Atlantic Council’s Cyber Statecraft Initiative on Sunburst and SolarWinds
December 2020 by Trey Herr, Director, Atlantic Council Cyber Statecraft Initiative
The Atlantic Council’s Cyber Statecraft Initiative has provided the following expert insights on the impact of the Sunburst incident.
Trey Herr, Director of the Atlantic Council Cyber Statecraft Initiative, reacts:
“The supply chain attack that is being investigated now is one of the most significant cybersecurity incidents ever to impact the federal government, on par with or more impactful than the OPM breach and comparable to the Moonlight Maze attacks on the Department of Defense in 1999.
“The response within the federal government will dominate cybersecurity activity for much of the first half of the incoming Biden-Harris administration. Plans are being rewritten and priorities dropped to resource the investigation of and response to this event. It will change the perception of the cybersecurity landscape the Biden-Harris team inherits.
“Software supply chain attacks are not new, and SolarWinds is not unique. While hardware supply chain security and 5G have dominated discussions, organizations’ dependence on software is unique, particularly updates to fix bugs and patch security holes. The breach of SolarWinds demonstrates the tremendous power of attacks on the software supply chain. By gaining access to one company, attackers were able to spread – using that company’s trusted relationship with its customers – to upwards of 18,000 organizations.
“The kind of access to federal networks including Commerce, Treasury, DHS, and DoD, that has been described would provide insight on strategic decision-making, advance warning of sanctions, and rulemaking. While no one has yet publicly reported there was a compromise of classified networks, what attackers appear to have had would effectively be a means to read the mind of an organization, comparable to well-placed human intelligence sources.
“The policy and security community should also be paying attention to the security of SaaS products like Office 365. SolarWinds’ product appears to have allowed the initial access to networks at places like DHS, but there are indications it was the attackers’ ability to manipulate the identity and access management tools of Office 365 to spread like wildfire across federal and private sector networks.
“This doesn’t suggest Office 365 is radically less secure than competitors; the 2019 Capital One data breach was partly a result of failures to properly configure, monitor, and manage the complex identity and authentication tools provided by Amazon Web Services. It does suggest cloud security should not be taken as guaranteed and deserves more scrutiny from policymakers and large cloud customers and transparency from vendors.”
Key Takeaways from Breaking Trust: Shades of Crisis Across an Insecure Software Supply Chain (July 2020):
· Software supply chain attacks remain popular, despite improvements in cybersecurity.
· Attacks on software updates are especially pernicious because they undermine users’ trust in a key channel for updates and security fixes.
· These attacks are still effective, giving attackers access to critical infrastructure sectors like electrical power and nuclear enrichment.
· States like Russia, China, North Korea, and Iran attack the software supply chain as part of their offensive cybersecurity efforts.
· Software supply chain attacks are getting worse over time. They threaten cloud services used globally and organizations both large and small.
· This report spans 2010-2020, covering 82 attacks and 33 vulnerability disclosures, with an unprecedented amount of data freely available on our website for anyone to explore.
Stats & Trends:
· Over 2010-2020 there were at least 27 different attacks against the software supply chain carried out by states, including Russia, China, North Korea, and Iran as well as India, Egypt, the United States, and Vietnam. Examples: CCleaner, NotPetya, Kingslayer, SimDisk, and ShadowPad.
· During this time, there were 31 different incidents that involved hijacked software updates. Updates are the most sensitive step in the supply chain – they are the only way for developers to patch bad code. Hijacked updates remained a consistently popular way to attack software supply chains over the last 10 years despite industry efforts to secure them. Examples: Flame, Stuxnet, CCleaner 1 and 2, NotPetya, Adobe pwdum7v71, Webmin, and PlugX.