Cyberwar – The FireEye and SolarWinds attack

Should Digital Authoritarianism cause the threshold for war to be redefined?

By Philip Ingram MBE

In early December 2020 the US-based cyber security firm FireEye detected a breach by what its CEO, Kevin Mandia, described as “a nation with top-tier offensive capabilities.” He went on to say, “The attackers tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”

The attackers stole what he described as “certain Red Team assessment tools that we use to test our customers’ security. These tools mimic the behaviour of many cyber threat actors.” In essence they stole FireEye’s own hacking toolkit, and given FireEye’s customer base of large corporates and government agencies, that toolkit would have been built to test exactly those kinds of networks and systems.

Whilst investigating the attack his team identified that “the attacker primarily sought information related to certain government customers.” More worryingly, they identified “a supply chain attack trojanising SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.”

Some reporting has attributed the attack to a Russian state-sponsored group known as APT 29, or Cozy Bear. There is precedent for stolen offensive tooling ending up in the wild: in 2017 a group of hackers known as the Shadow Brokers published a collection of hacking tools stolen from the NSA. FireEye has not yet named the actor, but speculation that it was Russian is rife. A Kremlin official denied that Russia had any involvement.

SolarWinds is a company that provides IT infrastructure monitoring and management software; its Orion platform is used to monitor and manage networks and servers, and like most such products it is kept current by vendor software updates that customers download and install as a matter of routine. Many of its customers are large enterprises or government agencies responsible for things like critical national infrastructure, power and water grids, nuclear facilities, military facilities and more.

SolarWinds estimated that some 18,000 customers had downloaded the trojanised updates, potentially enabling the attacker to monitor network activity and steal data and credentials from the infected systems. It could potentially allow the attacker to take control of networks. The full extent of the exploitation has not yet been made public.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an alert detailing what it knows about the breach. “Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST,” it said, adding, “Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.”

CISA concluded, “taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.”

In the UK, SolarWinds clients include the NHS, the Ministry of Defence, the Cabinet Office, the Ministry of Justice, GCHQ, the Civil Aviation Authority and various police forces. It is not clear whether any of these bodies installed the trojanised Orion update or whether they have been affected. The UK National Cyber Security Centre (NCSC) said, “The NCSC is working closely with FireEye and international partners on this incident. Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any U.K. impact.”

Microsoft has also been affected and has identified some 40 of its customers that were exposed, including some in the UK. Paul Chichester, NCSC Director of Operations, said: “This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact. That work is ongoing and will take some time, but simply having SolarWinds does not automatically make an organisation vulnerable to real world impact.”

In a speech at Policy Exchange earlier this year, the Chief of the Defence Staff, General Sir Nick Carter, talking about attack from authoritarian rivals and extremist ideologies, said: “Their strategy of ‘political warfare’ is designed to undermine cohesion, to erode economic, political and social resilience, and to compete for strategic advantage in key regions of the world. Their goal is to win without going to war: to achieve their objectives by breaking our willpower, using attacks below the threshold that would prompt a war-fighting response.”

He was describing what he went on to call ‘Digital Authoritarianism’, and said: “None of our rivals can afford to go to war as we define it. They want to win below that threshold. However, the stakes are high.”

However, what has never really been defined from a defence perspective is where that ‘threshold’ lies. Had the attack been physical in nature against critical national infrastructure, either a team physically taking control of it or explosives destroying its ability to operate, it would very likely have crossed that line.

How do you respond to ‘Digital Authoritarianism’ where it has led to data, possibly classified, including designs, processes and code, being stolen? How do you respond where it has given a foreign state control of nationally critical capabilities to the same extent as if they had people in the control room? How do you respond when physical infrastructure has been destroyed because of manipulated code?

Given that the UK has not formally declared war since the Second World War, yet British and allied troops have been in an almost perpetual state of conflict since it ended, does that mean that the very definitions of warfare that General Carter alluded to need to be redefined before we can properly examine our defence and security needs?

What is clear is that this latest attack is yet another wake-up call about national cyber vulnerabilities. How many more are needed before we see a greater response? If nation states cannot protect their infrastructure from attacks by other nation states, surely that is a fundamental failure of government?

Cyber, I am sure, will feature heavily in the upcoming Integrated Review of security and defence, and rightly so.

The GRU is on the Ropes

****Updated 1230 on 04 Oct 18*****

At one minute past midnight on 4th October 2018 a statement came out from the British Government saying that the National Cyber Security Centre (NCSC) had “identified that a number of cyber actors widely known to have been conducting cyber-attacks around the world are, in fact, the GRU.”

The GRU is the Russian military intelligence organisation, also known as the Main Intelligence Directorate, which has been accused of being responsible for the assassination attempt on Sergei Skripal in Salisbury in March this year.

