Sunday, January 31, 2021

We need to regulate these guys – SolarWinds edition


There’s lots of good information coming out about the SolarWinds attacks, as well as others that were very likely carried out by the Unnamed-threat-actor-that-sure-sounds-a-lot-like-it’s-Russia, whoever that may be. All of this, along with information about other attacks (not all by Russia) that was made public long ago, points to the need to start regulating a bunch of tech companies that I hadn’t thought of as being part of the country’s critical infrastructure – until SolarWinds caused the scales to fall from my eyes. I’ll deal with SolarWinds in this post, and the other companies in a post in the near future (although tomorrow's topic is going to be different).

There’s been a lot of discussion of the SUNBURST malware, which was spread by SolarWinds updates and provided the backdoor that the Russians exploited to penetrate a lot of important networks, especially US government networks. Like most malware, SUNBURST used the “pray and spray” method of cyberattacks: a) attempt to get the malware into as many organizations as possible (which ended up being “only” 18,000, as SolarWinds said in their memorable SEC filing the day after the attack was announced); b) wait until the phone home beacons start appearing; c) choose the juiciest targets (hint: the National Nuclear Safety Administration is juicier than Joe’s Heating and Cooling Supply); and d) get to work reaping the fruits of their labors – which turned out to be abundant in this case, of course.

In the SolarWinds attacks, the benefits the Russians were looking for seem to have been limited to national security espionage. The Russians could easily have followed their normal pattern of creating as much chaos and destruction as possible – as in the 2016 US elections and especially NotPetya, which was a supply chain attack aimed at all businesses in the Ukraine. NotPetya had no goal other than bricking as many machines as possible as quickly as possible. It succeeded wildly not only in the Ukraine but even more so in other countries like the US and Denmark, where it almost sank (pun intended) Maersk, the largest ocean shipping company in the world.[i]

Fortunately, the Russians – perhaps out of some sense of pity for the American people, or more likely because they suspected a new sheriff might be coming to town, who would be much less forgiving of little foibles like SolarWinds or paying a bounty to kill American soldiers in Afghanistan, than was the previous sheriff – decided not to take the destruction route. Thank God for small favors, as my former boss used to say.

But there has been very little discussion of the SUNSPOT malware, which the Russians wrote to attack only one company: SolarWinds. And this malware wasn’t designed to do anything like what SUNBURST did: provide a backdoor so the Russians could exfiltrate lots of data from SolarWinds. It was designed to penetrate SolarWinds’ software build process and plant SUNBURST in software updates, so that SolarWinds would then kindly distribute them to their customers. And that attack succeeded brilliantly.

In fact, I nominate SUNSPOT as the second-most-sophisticated piece of malware ever written – after Stuxnet, which was created by the US and Israel to attack Iran’s uranium enrichment program, and also succeeded brilliantly (and it might even be ahead of Stuxnet. I’m certainly not in a position to judge between the two).

You can read the full story of SUNSPOT in this article by CrowdStrike, which worked with SolarWinds to analyze the malware and the attack. But here are some highlights, which relate to the subject of this post:

1.     The Russians first penetrated the SolarWinds software development environment in September 2019 – i.e. 15 months before SolarWinds or anyone else knew there was a problem.

2.      Like any good organization about to make a risky investment, the Russians first executed a test of a “beta” version of SUNSPOT. They wanted to see if they could in principle place a piece of software code in the SolarWinds Orion platform, so that it would be included in subsequent updates shipped to SolarWinds customers. They did this using a completely benign piece of code and the gambit worked perfectly. Just like later on with SUNBURST, SolarWinds had no clue this was happening. In fact, as with SUNBURST, this test code was inserted in multiple releases of the Orion platform, not just one.

3.     With the concept proven, the Russians started to build the final version of SUNSPOT, probably testing it in their own environment. About four months later in February, the Russians compiled and deployed this malware in the SolarWinds software build environment.

4.    The most important feature of SUNSPOT was that, just like Stuxnet, it was built assuming there was no possibility for any real-time intervention by the Russians in the software build process. The software had to act completely autonomously; yet it had to quickly adapt to any change in the environment. This was even harder than it sounds since, while SolarWinds wasn’t specifically looking for signs of an intruder inside the build process, the slightest change in the environment – such as a hash value for one of the Russians’ files (which were always named with names that matched files used in the build process itself) not matching exactly the value for the same file the previous day - would have set off alarms just in the normal build process. This would likely have led to SUNSPOT being discovered and the end of this whole affair (and we’d all have written about how astute SolarWinds was in heading off at the pass what could have been a series of devastating attacks on important government agencies).

5.     I won’t go into all of the brilliant features in SUNSPOT, but I’ll mention one: SUNSPOT was designed to surmount what may have been the biggest problem the Russians faced at SolarWinds: The software build process for the next Orion release went on for months, but neither the Russians nor SolarWinds had any idea exactly how long it would take. Moreover, the process was shut down and restarted every morning, and there was no way to know in the morning whether today might be the day that everything in the new build worked perfectly. If that happened, the SolarWinds engineers would probably decide to release the code as it stood at the end of that day. This meant that SUNSPOT needed to wipe away all traces of its activity every evening, once it became clear that the build process was about to shut down for the night without having produced the final product, since the slightest discrepancy – for example in the size of a file – would have alerted SolarWinds that something was wrong.

