Thursday, October 28, 2021

The Russians are at it again


It seems that Nobelium, the wonderful Russian government-sponsored attacker group that brought you SolarWinds, hasn’t been deterred by President Biden’s threats to Vladimir Putin, or mollified by his entreaties to him. Microsoft reports they’re now conducting a large-scale campaign to infiltrate cloud service providers and IT services organizations, and they’ve already had some success at it.

Of course, they’re not primarily interested in those organizations themselves, but their customers. As we all have known for a while, Russia long ago gave up on the idea of attacking targets like critical infrastructure and government agencies using full-on frontal attacks. They know that the organizations they’re most interested in attacking have all figured out what they need to do to keep themselves safe from those attacks.

But what we haven’t figured out yet – and I’m not sure we’re learning too quickly, either – is how to protect ourselves against supply chain attacks. There are so many possible vectors for those attacks, and the average organization has so many suppliers that it trusts in lots of ways, that it will be a long time, if ever, before we’re as protected against supply chain attacks as we now are from frontal attacks. (The only other cyberattack category that’s increasing recently is phishing, which is the main vector for ransomware attacks. But Kaseya showed that it’s possible to realize huge efficiency gains in ransomware attacks by running them through the supply chain as well. The single penetration of Kaseya led to at least 1500 organizations being compromised. Talk about ROI!)

But I’m not writing this post just to marvel at how clever the Russians are. I’m really writing it to wonder how long we’re going to wait before we hit the Russians with some really strong sanctions for their various acts of piracy. And here, I’m not just talking about recent cyberattacks. I’m talking about shooting down a civilian airliner in 2014 and causing $10 billion worth of damage with the NotPetya cyberattack in 2017 (which was a supply chain attack on Ukraine that ended up getting a little out of hand. You know how those things go…).

The Russians haven’t paid a dime of restitution for either of those attacks. Let’s start with them. And if that doesn’t deter the Russians, we can look at retaliation for SolarWinds and many more recent attacks (including the fact that, according to the FBI and CIA’s Worldwide Threat Assessment in 2019, the Russians have penetrated the US grid – and this obviously means Control Centers – and could cause outages at any time. This charge has never even been investigated, by the way. It seems that investigating Russia wasn’t a good career move in Washington in 2019 and 2020. The question is whether that’s still the case in 202).

Let’s start with the airliner. There’s no question the Russians were behind that, even though it was one of their proxies that pulled the trigger. Let’s do what we should have done then: ban Russian planes from all international airspace until they pay, say, $5 million to the family of each of the 293 passengers and 15 crew members who were killed, and until they’ve paid the full costs incurred by the Malaysian and Dutch governments for property damage, and especially the costs of investigating the crash.

Then we’ll move on to the other attacks. By the time they’ve paid for those as well (and suffered other sanctions, like ending Russian bond sales in the US), maybe Uncle Vlad will be a little more cautious about his attacks in the future.

As they say, tragedy repeated is farce.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they shared by the CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
