You were warned —
US still has no good answer for “supply chain” attacks that let Russia run wild.
Lily Hay Newman, wired.com
–
Last week, several major United States government agencies—including the Departments of Homeland Security, Commerce, Treasury, and State—discovered that their digital systems had been breached by Russian hackers in a months-long espionage operation. The breadth and depth of the attacks will take months, if not longer, to fully understand. But it’s already clear that they represent a moment of reckoning, both for the federal government and the IT industry that supplies it.
As far back as March, Russian hackers apparently compromised otherwise mundane software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, the attackers could distribute their malware to a vast array of customers without detection. Such “supply chain” attacks have been used in government espionage and destructive hacking before, including by Russia. But the SolarWinds incident underscores the impossibly high stakes of these incidents—and how little has been done to prevent them.
“I liken it to other types of disaster recovery and contingency planning in both the government and the private sector,” says Matt Ashburn, national security engagement lead at the Web security firm Authentic8, who was formerly chief information security officer at the National Security Council. “Your whole goal is to maintain operations when there’s an unexpected event. Yet when the pandemic started this year, no one seemed prepared for it, everyone was scrambling. And supply chain attacks are similar—everyone knows about it and is aware of the risk, we know that our most advanced adversaries engage in this type of activity. But there has not been that concerted focus.”
The recriminations came soon after the attacks were revealed, with US Sens. Ron Wyden (D-Ore.) and Sherrod Brown (D-Ohio) directing pointed questions at Treasury Secretary Steve Mnuchin in Congress about that department’s preparedness and response. “As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects,” said Sen. Mark Warner (D-Va.), vice chair of the Senate Intelligence Committee, in a separate statement on Monday. “We should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors.”
The United States has invested heavily in threat detection; a multibillion-dollar system known as Einstein patrols the federal government’s networks for malware and indications of attack. But as a 2018 Government Accountability Office report detailed, Einstein is effective at identifying known threats. It’s like a bouncer who keeps out everyone on their list but turns a blind eye to names they don’t recognize.
That made Einstein inadequate in the face of a sophisticated attack like Russia’s. The hackers used their SolarWinds Orion backdoor to gain access to target networks. They then sat quietly for up to two weeks before very carefully and intentionally moving within victim networks to gain deeper control and exfiltrate data. Even in that potentially more visible phase of the attacks, they worked diligently to conceal their actions.
“Like the attacker teleports in there out of nowhere”
“This is a reckoning for sure,” says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. “It’s inherently so hard to address, because supply chain attacks are ridiculously difficult to detect. It’s like the attacker teleports in there out of nowhere.”
On Tuesday, the GAO publicly released another report, one that it had distributed within the government in October: “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” By then, the Russian assault had been active for months. The agency found that none of the 23 agencies it looked at had implemented all seven fundamental best practices for cyberdefense it had identified. A majority of agencies hadn’t implemented any at all.
The supply chain problem—and Russia’s hacking spree—is not unique to the US government. SolarWinds has said that as many as 18,000 customers were vulnerable to the hackers, who managed to infiltrate even the high-profile cybersecurity firm FireEye.
“It was not easy to determine what happened here—this is an extremely capable, advanced actor that takes great steps to cover their tracks and compartmentalize their operations,” says John Hultquist, vice president of intelligence analysis at FireEye. “We were fortunate to get to the bottom of it, frankly.”
But given the potential implications—political, military, economic, you name it—of these federal breaches, Russia’s campaign should serve as the final wake-up call. Though it seems so far that the attackers accessed only unclassified systems, Rendition Infosec’s Williams emphasizes that some individual pieces of unclassified information connect enough dots to rise to the level of classified material. And the fact that the true scale and scope of the incident are still unknown means there’s no telling yet how dire the full picture will look.
“Zero trust”
There are some paths to improve supply chain security: the basic due diligence that the GAO outlines, prioritizing audits of ubiquitous IT platforms, more comprehensive network monitoring at scale. But experts say there are no easy answers to combat the threat. One potential path would be to build highly segmented networks with “zero trust,” so attackers can’t gain very much even if they do penetrate some systems, but it’s proven difficult in practice to get large organizations to commit to that model.
“You have to put a great deal of trust in your software vendors, and every one of them ‘takes security seriously,'” says Williams.
Without a fundamentally new approach to securing data, though, attackers will have the upper hand. The US has options at its disposal—counterattacks, sanctions, or some combination of those—but the incentives for this sort of espionage are too great, the barriers to entry too low. “We can blow up their home networks or show them how angry we are and rattle sabers, and that’s all fine,” says Jason Healey, a senior research scholar at Columbia University, “but it’s probably not going to influence their behavior long-term.”
“We need to figure out what we can do to make the defense better than the offense,” says Healey. Until that happens, expect Russia’s hacking rampage to be less of an exception than it is a blueprint.
This story originally appeared on wired.com.