In December 2020, the world was rocked by an enormous supply chain attack against software provider Solarwinds, which provided unprecedented access to thousands of the company’s corporate clients. This included several key organizations within the US government and other companies within the private sector. Attackers were able to monitor SolarWinds’ network traffic and maintain persistence on affected systems and environments by leveraging trojanized versions of product updates. The campaign likely began between March and June 2020, and was not detected until December 2020.
Investigation of the Solarwinds supply chain attack pointed the finger squarely towards the direction of Russia, and specifically the Foreign Intelligence Service (SVR). The response from Moscow has been predictable, in denying any association with the attack, and vowing to retaliate to any sanctions imposed by the US, which it deems illegal.
A significant challenge for respective governments in the aftermath of cyber attacks is not only attributing to a known attacker—which may assist with determining the actor’s specific objectives and motivations—but also providing a meaningful response. With no clear rules of engagement for dealing with cyber attackers, judgment over what is an appropriate and proportionate response can often be debatable, and have notable consequences on the cyber threat landscape.
How are cyber attack attributions determined?
Providing attribution is normally extremely challenging. Despite the confidence in which the FBI, NSA, and CISA have provided in attributing the Solarwinds attack to Russia, this has come after a thorough investigation from multiple governmental intelligence and security agencies; a response of this magnitude will only typically be conducted in the aftermath of the largest and most serious of incidents. Gaining an understanding of who is responsible for malicious activity in the majority of cyber incidents is incredibly challenging, particularly for companies with limited resources, budgets, and understanding of the cyber threat landscape.
When attempting to work out who may be behind an attack, incident responders typically assess both indicators of compromise (IoCs) and attackers tactics, techniques, and procedures (TTPs) that had been observed during the respective attack. While IoCs are often a good place to start, attacker infrastructure like IP addresses, domains, can easily be spoofed or generated in a manner which will obfuscate the attackers real identity. In addition to this, Russian attackers have even been observed hijacking infrastructure used by Iranian state sponsored groups. This was likely to piggyback from their cyber espionage campaign and to attack government and industry organizations, all while masquerading as attackers from the Islamic Republic. This highlights the complexity in providing a confident attribution to individual attacks, given attackers clearly place precedence on covering their tracks .
Individual attacker TTPs are also becoming harder to distinguish, with the use of ‘off the shelf malware’ and other tools becoming more widespread, and more difficult to attribute to distinct threat actors and groups. The technical threshold between cybercriminal groups and nation state actors is also getting closer. The initial actors behind another supply chain attack affecting software provider Accellion, which involved the chaining of 4 zero-day vulnerabilities, was thought to have been conducted by FIN11, a cybercriminal group with ties into the Clop ransomware variant. The identification, exploitation, and chaining of 3 distinct bugs is no mean feat, and from my perspective I don’t think I’d seen a cybercriminal group conduct an attack using such sophistication and initiative before.
How are responses attributed to nation-state cyber attacks?
Sun Tzu, the famous Chinese military general and strategist once said, “The supreme art of war is to subdue the enemy without fighting”. In the struggle for global hegemony, cyber attacks can be viewed as a method to wield favorable outcomes on a number of issues. For Chinese state sponsored actors, targeting computer networks of interest and enabling persistence can provide significant access to intellectual property and other sensitive data that can bolster their own technological advancements. This in turn greatly enhances China’s goals of emerging as the world’s biggest economy and superpower.
Iran and North Korea—which are commonly thought as 2 of the 4 countries with the most capable and active offensive threat groups—also use cyber attacks either as a means to exert regional dominance, or in the case of North Korea, provide financial assistance to the regime. Perhaps the best example of this was observed in 2016, in which North Korean APT Lazarus Group stole USD 81 million from the Bank of Bangladesh.
Russia on the other hand arguably wields a far more complicated offensive cyber security program. On one hand Russian actors are known to be rather loud and brash, using deliberate malicious acts like denial of service (DoS) and other computer network attacks (CNA), which often coincide with Russian military action. This was observed in the Russian invasion of South Ossetia and Abkhazia in Georgia in 2008, and also against the Ukraine during the leadup to the invasion of the Crimea in 2014.
Russian actors have also engaged in several highly advanced espionage and influence campaigns, with debatable motivations. The most obvious place to start is the 2016 U.S presidential election, in which Russian state sponsored group FancyBear infamously compromised the Democratic National Convention (DNC), wedging a divide in the political party by leaking internal emails to Wikileaks that painted Democratic candidate Hillary Clinton in an unfavourable light. This has been talked about to death—and while I think the actual effect this had on the election is at least debatable—it shows that Russian actors are absolutely interested in sowing discontent and otherwise influencing democratic elections. Similar activity had also been seen in other Western democratic elections, including influence campaigns during the 2020 US election.
The most significant Russian state sponsored attack of recent years has to be the supply chain attack referenced at the start of this article, which Microsoft CEO Brad Smith referred to as the ‘largest and most sophisticated attack’ ever. We’ve gone into detail on this attack on a fantastic blog back in December, however subsequent investigation of the event has demonstrated the ingenuity and huge scale of the attack; estimates vary, however it is likely that hundreds of companies’ networks were compromised by the attackers activity.
The motivations of these attackers are all different, as are the methods and ramifications of their activity. It’s extremely difficult to provide a meaningful framework for responding to a wide array of attacks, which is also undoubtedly influenced by geopolitics. If an impactful cyber attack was attributed to China, would it elicit the same response from the West as a similar attack conducted by a state sponsored group from Russia, or North Korea? Possibly not.
