A record year for cyber-attacks that impacted society
This week’s cyber-physical news takes a deep dive into recent high-profile cyber-attacks, the Biden administration’s response, and a typo in Biden’s executive order!
2021 is already proving to be a record year for cyber-attacks. It’s not so much that the cyber-attacks are particularly sophisticated, but that these attacks are having societal consequences that no one anticipated. There is also a rise in geopolitical tensions that is evident through the enablers of these cyber-attacks. The SolarWinds attack, in which the attackers obtained access to U.S. government networks, was attributed to Russian state actors. DarkSide, a Russia-based ransomware organization, took responsibility for the Colonial Pipeline attack. The Biden administration recently came out with a statement accusing China of the recent Exchange cyber-attacks.
Each of these attacks has a different fingerprint, and experts have stated that the U.S. government should respond accordingly. While on the surface the Russian- and Chinese-enabled attacks seem similar, one of the co-founders of CrowdStrike (a leading cybersecurity company) has stated numerous times that the Chinese Exchange attacks were far more disturbing and reckless than the Russian SolarWinds attacks. Let’s learn a bit more about why this is the case.
What is something that is everywhere, but is invisible (to most)? Different people might call this by different names. But whatever you call it, this is a source of great information, and consequently of great power, for those to whom it is visible. And this is what caused the SolarWinds attacks. In most organizations, securing IT networks is an internal matter. All of us have encountered passwords and two-factor authentication when logging into company accounts. But an organization is only as secure as its weakest link. And not all links are internal.
SolarWinds is a company that provides software to nearly all Fortune 500 companies and U.S. government organizations. One particular product, the SolarWinds Orion platform, provides companies with the tools to monitor and analyze their networks. In order for the platform to work properly, SolarWinds had told customers to disable antivirus scans on its products. Russian hackers took advantage of this unaccounted-for vulnerability and compromised the SolarWinds Orion platform, using it as a backdoor into the confidential networks of SolarWinds customers.
This was ultimately discovered by the cybersecurity company FireEye on Dec 13th, 2020. The SolarWinds compromise was so subtle that it was only discovered when security staff noticed that an employee had two phones registered for two-factor authentication. When contacted, the employee said they had only registered one phone. On further investigation, they found that numerous tools used to test client defenses had been stolen, along with intelligence reports on active cyber threats. It took a long time to figure out, out of numerous potential vulnerabilities, that the origin of the compromise was the SolarWinds Orion platform. This was nine months after the attack had breached U.S. federal networks, and it was traced back to Russia.
But many cybersecurity experts say that what Russia did is not inappropriate in the modern foreign surveillance landscape. In order to understand why, we need to discuss the attack in context. There are 3 major reasons:
First, the SolarWinds attack was highly targeted, and not reckless. The attackers voluntarily sent a kill switch to 99% of their potential victims, permanently disabling future access. Why did they do this? We don’t know for sure, but it is safe to say it wasn’t because of good intentions. Rather, it was a gamble: remain persistent and undetected for a long time, rather than act recklessly and get discovered immediately. This gamble seems to have mostly paid off during the 9 months they remained in quiet surveillance.
Second, the U.S. has routinely engaged in similar foreign surveillance. From the 1970s until 2018, the CIA read the encrypted communications of its allies and adversaries by secretly owning Crypto AG, the dominant international maker of encryption devices. Its clients included Iran, Latin American military organizations, India, Pakistan, and even the Vatican.
Third, a strong retaliation would send the wrong message for future threats, exposing double standards. One of the greatest assets of the U.S. is its democratic ideals. The world (or at least the U.S. and its allies) likes to think of the U.S. as a tough but fair leader. Thus, the government needs to pick and choose its battles wisely. If the U.S. were to sanction foreign states for certain activities, and then engage in the same activities itself, that would not be smart for long-term diplomacy. There are multiple occasions where Russia has exceeded its boundaries to harm other nations, including through cyber-attacks. One example was the destructive NotPetya attack against Ukraine, which spread around the globe, disrupting the operations of millions of computers and causing billions of dollars in damages. The argument is that these sorts of cyber-attacks should receive more of a response from the U.S. than the SolarWinds attacks.
What started off as a limited espionage campaign by a Chinese state-sponsored group known as Hafnium turned into the compromise of virtually all vulnerable Microsoft Exchange servers across practically the entire Internet. The Hafnium hackers had discovered zero-day (previously unknown) vulnerabilities in Microsoft Exchange servers. In late February, the hackers came to know that Microsoft was planning to issue an update in March to fix these vulnerabilities. The hackers then took the unprecedented step of scanning the entire Internet for all vulnerable Exchange servers and compromising them before they could be patched. This was an extremely reckless act that compromised tens of thousands of networks all over the world. To gain ongoing access, they deployed “web shell” scripts, which give adversaries persistent, easy access into compromised networks. Microsoft’s updates do not remove these dangling web shell scripts; only individual defenders paying attention to their own networks can do that. China effectively left the door open for malicious actors to take control of networks, including deploying ransomware, attacks in which attackers hold networks hostage in exchange for millions of dollars.
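The point that a patch closes the entry hole but leaves any previously dropped web shells in place is worth seeing as a concrete defender-side check. The following is an added example (not code from the original post or from Microsoft): it compares the server-executable files currently present in web-served directories against a known-good baseline of content hashes and flags anything new or altered, noting files written before the patch date. All paths, contents, hashes and timestamps are constructed for illustration; they are hypothetical, not real Exchange paths or indicators.

```python
import hashlib
from datetime import datetime, timezone

# Constructed cutoff: the post says Microsoft's fix shipped in March 2021.
# Files that appeared in web-served directories before the server was patched
# deserve extra scrutiny, because the patch itself does not remove them.
PATCH_DATE = datetime(2021, 3, 2, tzinfo=timezone.utc)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed known-good baseline (hypothetical paths, not real Exchange paths):
# path -> sha256 of the content shipped with the product.
BASELINE = {
    "/webroot/owa/auth/logon.aspx": sha256_hex(b"<%@ Page %> legitimate logon page"),
    "/webroot/owa/auth/errorFE.aspx": sha256_hex(b"<%@ Page %> legitimate error page"),
}

# Constructed current inventory: (path, last-modified time, file content).
INVENTORY = [
    ("/webroot/owa/auth/logon.aspx", datetime(2020, 11, 5, tzinfo=timezone.utc),
     b"<%@ Page %> legitimate logon page"),
    ("/webroot/owa/auth/errorFE.aspx", datetime(2021, 2, 27, tzinfo=timezone.utc),
     b"<%@ Page %> legitimate error page <!-- appended -->"),
    ("/webroot/aspnet_client/discover.aspx", datetime(2021, 2, 28, tzinfo=timezone.utc),
     b"<%@ Page %> unknown file that was never part of the install"),
    ("/webroot/owa/auth/logon.css", datetime(2021, 1, 1, tzinfo=timezone.utc),
     b"body {}"),
]

# Extensions the web server hands to the server-side script engine.
SERVER_SIDE_EXT = (".aspx", ".ashx", ".asmx")

def find_unexpected_files(inventory, baseline, patch_date=PATCH_DATE):
    """Return (path, reason) for server-executable files not explained by the
    baseline. Files written before the patch are called out explicitly, since
    that is the window in which a pre-patch compromise would have left them."""
    findings = []
    for path, mtime, content in inventory:
        if not path.lower().endswith(SERVER_SIDE_EXT):
            continue  # static assets cannot execute server-side code
        expected = baseline.get(path)
        if expected is None:
            reason = "not in known-good baseline"
        elif expected != sha256_hex(content):
            reason = "content differs from baseline"
        else:
            continue  # matches a shipped file exactly
        if mtime < patch_date:
            reason += "; written before the server was patched"
        findings.append((path, reason))
    return findings

if __name__ == "__main__":
    for path, reason in find_unexpected_files(INVENTORY, BASELINE):
        print(f"{path}: {reason}")
```

In practice the baseline would come from a clean install of the same build and the inventory from walking the real web-served directories; the comparison logic stays the same.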
Colonial Pipeline Ransomware
On April 29th, hackers from DarkSide, a Russian ransomware group, gained access to the largest U.S. petroleum product pipeline, owned by Colonial Pipeline (the dark red line in the figure above). On May 7th, an employee saw a ransom note pop up on a computer, and operators immediately made the decision to shut down their systems, including the pipeline itself, to avoid further repercussions. This resulted in a week of gas shortages across the East Coast and chaos at gas stations. I personally experienced some cause for concern as we had planned a trip to Florida. Ultimately, Colonial Pipeline did pay the ransom of $4.4 million in bitcoin (a majority of which was recovered by the FBI).
There’s the question of how DarkSide was able to infiltrate the Colonial Pipeline networks. Officials from FireEye say that it was through a compromised VPN password. VPNs allow users to access private networks remotely over the Internet. But in this case, the VPN was not protected by two-factor authentication. And FireEye found evidence of the leaked password on the dark web (hidden web sites only accessible through a specialized web browser). An interesting possibility is that these hacks were partially enabled by the Chinese Exchange attacks. Cybersecurity experts have pointed out that Colonial Pipeline was using an unpatched version of Exchange when the DarkSide attack happened, among other lapses.
Biden Administration Response
On May 12th, Biden issued an executive order on improving the nation’s cybersecurity. The first section deals with the broad policy direction, identifying the prevention, detection, assessment, and remediation of cyber incidents as the top priorities. The rest of the document deals with steps in the direction of the policy goals. The 3 primary steps are:
- Removing barriers to sharing threat information: The Federal government regularly contracts with multiple software service providers (like SolarWinds) that have unique insights into the threat landscape in Federal systems. At the same time, there are barriers to sharing information regarding such threats with appropriate agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and other intelligence agencies. The executive order aims to remove these barriers to enable more active defenses against threats.
- Modernizing Federal Government Cybersecurity: There are multiple cybersecurity industry best practices that have not been well implemented across government networks. These include moving to cloud services and Zero Trust Architectures. Essentially, Zero Trust Architectures grant users access (or “trust” them) only as far as is absolutely necessary to perform their essential roles, and no further.
- Enhancing software supply chain security: Tasking the National Institute of Standards and Technology (NIST) to develop best practices for software supply chain security in coordination with experts from industry, academia, and the government.
Oh and here’s a minor typo I found (agencies mentioned twice):
Just last week, on July 19th, the Biden administration released a statement criticizing the irresponsible behavior of the Chinese government in allowing the Exchange attacks to occur. The document states how the European Union, NATO, and the United Kingdom are joining the U.S. in exposing China’s malicious cyber activities.
In the near future, it is highly likely that these cyber-attacks will get more frequent, continuing the trend of the last few years. This year shows that our society is not insulated from these attacks. It is essential that societal infrastructures such as energy, transportation, communication, water, etc. all run continuously and without unexpected disruptions. However, many of these critical infrastructures can potentially be compromised through cyber-attacks. I believe that while attacks can’t be forecast in advance, being prepared can go a long way in ensuring cyber-resilient societies, or at least in mitigating losses.
If you enjoyed this week’s post, please share it on social media, or even with just one person you think might enjoy holistic perspectives on the interconnections between technology and modern societies. Feel free to also post any comments in the post discussions on the cyber-physical substack page. This is a small but growing effort, and I hope that I can share my journey in understanding and building resilient societies.