U.S. WEEKLY offers an in-depth analysis of various geopolitical processes that have a direct effect on U.S. domestic and foreign policies. This analytical column is possible thanks to cooperation with Polish media abroad: Dziennik Związkowy – Polish Daily News, Polishexpress of the United Kingdom and WIrlandii.pl of Ireland.
Date: 1 February 2021
USA Under Attack – A Living Case of Cyber Warfare
The United States is currently undergoing a significant cyberattack. Among over 18,000 potentially affected users, many have been confirmed to operate within the networks of federal agencies, including the State Department, Treasury, Department of Homeland Security, Pentagon, and Department of Energy. The malware discovered in December has been present in American cyberspace since March 2020, which might have given the invaders enough time undetected to access classified information across both the public and private sectors.
In early December, a California-based cybersecurity corporation, FireEye, discovered that it had suffered a cyberattack. The company tracked the malware’s origin back to a March update of the Orion software. The operating system, developed and distributed by SolarWinds, is used globally by hundreds of thousands of institutions and businesses, including most of the Financial Times Global 500 companies, to detect vulnerabilities in their networks. By design, therefore, the system has a complete overview of all the processes within a network, both internal and external, making it a valuable target for cyberattacks.
Once the scale of the breach had been realized, Kevin Thompson, the CEO of SolarWinds, quickly announced the corporation was working closely with FireEye, the FBI, and the Cybersecurity & Infrastructure Security Agency (CISA) to investigate the attack and to counteract further infection of American networks and, potentially, theft of federal secrets. Furthermore, together with the Director of National Intelligence, the three institutions formed a Cyber Unified Coordination Group, whose sole purpose is to coordinate a holistic response to the incident. CISA has also remained in regular contact with the public and private sectors to help them counteract the breach of their data by offering technical assistance and advising on best practices that should strengthen their cyber safety. Although the actions undertaken seem impressively coordinated, one should remember that the information stolen will remain in the hands of the aggressor. In an alert by CISA we can read that “removing [the] threat actor from compromised environments will be highly complex and challenging for organisations.” We also learn that the invader employed “tactics, techniques, and procedures that have not yet been discovered.”
It was not, however, the infiltration strategy itself that was unexpected; known as the “supply-chain” method, the tactic involves accessing a target’s information by corrupting a reliable, trusted third party (the Orion software in this case). Rather, the attackers gained a crucial strategic advantage through their judicious, silent approach. They did not hurry to extract information as soon as possible – instead, they acknowledged that a more careful and restrained approach ‘today’ would enable better results ‘tomorrow’. The malware methodically analyses the value of each client it reaches with respect to the strength of their credentials, corrupting more and more connections. It meticulously builds a network until a top-priority user with enough accreditations within their organisation’s systems is reached. Then, it extracts classified information without raising any concerns about its legitimacy. Thanks to this method, the attackers managed to remain in the foreign systems for nine months without the victim even noticing their presence.
This incredibly clever tactic was quickly assumed by American authorities to be a product of a nation-state rather than an independent group of hackers. The complex military-like design and its perfect execution must have required large working capacity and resources. Yet while officials handling the crisis did not point in the direction of any specific country, others did. Experts quickly identified the tactical similarities between the ongoing breach and the attack carried out by Russian military hackers in 2017 against Western companies engaged in business in Ukraine. The virus called NotPetya has been described as “the most damaging cyberattack to date” – whether it will retain this notorious title remains to be seen. Only on January 5 did the U.S. officially attribute the breach to the Kremlin in a joint statement by the FBI, Department of Homeland Security, Director of National Intelligence, and the National Security Agency, calling it “likely Russian in origin.” While this accusation, perhaps backed by evidence, is still uncertain and rather diplomatic in its nature, some politicians made bolder claims as early as December. Those of Mike Pompeo, the Secretary of State, and William Barr, the then-Attorney General, proved consistent with the recent findings, unlike those made by Trump. The former president took a surprising approach to the problem, which his administration assessed as posing a “grave risk” to government networks as well as private companies. Not only did Trump never bring the cyberattack to the public debate, but he also accused the media of inflating the severity of the breach. Additionally, he mistakenly put the blame on China.
According to Chris Painter, the coordinator of the State Department’s cyber policy during Obama’s presidency, America’s cybersecurity was not one of Trump’s priorities. By contrast, the national security team of Biden’s administration has already announced that it will be less tolerant of Russia’s aggression in the cyber sphere. We should soon find out if this means allocating more resources to the research, development, and maintenance of the protective infrastructure, or adopting a stricter diplomatic and economic response on the federal level. However, since cyber operations share more common ground with espionage than with covert military actions, one can never be entirely sure where an attack comes from, nor have uncompromised evidence to prove one’s accusations. This fact largely restricts the scope of retaliatory mechanisms and makes them more vulnerable to condemnation in the international forum or, worse, by the initial aggressor itself – thus giving room for an escalating tit-for-tat.
For now, however, the scale of harm has not yet been evaluated and is unlikely ever to be – just as was the case with the impact of the betrayal by George Blake, who spied for the Soviet Union within the British government during the Cold War era. Indeed, the ongoing breach is on many levels similar to traditional espionage. Russian spies are trained for years before being “planted” in the region of interest – so must have been the process of designing and developing the malware. Their main objective in the first months on the enemy’s terrain is to blend in – so did the malware remain silent for months, literally. This not-yet-named, though certainly worthy of a ‘title’, virus is a masterpiece of intelligence – in both meanings of the word. What the West must now do is to humbly learn the lesson. Moscow is becoming increasingly confident and efficient in its cyber-operations. From trying to hack into the White House and the Democratic Party systems in 2014 and 2015, to meddling in the 2016 American elections, to trying to steal the secrets of the work on a coronavirus vaccine from the US, Canada, and the UK in 2020, the reach of Russian hybrid attacks has been truly global and increasingly successful – with the most recent virus present also beyond America in the European Parliament, UK central government and National Health Service, or NATO Support Agency, to name just a few. Worryingly, these cases have received disproportionately little coverage from the media.
To prevent a larger-scale supply-chain attack in the future, NATO must work collaboratively with its members to improve its cyber-resistance. Moreover, it should nudge the less technologically developed of its states to catch up with the work. Accessing classified information in one country’s government systems may disclose the secrets of other states, too, thus enabling the build-up of an infected network, but this time across federal units. We are yet again reminded that only through unity and mutual cooperation can we protect our liberties and democratic values.
This article was originally published on “Polish Daily News” and “Polish Express”.
Author: Jędrzej Duszyński
Alumnus of Worth School, a British independent school, where he pursued Sixth Form education on a full academic scholarship. Alumnus and volunteer at United World Colleges Poland. He gained professional experience during a research internship at the Institute of Economic Affairs and a consulting work placement at Oliver Wyman, London. He currently works as a Project Assistant at the Warsaw Institute think tank.
All texts published by the Warsaw Institute Foundation may be disseminated on the condition that their origin is credited. Images may not be used without permission.