Expert on SolarWinds breach: 21st Century Espionage
While the investigations into the SolarWinds incident are still at an early stage, there are some things we do know. There are strong indications that this was a state-coordinated endeavour. We asked Professor Panayotis “Pano” Yannakogeorgos, Clinical Associate Professor, Faculty Lead for the new MS in Global Security, Conflict, and Cybercrime from NYU School of Professional Studies (NYU SPS) Center for Global Affairs (CGA), for his assessment on the SolarWinds incident.
Cybersecurity Magazine: The SolarWinds incident is widely regarded as a coordinated “attack” originating from a nation state – would you agree and if so, what are the indications which point in that direction?
Pano Yannakogeorgos: “The attack most certainly originated from a highly-capable foreign actor. One indicator of this is the level of restraint and how they’ve gained their access. The information that we can assume was collected over the past months has not appeared on the deep/dark web, nor does it appear to have been monetized. It also did not lead to a digitally damaged infrastructure, via ransomware (that we know of). Overall, stealth access and espionage were the operational objective. A criminal group, hacktivist group or others that may have found the time, treasure and talent to pull off this incident may not have had the same level of restraint as the hackers involved in this case. This leads me to think that the most likely actor was a nation-state actor that is highly capable and does not have the requirement to profit immediately from the access.”
Cybersecurity Magazine: Also, the consensus seems to be that the attack originated from Russia – would you agree, and if so, why?
Pano Yannakogeorgos: “Based on the current publicly available information that we have, I can’t say with absolute certainty. From what has been said by the press, and by high level government officials, it appears to be Russia. However, we also need to keep in mind that we are in very early phases of this investigation. The cyber domain is an ambiguous environment. Sometimes analytical conclusions that appear to be very certain and fit fact patterns of past behavior turn out to be false. For example, when TV5 in France was almost destroyed by hackers, it was initially thought the perpetrators were affiliated with the Islamic State. They weren’t. Similarly, the US and UK had been tracking what were thought to be hackers of Iranian origin. Months after this mis-attribution, it turned out to be Russian hackers who had hacked the Iranian operational infrastructure and used it to masquerade under false pretenses. This indicated a highly sophisticated capability on the Russian side. So, they absolutely have the capability to compromise SolarWinds as well. It’s still too early to attribute the perpetrators, but with the information we currently have, we think it’s a Russian operation.”
Cybersecurity Magazine: There are rumors that this sort of hack could not have been done without some help from inside – what do you think went wrong for this hack to happen and also to go unnoticed for apparently a relatively long time?
Pano Yannakogeorgos: “We can’t be certain of any rumors until a full investigation is complete. It would not be surprising if there is an insider caught up in the middle of this, either witting (having been coerced, blackmailed, or otherwise induced to act on behalf of an intelligence service) or unwitting (having clicked on a phishing email). The latter seems to be unlikely given the technical indicators would have set off alarm bells. If this was an insider event, it will take time for law enforcement to do its job and collect the evidence needed to identify and prosecute the hypothetical insider.”
Cybersecurity Magazine: SolarWinds is a relatively small company, whose software nevertheless has been widely used and apparently even been white labeled by other companies. In complex IT environments, software solutions like SolarWinds have become crucial puzzle pieces for managing and operating those environments – are these puzzle pieces specifically at risk for becoming the target for these kinds of attacks?
Pano Yannakogeorgos: “These are high-value targets, and will always be targeted by threat actors. The real challenge is that these companies are facing highly capable nation-state level threats that can spend years to decades developing access, and dedicate billions of dollars to developing their capacity to conduct cyber espionage with stealth and precision.”
Cybersecurity Magazine: Microsoft apparently hit the kill switch for the hack with some swift and drastic steps. Will we see more tech giants pulling the plug on these kinds of attacks, as opposed to governments doing the same? How much are countries relying on (or being dependent on) the tech giants to fight as their “cyber army”?
Pano Yannakogeorgos: “The private sector in the United States owns a good chunk of the global cyber infrastructure. Because of this, many companies also have the capability to dismantle that infrastructure in parts of cyberspace that are being misused. That said, they do not have permission to do so outside the bounds of the rule of law. Microsoft has a history of cooperating with other companies and with threat intelligence sharing groups to coordinate activity, as well as helping to develop evidence that is presented in court. They are a company that is able to receive legal authorization to take down the infrastructure when they need to. I think its process is mature, and should be looked at as a model for being able to coordinate responses to breaches at the speed countering cyber threats requires.”
Cybersecurity Magazine: How much of this cyber activity on the nation state level is really going on? This time it has been Russia which has been caught, but are we (i.e. the western countries) doing the same?
Pano Yannakogeorgos: “With the various leaks, like the Snowden documents, Shadow Brokers, and Vault 7, it’s easy to see that Western countries are just as involved in cyber espionage as any other country. What’s important to keep in mind is what happens after a successful cyber espionage operation. How we respond is important. Governments who weaponize their access points in order to “burn cyberspace” – as we saw in NotPetya – should be discouraged unequivocally.”
Cybersecurity Magazine: What can we and are we doing to prevent these sorts of incidents in the future?
Pano Yannakogeorgos: “Prevention is the key term. Unfortunately, our current cyber supply ecosystem is defined by systemic proliferation of vulnerabilities due to the complex interaction between software, hardware and firmware. Both the private and public sectors throw a lot of resources into bolting on cybersecurity tools that are not guaranteed to work. Additionally, a lot of resources are spent in responding to and recovering from disruptions. To truly prevent cyber incidents like this, there needs to be a coalition of like-minded democracies to ensure that our cyber ecosystem is secure by design. No effort will completely eliminate the threat from sophisticated nation-state actors who exploit and gain access to a high-priority targeted system. What a secure-by-design ecosystem can do is eliminate the ability of less sophisticated actors to create impacts, which will enable the defenders to focus their attention on disrupting threat actors higher up on the capability chain.”