
Ransomware Is Not the Biggest Cyber Threat – by GigNet Inc. Advisor Richard Clarke

Richard Clarke, CEO of Good Harbor Security Management and GigNet Inc. Advisor pens a series of articles on trends and events in the world of cyber security.

Ransomware attacks by criminal groups, many of which operate out of Russia, have attracted media, Congressional, and even Presidential attention, with President Biden threatening cyber attacks in retaliation. This wave of cyber crime, however, is a lesser threat when compared to the nearly silent campaign by Russian military and intelligence agencies to penetrate key corporate and government computer networks across this country. When the major East Coast gasoline pipeline was hit by ransomware, some US cyber security experts immediately doubted that the Russian government was the perpetrator. The Russian government, they believed, would not want a peacetime attack that proved how vulnerable the US pipeline system is. The GRU, Russia’s military intelligence agency and the home of its military hacker units, would want that key piece of US critical infrastructure left as easy prey for it to attack in a cyberwar. As many cyber experts expected, it was in the wake of a major attack, like that on Colonial Pipeline, that the US government introduced new regulations for privately owned and operated critical infrastructure. Indeed, minimum standards for petroleum pipeline cyber security were issued in the weeks following the Colonial hack. US companies complying with these new minimum standards may make it more difficult for the GRU to hack its way into pipeline controls, but hardly impossible for well-resourced and skilled attackers.


It is highly probable that the GRU has a contingency plan to engage in cyberwar with the US, a plan which it could execute within hours of being ordered to do so by Vladimir Putin. To be ready to respond that quickly, the GRU undoubtedly has already penetrated the target networks and created “backdoors,” covert access pathways for destructive malware.

Militaries have contingency plans for a variety of scenarios, most of which never materialize, but it is not unrealistic to think that the US and Russia might someday be in a crisis, or even combat, in which Moscow might want to cripple the US economy through cyber attacks. If that day ever comes, the GRU will not use ransomware attacks.

In the long list of companies that have briefly become household names because they have been victims of cyber attacks from Russia, one stands out as unique: SolarWinds. The SolarWinds company was not attacked by Russian criminals, and it was not a victim of ransomware. It was attacked by the Russian government, which used techniques so stealthy that SolarWinds itself never discovered the intrusion in the many months the Russians were inside its network. During those months, the Russian SVR altered the code of a software update that SolarWinds then sent to hundreds of companies and government agencies that were SolarWinds customers for its network management software. As soon as a customer installed that update, the backdoor it carried gave the attackers a foothold in the customer’s network as well.

A company in their supply chain had been used to attack them. All of those victimized companies and agencies also failed to notice as the Russians then moved around their networks, stealing data and leaving back doors. Over nine months went by until one day a justifiably paranoid computer security company, FireEye, noticed something amiss on its own network and traced the problem back to the SolarWinds software it used. Further investigation revealed the Russian penetration of hundreds of networks through SolarWinds, but it could just as easily have never been noticed. Billions of dollars’ worth of cyber security tools on the affected networks did not detect the Russians’ presence. FireEye’s detection of the attack campaign depended upon one suspicious and diligent human.

What if that human had been a little groggy that day?

Moreover, what makes us think that what the Russian government did to SolarWinds and its customers was unique? Russian intelligence penetrated SolarWinds, pivoted to its build process, and then used SolarWinds’ trusted status to spread its own access among SolarWinds’ customers. Was this successful attempt the SVR’s first? Will it be Russian state hackers’ last? There is little reason to think that Russian state-backed actors, other persistent threat groups, and cybercriminals will not seek to leverage software providers as an attack vector in future attacks. There are hundreds, if not thousands, of software companies that regularly send trusted updates to corporate and government clients numbering in the hundreds of thousands. The pivotal role of this software in the continuous operation of the US economy and government requires the development of new threat modeling techniques and cyber security practices. SolarWinds was unable to tell when the attacker entered its network. While many software-producing companies may be using the most effective known techniques to detect manipulation of their products, it is unlikely that other trusted providers are more capable than SolarWinds was of repelling this kind of persistent, nation-state threat.
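The distinction the SolarWinds case turns on, a trusted vendor shipping an update that its own build pipeline had already poisoned, is worth making concrete. The following is an added example, not code from the article or from any vendor, and the product name, digests and artifacts in it are constructed. It shows why a customer who only checks an update against the vendor’s published digest (or signature) cannot detect a build-time compromise: the vendor hashed and shipped the trojanized build, so the digest matches. Only comparison against an independent rebuild of the same release, built outside the vendor’s pipeline from the vendor’s source, separates an honest update from a compromised one.

```python
import hashlib
from typing import Dict, Optional

# Verdicts returned by classify_update.
ACCEPT = "accept"                        # matches vendor manifest and an independent rebuild
ACCEPT_UNVERIFIED = "accept-unverified"  # matches vendor manifest only; build-time tampering is invisible here
REJECT_TRANSIT = "reject-transit"        # does not match vendor manifest: altered after the vendor built it
REJECT_BUILD = "reject-build"            # matches vendor manifest but not the rebuild: vendor build pipeline compromised


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify_update(artifact: bytes,
                    vendor_manifest_digest: str,
                    independent_rebuild: Optional[bytes] = None) -> str:
    """Decide whether to trust a vendor-shipped update.

    vendor_manifest_digest: the SHA-256 the vendor publishes (or signs) for this artifact.
    independent_rebuild:    the same release built from the vendor's source by a party outside
                            the vendor's build pipeline, or None if no such rebuild exists.
    """
    if sha256_hex(artifact) != vendor_manifest_digest:
        # The bytes the customer holds are not what the vendor attested to.
        return REJECT_TRANSIT
    if independent_rebuild is None:
        # Vendor attestation holds, but nothing independent confirms the vendor's build itself.
        return ACCEPT_UNVERIFIED
    if sha256_hex(artifact) != sha256_hex(independent_rebuild):
        # The vendor attested to an artifact that an honest build of its own source does not produce.
        return REJECT_BUILD
    return ACCEPT


# Constructed sample artifacts (hypothetical; not real SolarWinds or Kaseya binaries).
CLEAN_BUILD = b"NetworkMonitor v3.1: legitimately compiled code"
TROJANIZED_BUILD = CLEAN_BUILD + b" + implant inserted on the build server"


def run_scenarios() -> Dict[str, str]:
    """Four deliveries of the same release, showing which check catches which compromise."""
    results: Dict[str, str] = {}

    # 1. Honest vendor, honest build server: manifest and independent rebuild both match.
    results["honest"] = classify_update(CLEAN_BUILD, sha256_hex(CLEAN_BUILD), CLEAN_BUILD)

    # 2. Artifact swapped on a mirror or CDN after the vendor published its manifest.
    results["transit"] = classify_update(TROJANIZED_BUILD, sha256_hex(CLEAN_BUILD), CLEAN_BUILD)

    # 3. Build server compromised: the vendor itself produced, hashed and shipped the trojanized
    #    artifact, so the manifest matches. Only the independent rebuild disagrees.
    results["build"] = classify_update(TROJANIZED_BUILD, sha256_hex(TROJANIZED_BUILD), CLEAN_BUILD)

    # 4. Same compromise, but the customer checks only the vendor manifest: the implant is accepted.
    results["build_no_rebuild"] = classify_update(TROJANIZED_BUILD, sha256_hex(TROJANIZED_BUILD))

    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:18s} -> {verdict}")
```

Scenario 4 is the SolarWinds shape: every customer-side integrity check passes because the vendor attested to the poisoned build. Scenario 3 shows what closes that gap, reproducible builds verified by someone other than the vendor, which is a practice, not a product, and is what the call for new threat modeling above amounts to in engineering terms.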

The recent cyber attack on Kaseya by ransomware criminals has caused some cyber experts to infer that the software supply chain attack technique has been in criminal use for a while. There is a pattern in which cyber attack techniques used by a government are eventually mimicked by criminal groups. The software company Kaseya, which like SolarWinds sells IT management software, was targeted by criminals who used its trusted remote-management channel to propagate ransomware onto its customers’ networks, much the same way the Russian government hackers used SolarWinds to spread their access.

Russian hackers learning how to be more effective with time is nothing new. In 1998, I convened the first meeting ever held in the White House Situation Room to respond to a foreign cyber attack campaign. Some group, which I later came to believe was the Russian government, was systematically penetrating US government and corporate computer networks, copying and exfiltrating sensitive information. We gave the attack campaign a code name: Moonlight Maze. The attacks continued for two years. After every attack we discovered, we would attempt to block the attack technique they had used. The attacker would then come back, using a better technique. That cycle continued until one day we no longer noticed them anymore. “Have we finally stopped them?” someone asked. “No, we haven’t,” an expert from a US intelligence agency replied. “Nobody ever notices us on their networks. They’re just getting as good as we have been.”

The fact that we are not noticing the Russian government’s hackers on our crucial networks does not mean they are not there. It means they are good at what they do. They penetrate and then persist, moving about in ways that no cyber security defense product will notice on its own. Moonlight Maze proved they could do it twenty years ago. SolarWinds proved they can still do it, despite the massive improvement in costly cyber defenses. President Biden’s recent Executive Order took some steps toward improving software supply chain security, but this alone is not enough.

The US government has no systematic, public-private program to “threat hunt” in the networks of critical private sector companies. Nor does it have one integrated effort to find penetrations of sensitive government networks. So, while it’s nice that the Biden Administration and Congress have taken notice of Russian criminal ransomware attacks, they need to understand that ransomware is not the biggest cyber threat to the US emanating from Moscow.


About Good Harbor

Good Harbor is a boutique cyber security advisory that advises senior corporate executives, Boards, investors, and government leaders on cyber security issues and managing cyber security risk. Good Harbor provides a range of management and Board-level cyber security advisory services including the following:

  • Briefing Boards and management on the cyber security threat
  • Navigating governance challenges for management and the Board
  • Delivering risk management assessments, strategies, and programs
  • Developing policies and technology roadmaps
  • Preparing to manage cyber crises through incident response plans and crisis simulation table top exercises (TTXs)
  • Helping investors and parties to M&A transactions with cyber security diligence, finding value and mitigating risk throughout the investment and M&A lifecycle

The firm is headquartered in Washington, D.C. and is led by former White House advisor Richard Clarke, who advised the last four Presidents, including as Special Advisor to the President for Cybersecurity and National Coordinator for Security and Counterterrorism. Most recently, Mr. Clarke served on President Obama’s five-person Review Group on Intelligence and Communications Technologies. He is the author of The Fifth Domain: Protecting Our Country, Our Companies and Ourselves in the Age of Cyber Threats.

Good Harbor has advised numerous Fortune 200 clients and companies around the world and across sectors including financial services, telecommunications, private equity, energy, and insurance. More information is available at https://www.goodharbor.net/.
