The long tail of the SolarWinds breach
Government and private-sector investigators are racing to run forensics and damage assessments on the SolarWinds breach, but they keep turning up new unknowns, even as the strategic motivations and real impact remain obscure.
Why it matters: The more we learn about SolarWinds, the less we seem to know.
The intrigue: It’s not clear how much of the "SolarWinds breach" is even linked to SolarWinds, acting CISA director Brandon Wales told the Wall Street Journal.
- In fact, "approximately 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds," said the WSJ, citing Wales.
- Because of the Russians’ use of these unconnected vectors, "this campaign should not be thought of as the SolarWinds campaign," said Wales.
- Malwarebytes, a private computer security firm, has also concluded that “a number of its Microsoft cloud email accounts were compromised by the same group that targeted SolarWinds, using what Malwarebytes called ‘another intrusion vector’” separate from the SolarWinds backdoor, writes the Journal.
The big picture: The revelations suggest that the access gained into SolarWinds software was only one part of a broader Russian hacking campaign that hit other service providers as well. And the hackers' initial point of entry and ultimate goal remain unknown.
This massive campaign — which has potentially compromised networks tied to the Treasury, Defense, Commerce and State departments — was clearly more expansive and multifaceted than previously known.
- The hackers identified and employed multiple avenues to compromise their targets — and weren’t, it appears, exclusively using the SolarWinds backdoor as their ticket into victims’ networks.
- Indeed, SolarWinds “itself is probing whether Microsoft’s cloud was the hackers’ initial entry point into its network,” writes the Journal.
- Thus, some victims may have been independently targeted via these other Microsoft cloud vectors, while others were compromised via SolarWinds, which may itself have been breached through its own Microsoft cloud account.
- The Russian hackers had compromised at least one SolarWinds Microsoft 365 account as far back as December 2019, SolarWinds’ CEO told the Wall Street Journal.
Between the lines: The longer this type of campaign goes undetected, the harder it is to determine who was compromised when — and how. And when these causal chains are blurred, it's that much harder for cybersecurity experts to perform necessary damage control measures.
Context: This investigative work is hard enough in the often hazy world of counterintelligence. Investigators look to suss out:
- How did a breach happen? Was it caused by a human or some technological source, or some combination of the two?
- How long has this compromise existed?
- What was the purpose of the campaign?
It only gets tougher in the world of cyber operations because there are so many potential variables to consider.
- Private and public actors rely on many third-party software vendors and service providers like SolarWinds, and each one is a potential avenue for compromise.
- Cyber operators often cover their tracks as they work on achieving persistent access in a network, obscuring the means by which they first got in.
- Once operations like the SolarWinds hack are discovered, the focus immediately turns to worry over what networks the hackers might still be active in and what data might still be exfiltrated. That pushes larger questions about how the operation fits into the responsible party's intelligence-gathering objectives or foreign policy goals down the priority list.
The bottom line: Barring some type of extremely well-placed human or other source, getting to something approximating ground truth regarding all the dimensions — technical, tactical, temporal and strategic — of SolarWinds will be very difficult for the U.S. intelligence community.