Cyberwar – The FireEye and SolarWinds attack.

Should Digital Authoritarianism cause the threshold for war to be redefined?

By Philip Ingram MBE

In early December the US-based cyber security giant FireEye detected a breach by what Kevin Mandia, its CEO, described as “a nation with top-tier offensive capabilities.” He went on to say, “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

The attackers stole a series of what he described as “certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behaviour of many cyber threat actors.” In essence they stole FireEye’s own hacking toolkit, and given its customer base of high-level corporates and government agencies, those tools would have been designed to test exactly those kinds of networks and systems.

Whilst investigating the attack, his team identified that “the attacker primarily sought information related to certain government customers.” More worryingly, they identified “a supply chain attack trojanising SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.”

Some reporting has attributed the attack to a Russian state-sponsored group known as APT 29, or Cozy Bear. However, in 2017 a group of hackers known as the Shadow Brokers published a collection of hacking tools stolen from the NSA. FireEye has not yet named the actor, but speculation that it was Russian is rife. A Kremlin official denied that Russia had any involvement.

SolarWinds is a company that provides IT infrastructure management software, ensuring that software updates are downloaded and installed automatically, and the like. Many of its customers are large enterprises or government agencies controlling things like critical national infrastructure, power and water grids, nuclear facilities, military facilities and more.

SolarWinds estimated that some 18,000 customers had downloaded the trojanised updates, potentially enabling the attacker to monitor network activity and to steal data and credentials from the infected systems. It could potentially allow the attacker to take control of networks. The full degree of exploitation hasn’t been made public yet.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert detailing what it knows about the breach. “Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST,” they said, adding, “Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.”

CISA concluded, “taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.”
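The CISA description above gives a defender two things to look for on the servers that run the management software: outbound destinations the product should never need, and a domain whose answers keep rotating to fresh IPs. The following sketch is an added illustration, not code from the article, FireEye, CISA or SolarWinds; the host names, domains, log format and IP addresses are all constructed placeholders, not real campaign indicators.

```python
"""Detection sketch for the beaconing behaviour described in the CISA alert.

Constructed DNS log lines: "<timestamp> <client_host> <query_name> <answer_ip>".
For hosts known to run the monitoring software, it flags (1) queries to domains
outside the expected vendor allow-list and (2) domains whose answers rotate
across several IPs. Every name and address here is a placeholder.
"""
from collections import defaultdict

# Inventory of servers running the management software (constructed).
ORION_HOSTS = {"orion-srv-01", "orion-srv-02"}
# Destinations those servers are expected to contact (placeholder domains).
EXPECTED_DOMAINS = {"updates.vendor.example", "licensing.vendor.example"}
ROTATION_THRESHOLD = 3  # distinct answer IPs before a domain counts as rotating

# Constructed sample log, not real traffic. The suspicious domain's answers
# all sit in one "domestic" range: as the alert notes, in-country IPs are
# no reason to treat the traffic as benign.
SAMPLE_LOG = """\
2020-06-01T08:00:01 orion-srv-01 updates.vendor.example 203.0.113.10
2020-06-01T08:05:02 orion-srv-01 api.status-telemetry.example 198.51.100.21
2020-06-01T08:35:04 orion-srv-01 api.status-telemetry.example 198.51.100.77
2020-06-01T09:05:07 orion-srv-01 api.status-telemetry.example 198.51.100.130
2020-06-01T09:10:00 orion-srv-02 licensing.vendor.example 203.0.113.11
2020-06-01T09:12:00 workstation-17 api.status-telemetry.example 198.51.100.21
"""


def parse(log_text):
    """Yield (timestamp, host, domain, ip) tuples from the constructed log."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, domain, ip = line.split()
            yield ts, host, domain, ip


def analyse(log_text, hosts=ORION_HOSTS, expected=EXPECTED_DOMAINS):
    """Return {"unexpected": set_of_domains, "rotating": {domain: n_ips}}."""
    answers = defaultdict(set)  # domain -> distinct IPs answered to in-scope hosts
    unexpected = set()
    for _ts, host, domain, ip in parse(log_text):
        if host not in hosts:
            continue  # only the servers hosting the software are in scope
        answers[domain].add(ip)
        if domain not in expected:
            unexpected.add(domain)
    rotating = {d: len(ips) for d, ips in answers.items() if len(ips) >= ROTATION_THRESHOLD}
    return {"unexpected": unexpected, "rotating": rotating}


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The workstation query is deliberately ignored: the point is to baseline the small set of servers that run the software, where any unexpected destination is worth a look regardless of where the IP is hosted.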

In the UK, SolarWinds clients include the NHS, the Ministry of Defence, the Cabinet Office, the Ministry of Justice, GCHQ, the Civil Aviation Authority and various police forces. It’s not clear if any of these bodies used the Orion update or if they have been affected. The UK National Cyber Security Centre (NCSC) said, “The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any U.K. impact.”

Microsoft has also been affected and identified 40 clients that had been exposed, including some in the UK. Paul Chichester, NCSC Director of Operations, said: “This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact. That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact.”

In a speech at Policy Exchange earlier this year, the Chief of the Defence Staff, General Sir Nick Carter, talking about attacks from authoritarian rivals and extremist ideologies, said, “Their strategy of ‘political warfare’ is designed to undermine cohesion, to erode economic, political and social resilience, and to compete for strategic advantage in key regions of the world. Their goal is to win without going to war: to achieve their objectives by breaking our willpower, using attacks below the threshold that would prompt a war-fighting response.”

He was describing what he went on to call ‘Digital Authoritarianism’, and said, “None of our rivals can afford to go to war as we define it. They want to win below that threshold. However, the stakes are high.”

However, what has never really been defined from a defence perspective is where that ‘threshold’ lies. If the attack had been physical in nature, against critical national infrastructure, either by a physical team taking control or by explosives destroying its operability, then it would likely have crossed that line.

How do you respond to ‘Digital Authoritarianism’ where that authoritarianism has led to data, possibly classified, along with designs, processes and codes, being stolen? How do you respond where that authoritarianism has allowed a foreign state to have control of nationally critical capabilities to the same extent as if they had people in the control room? How do you respond when physical infrastructure has been destroyed because of manipulated code?

Given that war hasn’t been formally declared since 1939, yet British and allied troops have been in an almost perpetual state of conflict since the end of the Second World War, does that mean that the very underpinning definitions of warfare that General Carter alluded to need to be redefined before we can properly examine our defence and security needs?

What is clear is that this latest attack is yet another wake-up call about national cyber vulnerabilities. How many more are needed before we see a greater response? If nation states can’t protect their infrastructure from attacks by other nation states, surely that is a fundamental failure of government?

Cyber will, I am sure, feature heavily in the upcoming integrated Defence and Security review, and rightly so.