Situation Report: SolarWinds Hack Highlights Persistent Cyber Threats from Russia, China

Reuters revealed this week that the People’s Republic of China (PRC) appears to be the latest adversary to exploit vulnerabilities in the systems of SolarWinds, the massive IT firm that fell prey to Russian hackers last year. SolarWinds’ software is part of the “supply chain” that services numerous agencies within the U.S. government as well as many major corporations.

For the Chinese attackers, their access to the SolarWinds network enabled them to penetrate the Department of Agriculture – likely a high priority intelligence target of the PRC given the importance of American agricultural products to US/China trade negotiations. From this “first layer” of penetration, it appears the hackers moved to a “second layer” – the National Finance Center (NFC), which performs payroll and other administrative services for a “third layer” of targets:  more than 160 agencies – including the FBI, DHS, State Department and Treasury Department – and more than 600,000 Federal Employees.

This type of cyber espionage is common for the PRC, whose hackers used a similar technique against the Office of Personnel Management (OPM) in 2014, initially targeting government contractors with access to OPM servers as an avenue to eventually steal some of the most highly sensitive and personal information on millions of federal employees, including those in the Department of Defense (DoD) and Intelligence Community (IC).

Cyber experts agree that the Solar Winds hack was carried out in a sophisticated manner, and demonstrates major U.S. vulnerabilities.

Keith Larson, the editorial leader of ControlGlobal.com – a blog for some of the world’s top cybersecurity experts and engineers – described how the Russian hack was executed: “…an insidious malware agent called Sunburst wormed its way into the development supply chain of SolarWinds. Then, using a signed software update to the company’s Orion network management software as its Trojan horse, the malware was welcomed into some 18,000 government and corporate clients’ networks.”

Joe Weiss, ControlGlobal cybersecurity blogger and managing partner of Applied Control Solutions, observed that “This incident just proves that we’re never going to have a fully secure network. The Russians have beaten all three: two-factor authentication, digital certificates, and now a signed software update.”

A veteran IT analyst who agreed to comment on the condition of anonymity, underscored the seriousness of this breach.  “What makes it dangerous is that the SUNBURST BACK DOOR installed automatically with a routine download of a SolarWinds upgrade.  Attackers can then be very selective on victims and times, and you can be certain in the months it has been active, with no detection, the hackers have had a field day.”

Meanwhile, Russia’s exploitation of SolarWinds demonstrates substantial growth and maturation of their cyber forces, their access to computer resources, and their technological understanding and competence. The hack undoubtedly furthered the Moscow’s intelligence gathering and espionage capabilities against the United States. “The major objective of the SolarWinds campaign is to provide the Russian Federation with an attack against Cloud architectures,” explains the veteran IT analyst.

This is particularly worrying given the movement to “the cloud” by so many federal agencies. For example, according to Nextgov, “The Central Intelligence Agency has awarded its long-awaited Commercial Cloud Enterprise, or C2E, contract to five companies—Amazon Web Services, Microsoft, Google, Oracle and IBM. Under the C2E contract vehicle, the companies will compete for specific task orders issued by the CIA on behalf of itself and the 16 other agencies that comprise the intelligence community.”

SolarWinds services four of those five companies, as well as the Office of the President of the United States, the State Department, The Justice Department, the Pentagon, the National Security Agency (NSA) and NASA.  In the wake of the massive breach, the company has removed a list of high-profile clients from its website, perhaps to defend them from bad publicity.

Just because a company or agency is a client of SolarWinds doesn’t necessarily mean that it has been affected. However, given the intelligence gathering goals of Russia and China, their capabilities, and the fact that best U.S. cyber warriors –who operate under rubric of NSA and cyber command—are unable to work on domestic vulnerabilities we should be prepared to assume the worst.