Sunburst: a Pearl Harbor Cyber?

(To Ciro Metuarata)
21/12/20

In a few years, when the current terrible pandemic is finally under control, 2020 will not only be remembered for the explosion of the COVID-19 infection and its dire consequences, but it will probably also represent a milestone for scholars and professionals (as well as for the curious like me) of the cyber dimension, following a story that is taking on the contours of one of the most unscrupulous and successful spy stories of all time. The reference is to the cyber attack suffered by the US IT company SolarWinds, whose globally distributed products have been used as "trojan horses" to penetrate the networks and systems of companies and government agencies around the world, the real targets of the espionage.

In jargon, this type of attack is called a "supply chain cyber attack" and, in reality, behind these high-sounding and apparently complex terms lie modern variations of espionage techniques that have existed for a long time: the security of the target is compromised indirectly, by attacking its "logistic chain", that is, a good or service legitimately provided by a third party (typically a company). In the cyber field, these are IT goods or services that no company or government body can do without in order to carry out its tasks.

A striking example of this type of cyber attack is the operation that the National Security Agency, according to its former collaborator Edward Snowden, is said to have carried out for years by ensuring that network devices produced by a leading company were distributed on the worldwide market after being specifically modified by the Agency, in order to intercept and retransmit all communications processed by these systems. Or the incredible story of Crypto AG (see article), a company based in Switzerland that produced and distributed cipher machines to countries both inside and outside NATO (130 governments in total!), also modified in order to allow US and German intelligence to intercept the classified communications of "friendly" countries and adversaries alike for over 50 years!

Finally, another example of a supply chain cyber attack is NotPetya, a devastating malware "inoculated" in 2017 into the update of a very popular business management software in Ukraine (see article). In this regard, while it will probably never be possible to quantify the real impact of these operations, it is certain that, given the high number of targets involved and the duration of the offensive activity, in every case an immense amount of information was intercepted or destroyed, with very serious damage to the security of the victims. The same scenario is emerging for the attack on SolarWinds as the details of the ongoing investigations filter out (obviously, the ones that someone wants to be known).

Could it be the cyber equivalent of the attack on the naval base at Pearl Harbor in 1941, that is, a hostile act so vast and with such serious consequences that it calls for an unprecedented response, perhaps one that does not unfold only in the cyber dimension? What will happen now?

Let's proceed in order. A few days ago FireEye, a leading company in the field of cyber security, announced that it had been the victim of a serious cyber attack which, among other things, allowed the exfiltration of some software developed to carry out security tests on behalf of its customers (see article). In particular, it emerged that this attack was carried out using an artfully compromised update of the SolarWinds Orion system, that is, an update that was apparently "genuine" but in reality modified so as to penetrate FireEye's systems and networks. Once known, this detail consequently widened the horizon of the investigations to all the other companies and state bodies that use the same SolarWinds services, targets that may have been hit since last March, the period from which the distribution of the fraudulent update in question dates back.

The list of victims grows by the hour on the basis of the ongoing analysis of the evidence collected and now includes thousands of public and private entities distributed globally (we are talking about over 17,000 victims), in most cases however concentrated in the USA. Trying to provide an up-to-date list is therefore of little use. However, without fear of being proven wrong, it is possible to affirm that in many cases these are government bodies belonging to crucial sectors (such as, for example, the US Department of Energy) and leading companies on a global scale that, in turn, provide products and services to others. In particular, once their Orion systems were updated with the modified software, the attacker was able to enter the networks of the targets and in many cases took control of them, launching further attacks by exploiting the "breach" opened in the defensive systems of others.

At present, neither the data stolen in this way nor the further consequences of the attacks are known, as particularly sophisticated techniques have been used to deflect the investigations (in jargon, to "obfuscate" the clues). This detail, together with the programming techniques used to make the compromised SolarWinds update, meanwhile dubbed SUNBURST, appear original, is believed to indicate the attacker's very high level of capability. So, who is behind this daring operation?

As usual, the investigations do not allow the authorship of the espionage action to be attributed with certainty; however, it is certainly an organization in possession of enormous resources (expert technical personnel, funding, planning staff, infrastructure, etc.), belonging to a government or necessarily sponsored by a nation. Or it could be a criminal group that offers its services to the highest bidder and has become a leader of the information black market on the Dark web, the "dark side" of the Internet. Who can tell? No one with absolute certainty.

Some analysts and exponents of the current US administration believe that the responsibility lies with the hacker group known by the code names APT29, Cozy Bear, CozyCar, CozyDuke or Office Monkeys, which is allegedly linked to the Sluzhba Vneshnej Razvedki (SVR), the Russian foreign intelligence service (which celebrated its first 100 years of history on 19 December) and which boasts a particularly substantial record of sophisticated cyber operations. However, the government of the Russian Federation promptly denied any involvement.

The investigations have just begun and, as almost always happens in these cases, it is unlikely that sufficient evidence will be collected to identify the culprits with reasonable certainty and to prosecute them. It will also be very difficult to quantify the damage suffered by the victims and to know what happened to the information that was stolen, or rather "copied", without anyone noticing. Ultimately, it is not possible to fully reconstruct all the operations that the attacker carried out during the approximately eight months of "residence" in the victims' systems and networks.

This scenario has led some observers to draw a disturbing conclusion: we will have to deal with the consequences of this attack for many months or years, since the attacker may have seeded the targets' networks and systems with other malware. Indeed, if this really is a particularly experienced and efficient group, the analysts point out that the eventuality of the operation being discovered was certainly planned for in advance and, therefore, they believe that every measure has been taken to continue the espionage campaign while anticipating the victims' countermeasures.

The last aspect of the story, perhaps only apparently secondary, is the financial one: SolarWinds is a publicly traded company and an attack of this kind could be fatal to its reputation and, therefore, to its future. Furthermore, it seems that some have managed to profit from the whole affair, with market movements that are more than suspicious.

In conclusion, punctually every year in this period we find ourselves on these pages taking stock of cyber security, and the picture that emerges is painted in ever darker colors. Every year the "bar" is raised higher and higher, dangerously approaching the threshold of a real clash between states, and technological limits are inevitably demolished, often exceeding imagination itself. In this context, while on the one hand society becomes increasingly dependent on the cyber dimension, on the other hand this has now become a hunting ground totally devoid of rules, both for governments and for unscrupulous criminal groups.

The prey of this relentless hunt is information which, in an increasingly interconnected world, constitutes the keystone for dominating it from a military, financial, economic, scientific, technological or political point of view. Those who have not yet understood it or those who do not want to accept this reality are destined to succumb.

Happy 2021!

Sources

https://www.corrierecomunicazioni.it/cyber-security/crypto-ag-cyber-scan...

https://www.ncsc.gov.uk/collection/supply-chain-security/supply-chain-at...

https://www.infoworld.com/article/2608141/snowden--the-nsa-planted-backd...

https://www.govinfosecurity.com/solarwinds-supply-chain-hit-victims-incl...

https://krebsonsecurity.com/2020/12/solarwinds-hack-could-affect-18k-cus...

https://www.wired.com/story/cozy-bear-dukes-russian-hackers-new-tricks/

https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybers...

https://www.ilpost.it/2020/12/18/attacco-hacker-stati-uniti/amp/

Photo: NASA