With the Kaseya attacks, we have another blockbuster supply chain attack like SolarWinds (the two best articles I’ve read about it so far are here and here). However, there’s one big “improvement” in this attack. It wasn’t conducted primarily for espionage purposes, like SolarWinds, but rather for good old-fashioned financial gain. In fact, the Kaseya attack combined the two biggest cybersecurity threats today: supply chain attacks and ransomware.
I will have a lot to say about the attack itself in a coming post, but now I want to describe what went through my mind when I first read about the Kaseya attack on Saturday:
1. Great, now we have supply chain ransomware attacks! That means we have to beef up our defenses for both supply chain and ransomware attacks even more than we're already beefing them up after SolarWinds and Colonial Pipeline. Essentially, the Kaseya attack is a SolarWinds-style proliferation of Colonial Pipeline attacks.
2. Kaseya said that "only" 50-60 of their customers had been affected, but some of them were MSPs, and it seems a lot of the MSPs' customers were affected as well. So this attack was even more efficient than SolarWinds, which wasn't a "two-tier" attack like this one. Of course, this is a great force multiplier for supply chain attacks: each tier you add can multiply the number of victims again, so the victim count grows exponentially with the number of tiers. And when you're talking about ransomware, you're probably talking about some pretty big money, even with "just" two tiers, as in Kaseya. Who says Russia isn't making technological progress? We'll probably have 3- or 4-tier attacks in a year or so.
3. Of course, we all know that supply chain and ransomware attacks aren't a problem that can be "solved", only made somewhat less bad than they are. So am I expecting there will be a lot of improvement, now that we know how serious the threat is? This may shock you, but...No.
4. However, there's one common trait running through the worst of the recent attacks, including Kaseya, Colonial Pipeline (which wasn't technically a supply chain attack), JBS (also not technically a supply chain attack), and SolarWinds: They all originated in Russia. SolarWinds was a government job, but the other three seem to be attributable to Russian ransomware-as-a-service gangs: DarkSide in the case of Colonial Pipeline, and REvil in the cases of JBS and Kaseya.
My conclusion on Saturday: The problem of Russian cyberattacks is mushrooming. I thought the fact that, according to the FBI and CIA, Russia has planted malware in the US power grid and can cause outages whenever it wants was bad and would prompt some strong response (or at least an investigation, for God's sake). Then I thought SolarWinds would prompt a strong response. There was a response many months later, but it obviously wasn't strong enough.
Recently, Biden warned Putin in Geneva that he had to root out REvil. I'm sure Putin nodded and agreed with Biden that he'll do everything he can to discover and punish such evildoers. But it's well known that it's almost impossible to tell where the Russian cybercriminals end and the Russian security services begin, and vice versa. Plus the criminal gangs have provided Putin immense personal help in amassing and protecting the maybe $50 billion he's managed to scrape together from his modest government salary (I hear he clips newspaper coupons all the time). Expecting Putin to crack down on REvil is about like expecting Donald Trump to give up golf: it just ain't gonna happen.
Of course, Putin disclaims any responsibility for what private citizens may do, and after all he's just president, not king. If he can't find the REvil people, that's unfortunate. However, Putin seems to do a great job of rooting out evildoers when the "evil" they're doing is speaking the truth about what's going on in Russia today. Just ask Alex Navalny, if you can talk to him when they're not torturing him.
There's a good historical precedent for taking strong action against a pirate nation. In the early 1800s, the US was subject to "ransomware" attacks from the Barbary states of North Africa, whose pirates were attacking US ships and holding their crews for large sums (President Jefferson refused to pay, perhaps because he didn't have easy access to bitcoin). We fought two wars with them and beat them. The attacks ended.
Am I suggesting that we go to war with Russia over this? No. How about a devastating cyberattack on them, say bringing down their power grid? Again, no. Any attack like that could lead to war, and in any case, we're not going to conduct an attack that could kill civilians (which shows how ridiculous the idea is that we're somehow protected against Putin taking down our grid by the fact that we could take down Russia's grid. We'll never retaliate in kind for a kinetic cyberattack).
There are lots of things we could do to punish Russia for these attacks. One would be to finally take a step that was talked about before the SolarWinds sanctions in April: Prohibit US citizens and financial institutions from holding any Russian debt, not just from buying newly-issued debt, as was required in April. The April prohibition is ridiculously easy to circumvent. We now need to do something that's really going to get Putin's attention.
There's a lot more that could be done. Perhaps it's time to freeze all Russian assets in the US or prohibit any financial transactions with Russian citizens or businesses? Or take some sort of action to limit Russia's internet connections with the rest of the world (although I'm having a hard time thinking of something that couldn't be easily bypassed)? Of course, these are drastic measures, and will hurt both American and especially Russian citizens. Regarding the former, I agree it's unfair to them, but it's also unfair that American companies are paying big money to the Russian ransomware gangs. Once Uncle Vlad takes serious action against those gangs (and agrees to end his own security services' cyberattacks), we can think about lifting the sanctions.
What's certain is that these actions will hurt ordinary Russians a lot. That's unfortunate, but believe it or not, Putin is only in power because he keeps winning elections. Sure, they're rigged by the fact that he makes certain to keep anyone who might be a serious threat, like Navalny, from running against him. But he does (or at least did before Covid-19) enjoy a lot of support from the nationalists who like to see him push around the US and Europe (to say nothing of Ukraine and Georgia).
These people need to be made to understand that inflicting suffering on another nation can go both ways. So maybe they'll think twice before they go into the voting booth next time. Even better, they'll make it clear that they're only going to suffer so much in order to see Putin stay in power. It's time for him to make plans for his exit. And if he doesn't want to leave, he'll need to take the steps that are required for Russia to be treated like something other than the pirate state that it is.
And while I'm on the subject of drastic actions, what about the actions Russia took that resulted in a civilian airliner being shot down, by a Russian proxy army, over Ukraine in 2014? Russia has never been held accountable for that, or paid, as far as I know, a dime to any of the victims' families. This is despite the fact that the Dutch government (the flight was from Amsterdam to Kuala Lumpur, Malaysia) found in 2018 that the Russians were responsible, and is now supposedly pursuing "legal actions". Those are obviously going nowhere fast.
I said after the plane was shot down, when there was lots of photographic and voice recording evidence that this was Russia's fault, and a Russian MP had already confirmed that it was, that Russian planes should be barred from all airspace worldwide until the Russian government has paid a fair amount to every victim's family, and until all costs to Malaysia Airlines, the Dutch and Ukrainian governments, and other parties have been paid in full. Let's do that now, too. My guess is this might speed the "legal process" up a bit.
Let's stop pretending that pirates are entitled to some sort of due process, or "fair trial". If they were interested in fairness, they wouldn't be treating the rest of the world like they are.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the National Telecommunications and Information Administration's Software Component Transparency Initiative, for which I volunteer. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.