What are the rules of engagement for cyber response?
Although countries make their own assessments of what can constitute an act of war or an otherwise offensive action, generally such decisions are shaped by the Laws of Armed Conflict (LOAC). These are usually drawn from the United Nations Charter, the North Atlantic Treaty Organisation (NATO) and the Hague and Geneva Conventions. Determining a set of laws to apply for cyber attacks however becomes extremely difficult. Whilst most attacks do not result in physical harm or damages, some have caused legitimate damages or possible threats to life. The classic example is the Stuxnet worm, which was used to target supervisory control and data acquisition systems and famously was responsible for causing substantial damage to the nuclear program of Iran. Many have suggested a number of parties could have been responsible for this attack including the U.S government or work of Israeli intelligence agencies. Somewhat conveniently for the title of this blog, this has never been confirmed with any real conviction.
Recent attacks against critical national infrastructure (CNI) have also resulted in significant damages that could represent a genuine threat to life. In February, an unknown attacker compromised the network of a water treatment plant in Oldsmar, Florida, and attempted to interfere with the water supply, by changing the levels of sodium hydroxide to lethal levels. Thankfully this was stopped by a combination of the plant’s controls and an observant worker who spotted his cursor moving on his screen. Who committed this intrusion and the reasons why are still not clear.
Attacks against CNI also occurred on 7 May 21, when a Darkside ransomware attack against Colonial Pipeline resulted in significant disruptions to the energy providers operations. The impact in the U.S was significant; fuel prices skyrocketed, individuals were unable to fuel their vehicles at several petrol stations, which in turn led to some reports of panic buying. The incident also had a demonstrable impact on the criminal landscape, with prominent cybercriminal forums XSS and Exploit banning users from hosting ransomware related content. The attack has served as a wake up call to both the susceptibility of CNI, and also the implications caused by the runaway freight train that has been ransomware in the past 18 months. It also raises the same question, with the attackers likely based in Russia, but not associated to the state (not directly anyway), how can the U.S respond in any meaningful manner?
How has the Biden administration responded to cyber attacks?
In response to the Solarwinds attack—in addition to Russia’s occupation of Crimea and other reported election interference—US President Biden placed sanctions on “companies operating in the technology sector of the Russian Federation economy that support Russian Intelligence Services.” This was accompanied by the expelling of 10 Russian diplomats from the U.S, and other broader sanctions.
The actual impact these sanctions will have on Russia, and other nation states conducting similar malicious activity, is debatable. While the US has to be seen to be actively responding to Russia’s activity, it is extremely unlikely that the imposition of sanctions will result in a deterrent or lowering of the risk associated with Russia’s nation state groups. It could even be argued that the sanctions may result in a spike in activity from other Russian cybercriminal and lower skilled actors; Russian criminals actors are known to be firecely patriotic, with many Russian ransomware and other criminal groups refusing to target companies based in the Commonwealth of Independant States (CIS), i.e. former Soviet bloc countries (also conveniently avoiding scrutiny from authorities in which they reside). These sanctions could result in opportunistic attacks being conducted as a reprisal for what they deem to be an unproportionate response form the U.S.
Whether sanctions work or not, it’s likely that their use is here to stay. Not only with the Biden administration, but also with Europe. In July 2020, the EU imposed their first sanctions against 6 individual and 3 entities known to have conducted cyber attacks, which include the WannaCry, CloudHopper, and NotPetya incidents. Sanctions are likely to be an increasingly used playbook within Europe, alongside an escalation in law enforcement activity; in 2021, law enforcement operations have already targeted criminal groups operating the Emotet, Egregor and Netwalker ransomware, and dark web marketplace DarkMarket. I would expect significant activity in attempting to bring charges against operators of the Darkside ransomware in the aftermath of the Colonial Pipeline incident.
Preventing cyberattacks to your organization
Determining ‘why’, is often just as important as ‘who’ in the aftermath of an attack: Biden’s administration have realistically gone as far as they can, and while sanctions are unlikely to result in a significant decreased risk from Russian threat actors, it does demonstrate that such attacks will yield a response. In the past month, Biden has also signed an executive order (EO) aiming at strengthening the security of networks for companies working with the federal government. This has been issued in order to reduce the likelihood and impact of future attacks.
For private sector companies, in the chaos of incident response I’ve often found there is too much emphasis placed on determining the ‘who’ rather than finding out why the attack may be occuring, or how. Whilst answering these questions is important—and of course these issues are closely linked—ascertaining the objectives of the attack may often provide a more effective method of protecting your assets. As I highlighted earlier, due to the advanced nature of many of these actors, for many companies without significant resources or manpower, determining exactly which actor is targeting you can be an extremely difficult task.
This is where Digital Shadows (now ReliaQuest) can help. We have an extensive library of known threat actors, groups, and their respective TTPs. Our team issue daily updates on every external incident you need to know about, in addition to other trends on the cyber threat landscape that allow our clients to stay one step ahead of the game.
Recently, our platform has also been enhanced with the addition of the MITRE ATT&CK framework into profile tagging and Intel Update tagging. This makes tracking active campaigns and understanding attribution that much easier. Get a 7-Day free trial of our Threat Intelligence library including MITRE detection and mitigations here, or book of demo of the SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) platform for a custom consultation on prevent and protecting your organization’s digital risk.