Since then the British Prime Minister, Theresa May, has openly accused the GRU of involvement in the attack, saying that the two attackers, Alexander Petrov and Ruslan Boshirov, had flown into Gatwick on 02 March and out of Heathrow on 04 March, and that these names were almost certainly pseudonyms.

The investigative journalism website Bellingcat went on to expose the real identity of the man who travelled under the name Ruslan Boshirov as Colonel Anatoliy Chepiga, a highly decorated GRU officer who had received the Hero of the Russian Federation award in 2014.

In what Philip Ingram MBE, a former Colonel in British Military Intelligence, believes was a swipe at the GRU, the head of the Russian Foreign Intelligence Service, Sergey Naryshkin, said the Salisbury attack was “unprofessionally done.”

Almost sensing that the GRU is ‘on the ropes’, openly outed for the Skripal attack and embarrassed by the ease with which investigative journalists at Bellingcat exposed serious flaws in the administration of its secret agents and, for the first time, unmasked one of its highly decorated officers and linked him to Salisbury, the UK authorities have come out fighting.

What is the GRU accused of this time?

The NCSC has attributed a number of recent attacks to the GRU. The October 2017 BadRabbit ransomware attack encrypted hard drives and rendered IT inoperable. This caused disruption, including to the Kyiv metro and Odessa airport, but was almost an own goal as it also caused disruption at Russia’s central bank and two Russian media outlets. The NCSC assesses with high confidence that the GRU was almost certainly responsible.

In August 2017, confidential medical files relating to a number of international athletes, including the cyclist Sir Bradley Wiggins, were released. WADA stated publicly that this data came from a hack of its Anti-Doping Administration and Management System. The NCSC assesses with high confidence that the GRU was almost certainly responsible.

In 2016, the Democratic National Committee (DNC) was hacked and documents were subsequently published online. The NCSC assesses with high confidence that the GRU was almost certainly responsible.

Of interest, in July 2018 the team of special counsel Robert Mueller named 12 apparent GRU officers over the alleged hacking and leaking of Democratic Party emails.

Between July and August 2015, multiple email accounts belonging to a small UK-based TV station were accessed and content stolen. The NCSC assesses with high confidence that the GRU was almost certainly responsible.

This is not the first time the GRU has been accused.

In June 2017 a destructive cyber attack targeted the Ukrainian financial, energy and government sectors but spread further, affecting other European and Russian businesses. The UK Government attributed this attack to the GRU in February 2018. The NCSC assesses with high confidence that the GRU was almost certainly responsible.

In October 2017, VPNFilter malware infected thousands of home and small business routers and network devices worldwide. The infection potentially allowed attackers to control infected devices, render them inoperable and intercept or block network traffic.

In April 2018, the NCSC, the FBI and the US Department of Homeland Security issued a joint Technical Alert about this activity by Russian state-sponsored actors.

The Foreign Secretary, Jeremy Hunt said:

“These cyber attacks serve no legitimate national security interest, instead impacting the ability of people around the world to go about their daily lives free from interference, and even their ability to enjoy sport.

“The GRU’s actions are reckless and indiscriminate: they try to undermine and interfere in elections in other countries; they are even prepared to damage Russian companies and Russian citizens.  This pattern of behaviour demonstrates their desire to operate without regard to international law or established norms and to do so with a feeling of impunity and without consequences.

“Our message is clear: together with our allies, we will expose and respond to the GRU’s attempts to undermine international stability.”

The UK is not alone in accusing the GRU, and last night Australia came out in support of the UK statement. Of note, Australia is part of the Five Eyes community, the intelligence-sharing alliance of the US, UK, Canada, Australia and New Zealand.

The timing is of interest, as it is almost certainly a swipe at President Putin, warning him off interfering in the US midterm elections due on 6th November 2018.

The UK Prime Minister said in Parliament on 5 September 2018 that the UK would work with its allies to shine a light on the activities of the GRU and expose their methods. Her ‘dancing queen’ speech in Birmingham is turning into her Rocky Balboa attack on the GRU; for the first time she is taking the fight to the Russians.

The announcement this morning by Major General Onno Eichelsheim of the Dutch MIVD intelligence service regarding the expulsion of four GRU officers who were targeting the OPCW in the Netherlands is significant in that it shows the international community joining Theresa May in ‘the ring’ and helping with the fight against the Russians in an unprecedented way. Of significance, what is being exposed are some very bad ‘drills’ by the GRU operatives, and this reinforces Sergey Naryshkin’s comment that the Skripal attack was ‘unprofessionally done.’

Note: This blog is written by Philip Ingram MBE, a former Colonel in British Military Intelligence, who was based near Salisbury and has assessed Russian activity for many years.