6.     Yet the next morning, SUNSPOT had to recreate everything that had been wiped away the previous evening, to prepare for the possibility that today would be the day that the code was declared ready to ship. This whole process is described in great detail in the CrowdStrike article. The important point is that all of this had to be done by SUNSPOT alone, without any prompting or guidance from the Russians - who had no real time visibility at all into the software build process. Just as the Americans and Israelis who created Stuxnet couldn't control it in any way once it was inside the Natanz uranium enrichment plant, which was completely air-gapped from the rest of the world (well, not quite. It turns out contractors were allowed to bring USB sticks in to aid their work, and that's how Stuxnet got in in the first place. It was also a classic supply chain attack, although different from SolarWinds).

7.      Despite these challenges, when SUNSPOT was deployed last February it worked perfectly. The SUNBURST malware was planted in about seven releases of the Orion platform, before the Russians decided to remove it from the build environment and cover all of their traces last June. I guess they figured that, with 18,000 infected targets, they just didn’t have enough good cyber resources available to exploit all of them, let alone any new ones that might be added. An embarrassment of riches, it seems.

What’s the lesson of all this? SolarWinds really dropped the ball. Sure, this was an unprecedented attack that nobody saw coming. But it’s impossible to believe there was no way they could have detected the Russians in their network during the 15 months between when they first entered and when SolarWinds learned about it. Unforunately, SolarWinds only learned they had been penetrated when the rest of the world learned it: after FireEye discovered they’d been compromised through SolarWinds last month.

It’s also impossible to believe there’s no way SolarWinds could have learned that their development process was compromised, when there were about 5-6 months during which one or the other of the two pieces of Russian code (the benign test code and SUNBURST) was being inserted into every Orion update that left their shop.

Do I know how SolarWinds could have detected – and presumably stopped, since that would have been very easy had their presence been known – the Russians? No I don’t. But there’s one thing that I do know (although only with hindsight, I’ll readily admit): SolarWinds, in accepting license fees from huge companies and important government agencies like DoE, DHS and NSA, should have been paying a lot more attention to cybersecurity than they did. They were clearly fat, dumb and happy and on top of the world – until they weren’t.

Companies like SolarWinds are really critical infrastructure organizations (again, I say this with hindsight. I wouldn’t have said it at all two months ago). The entire public has a stake in their safe, successful operation; that stake goes well beyond the license fees that SolarWinds earns. SolarWinds can’t hide behind the “Well, if you don’t like our product, nobody’s forcing you to buy it” rationale. Just as with public utilities, the public has a big stake in SolarWinds’ safety and stability. The Northeast Blackout of 2003 showed that protection of electric reliability is too important to leave up to the utilities on their own, and the SolarWinds attacks show that protection of network integrity in federal agencies is too important to leave entirely up to providers like SolarWinds. There needs to be regulation to make sure SolarWinds and their ilk do all they can to protect that network integrity, just like there are regulations to make sure electric utilities do all they can to protect electric reliability (including cybersecurity).

As an economics major at the University of Chicago a fairly long (I’ll admit it!) time ago, I was fortunate enough to take two courses on microeconomics[ii] with Dr. Milton Friedman. While there was never a doubt that he was in favor of capitalism and free markets, he always made it clear that in some cases purely market mechanisms can’t adequately protect consumers against common threats. The main case in point at the time was air and water pollution, since the EPA had just been created by – believe it or not – Richard Nixon. Friedman pointed out that there was no way that individual consumers, or even individual companies, could use market power to protect themselves against most pollution threats; there needed to be regulation.

The same reasoning applies today.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.


[i] BTW, NotPetya caused $10 billion in losses, but have the Russians ever been approached about paying a penny of that in damages to any of their victims? Certainly not that I know of. This might be surprising, unless you consider the case of flight MH17. Not only have the Russians not paid a penny for that either, but I know of no concerted effort by any government to force them to pay anything at all. Once it became clear the Russians were responsible for this, I would have banned Russian aircraft from all international airspace until the government had paid all just claims – both from individuals and governments – from this attack, as well as billions in punitive damages to some agreed-upon international organization. Of course, that might have meant Putin couldn’t build his $1.5 billion palace with an indoor hockey rink, that Mr. Navalny has graciously revealed to the Russian people. But with an estimated net worth of at least $25 billion (and maybe much more), Putin could have paid the entire damages out of his own pocket and still had money on hand to assure a comfortable retirement – although in a just world his retirement will be spent in a government-paid cell deep in some prison somewhere.

[ii] Which at the time was called “price theory” at U of C. What other schools called macroeconomics was “monetary theory”. I don’t know what terms U of C uses now.

No comments:

Post a Comment