achieve amounted to “God-mode” and went on to say, “This can turn into one of the most impactful espionage campaigns on record.” By compromising SolarWinds’ trusted software build and update distribution around March of this year, the intruders were able to deliver malware under the perfect guise of legitimate updates from the vendor. Because the trojanized update was built and then signed inside SolarWinds’ own release process, it carried the vendor’s legitimate code-signing certificate; signature checks on customer hosts therefore passed, and Cozy Bear evaded detection. Once installed in the routine course of the update, the malware opened a backdoor in the infected system and phoned home to let its creators know the door was open. From then on, the intruders likely had pervasive access to government and industry systems, with none the wiser until earlier this week. At the time of writing, much is still unknown about the extent of the intruders’ exfiltration of sensitive data. Of the myriad entities that received the infected updates, many have not yet confirmed whether they were compromised. The intrusion most likely targeted national security data; the personal information of private firms’ employees was probably not the primary objective of the operation.
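The detail that matters to practitioners in the paragraph above is that a valid vendor signature proved nothing about what the build server had inserted before signing. The following toy model, added here as an illustration and not code from SolarWinds, FireEye, or any investigator, shows why a customer-side acceptance check needs more than signature validation. It assumes an HMAC key standing in for the vendor's code-signing certificate, a deterministic build_from_source() standing in for a real reproducible compiler, and a constructed "backdoor" payload; the package bytes and source tree are made up for the demonstration.

```python
"""Toy model: a valid code-signing check alone does not catch a trojanized update.

Added illustration, not SolarWinds or FireEye code. An HMAC key stands in for the
vendor's code-signing certificate and build_from_source() for a real compiler;
the package bytes and the "backdoor" are constructed here.
"""
import hashlib
import hmac

# Assumption: the vendor's signing secret. In reality this is the private key of
# a code-signing certificate; the attackers never needed it because the implant
# was inserted before the (legitimate) signing step.
VENDOR_SIGNING_KEY = b"vendor-code-signing-key-TOY"


def sign_package(package: bytes) -> str:
    """Vendor release pipeline: sign whatever came out of the build system."""
    return hmac.new(VENDOR_SIGNING_KEY, package, hashlib.sha256).hexdigest()


def signature_valid(package: bytes, signature: str) -> bool:
    """What an endpoint's update client checks: is this really from the vendor?"""
    return hmac.compare_digest(sign_package(package), signature)


def build_from_source(source: bytes) -> bytes:
    """Deterministic stand-in for a reproducible build: same source -> same bytes."""
    return b"ORION-UPDATE:" + hashlib.sha256(source).hexdigest().encode()


def compromised_build_server(source: bytes) -> bytes:
    """Constructed model of the attack: the build host appends a backdoor module
    before the artifact reaches the signing step, so the vendor signs the trojan."""
    return build_from_source(source) + b"\n[backdoor: open listener, beacon to C2]"


def vet_update(package: bytes, signature: str, independent_digests: set[str]) -> str:
    """Customer-side acceptance policy.

    independent_digests: SHA-256 digests of the same release rebuilt from the
    published source on infrastructure the vendor's build server cannot touch
    (reproducible-build attestation). A valid signature is necessary but not
    sufficient; the artifact must also match a build the vendor's pipeline did
    not produce alone.
    """
    if not signature_valid(package, signature):
        return "reject: bad signature"
    if hashlib.sha256(package).hexdigest() not in independent_digests:
        return "reject: signed, but does not match an independent build"
    return "accept"


def demo() -> dict[str, object]:
    """Run the clean path and the attack path through the same checks."""
    source = b"orion-2020.2 source tree (constructed)"

    # Clean release path: honest build, then signing.
    clean_pkg = build_from_source(source)
    clean_sig = sign_package(clean_pkg)

    # Attack path: same source, same signing key, but a tampered build server.
    trojan_pkg = compromised_build_server(source)
    trojan_sig = sign_package(trojan_pkg)

    # A customer or third party rebuilds the release from source independently.
    attested = {hashlib.sha256(build_from_source(source)).hexdigest()}

    return {
        "trojan_signature_valid": signature_valid(trojan_pkg, trojan_sig),
        "clean_verdict": vet_update(clean_pkg, clean_sig, attested),
        "trojan_verdict": vet_update(trojan_pkg, trojan_sig, attested),
        "forged_verdict": vet_update(trojan_pkg, "00" * 32, attested),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point the model makes is narrow: the trojanized package passes the signature check exactly as the clean one does, and only a comparison against a build the vendor's pipeline did not produce alone rejects it. Real reproducible builds and provenance attestations are harder to set up than this toy suggests, but the check they enable is the one a signature cannot provide.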
A silver lining in this “nightmare scenario” is that technical bottlenecks would have impeded swift exfiltration of data through the compromised Orion installations; outbound data flow would have been laborious and time-consuming. Cozy Bear operatives would likely have had to choose a narrower band of targets from the broad array available. The biggest constraint they faced was simply the target-rich environment: every move inside a high-value system increases the risk of discovery, and there are only so many operators with the skills to conduct these operations. That does not, however, bode well for the U.S. government entities that were specifically targeted.
Given the highly sophisticated, evasive, and creative nature of this compromise, it may seem unfair to lay the blame at the feet of any U.S. official, let alone President Donald Trump, personally. Certainly, foreign rivals such as the Russian Federation do not need any invitation or excuse to attempt to cause harm to the United States. The person sitting in the Oval Office is of little consequence overall, but it is also not unreasonable to examine the administration’s approach to countering foreign cyber-offensive operations and any unforced errors that may have set the stage for this event.
In the wake of the seismic 2016 presidential election, and the subsequent investigations into Russian involvement in a coordinated disinformation campaign, President Trump told Foreign Minister Sergey Lavrov that he was unconcerned about Russian interference. As the Special Counsel investigation progressed, many in the administration who spoke out or testified about Russian involvement in hacking Democratic National Committee (DNC) servers, or in a social engineering and disinformation campaign of unprecedented scale, were fired or otherwise derided until they left government. FBI Director Comey’s firing was followed by the departure of Russia experts such as Andrew McCabe, Bruce Ohr, Peter Strzok, Marie Yovanovitch, Alexander Vindman, and Fiona Hill. After the Special Counsel’s team indicted Russian hackers in 2018 for their involvement in the 2016 fiasco, President Trump met Vladimir Putin in Helsinki. When asked by a member of the press about Russian hacking and disinformation operations, Trump sided with the KGB alumnus sharing the stage with him over the U.S. Intelligence Community that reports to him.
Later in 2018, then-National Security Advisor John Bolton announced a new cyber strategy that included “authorized offensive cyber operations.” While apparently intended to deter adversaries from attacking the United States on a “best defense is a good offense” theory, the likely result is a cascading tit-for-tat in global cyber operations, with more, not fewer, attacks between nation-states. An attack invites reciprocation, and the murky domain of cyber lets many actors operate with few dramatic repercussions. Especially when facing the United States, which operates with a higher adherence to law and international custom, adversaries in less connected or less democratic regimes have less to lose and more to gain from cyber volleys. It remains unclear whether a “gloves off” approach to cyber conflict makes the United States more or less safe. It certainly grants legitimacy to adversarial cyber conflict.
In a further blow to the United States holding Russia accountable for its cyber operations, the Department of Justice (DOJ), under Trump’s appointed Attorney General Bill Barr, moved to drop its case against two Russian entities that had been indicted through the former Special Counsel's investigation into Russia's interference in the 2016 U.S. election. A trial of those entities would have reopened old wounds and returned attention to the idea that Russian disinformation and hacking may have aided then-candidate Trump. Barr’s DOJ dropped the case that would have drawn attention to the Russian state’s cybercrimes, stating that the trial would serve no purpose.
More recently, CISA director Chris Krebs was fired by tweet, ostensibly over his statements about the security of the 2020 election. Krebs’ Rumor Control site, created within CISA to counter disinformation, is thought to have contributed to the president’s dislike of him; the site frequently debunked election fraud theories of the kind prominently featured on the president’s Twitter page. Krebs is held in high esteem in the information security field, and his ouster is widely seen as politically motivated and contrary to the aims of CISA. At the time of writing, the president’s Twitter feed and public statements have been almost entirely focused on election fraud theories, without a word on this calamitous intrusion. The Trump administration appears uninterested in holding Russia accountable for its cyber activity against U.S. interests.
Aside from CISA, Secretary of State Mike Pompeo became one of the only high-level administration officials to break the silence over the Russian intrusion. Asked about the breaking story in an interview with Breitbart News Radio, Pompeo deftly deflected, remarking that China and North Korea present even greater problems. The continued effort to ignore the Russian cyber issue was evident.
While the president and high-level staffers such as Pompeo ignore the issue, thousands of government IT workers will be working through the holidays to clean up the mess. Thousands more, including many employees outside government, will find their networks unreachable as the long, arduous task of rooting out the intruders goes on. The damage done over the last few months as a result of the SolarWinds attack may not be known for weeks or months, but by all accounts it will be costly in the extreme, quite apart from the vast compromise of government secrets. The incoming Biden administration will have yet another headache to deal with come January.
None of this is to say that the U.S. Intelligence Community was stripped of its cyber defenses under the Trump administration, or that the Russian cyberespionage apparatus would not have attempted this had Trump lost the 2016 election. However, the Trump administration has a consistent record of going out of its way to cover for Russian cyber offenses, perhaps leading Vladimir Putin to believe his actions in cyberspace would go unchecked, or at least be met with middling resistance. Not capitalizing on that situation would have been a wasted opportunity, and Vladimir Putin can hardly be expected to waste one.