The SolarWinds Hack and the Perils of Attribution
The broad and ongoing compromise of U.S. government and corporate networks has yet again affirmed a truism of conflict and espionage in the digital age: Identifying who is behind cyber intrusions is both exceptionally difficult and politically fraught.
On Tuesday, the Cyber Unified Coordination Group, the multi-agency task force stood up by the U.S. National Security Council to investigate and respond to the SolarWinds compromise, issued a joint statement alleging that hackers “likely Russian in origin” were behind the intrusion, offering the first official indication that the government believes the attacks were ordered by the Kremlin.
But nearly a month after the compromise was first detected, none of the private security companies that are leading the investigation into the intrusions—and often provide the forensic data necessary to identify the perpetrators behind state-sponsored cyber-campaigns—have definitively pinned the blame on Russia, let alone any specific group of Russian cyber operators.
The Record contacted many of those companies to ask what makes the ongoing intrusion so difficult to attribute, how confident they are about who did it, and whether they think attribution is forthcoming. Many were tight-lipped, only offering to speak off-the-record about an ongoing investigation. But cybersecurity experts and people who have studied the compromise said that they expect the attribution of the SolarWinds campaign to be a slow, methodical process—and one that carries big risks given the stakes.
“Attribution isn't like detective movies—there isn't always a Eureka moment,” said John Wetzel, a threat intelligence expert at Recorded Future who published a report last Thursday that cautioned observers against racing to judgment on the SolarWinds campaign without more definitive evidence.
“Analysis is more than one smoking gun and different analysts can come to different conclusions based on the totality of information,” continued Wetzel. “And that is okay.”
How Companies Attribute
Cybersecurity experts who have studied the SolarWinds intrusion said that the hackers behind the campaign demonstrated an exceptional degree of care and skill to avoid raising forensic red flags once they slipped into victim networks, making it hard for analysts to identify them.
But the inability to prove that the group privately alleged to be behind the hack—the SVR, Russia’s foreign intelligence service—is actually responsible for it may also speak to one of the common dilemmas of cyber attribution, explained Joe Slowik, a researcher at threat intelligence company DomainTools LLC: the less one sees a group, the less one is able to recognize it.
“We’re looking at something that just looks and behaves differently from what we have historically associated with APT29,” said Slowik, referring to one of the names used by industry to identify hackers working for the SVR. “Part of the problem is that APT29 has gotten a little fuzzy over the years, as they have not been as active in terms of publicly revealed and documented activity.”
Slowik, who is not working directly on the attribution of the ongoing intrusion but has written extensively on the subject, also pointed out the gulf between the way private companies and the general public think about attribution.
Threat intelligence companies are primarily concerned with “how”-based attribution, which uses historical threat behavior to identify hacker groups, said Slowik, whereas the public values “who”-based attribution, where one identifies the culprits behind a given campaign.
That type of attribution takes longer for the private sector to arrive at because it requires a high evidentiary standard, and identifying who the attackers are is not necessarily a priority for defenders, explained Wetzel.
“Clarity for some—maybe based on the combination of targets, tooling, and motivation—isn't consensus for all,” he said. “Good defense identifies gaps and prioritizes them, based on attacker actions. For defense, the ‘why’ and ‘how’ are more important than the ‘who.’”
Tracking the Hackers
One of the most important, and overlooked, parts of the attribution process is the collection of digital forensic data.
Cybersecurity companies have differential visibility into cyber campaigns based on a wide array of factors, including the size and nature of their client base, software, access to third-party data sources, and how large of a footprint hackers leave.
While the backdoor inserted into SolarWinds’s Orion enterprise management software was delivered to roughly 18,000 of the firm’s clients, the hackers behind the intrusion have thus far exploited that backdoor on only about 250 networks, according to the New York Times.
The two firms with the greatest visibility into the SolarWinds campaign are likely FireEye and Microsoft, analysts say. FireEye and Microsoft work with the type of high-value clients the hackers have targeted, and the firms have been collaborating on their investigations, suggesting they may have been able to share data, knowledge, and expertise across their networks.
Ironically, the intrusions into those two firms may also have given them a leg up in the investigation, offering a first-person view of who the intruders are and what type of information they are interested in. No other security company involved in the investigation has reported being breached, though both Palo Alto Networks and CrowdStrike were targeted, according to statements by both firms.
Neither Microsoft nor FireEye would comment on their investigations for this story, but executives at both firms have made public remarks that suggest they are further along in their analysis than other cybersecurity firms.
Last month, in an appearance on Face the Nation, FireEye CEO Kevin Mandia stressed that the company needed more time to get to “100% confidence” on attribution. When pushed, he conceded that the attack was “very consistent” with Russia’s SVR.
In a blog post in mid-December, Microsoft President Brad Smith used the attack to call for a “moment of reckoning” on cybersecurity. Smith did not name the suspect in the ongoing case, but the statement cited past Russian digital attacks five times. By contrast, he mentioned North Korea once, and Iran and China zero times.
Private Companies Fill the Vacuum
A major reason many still look to the private sector to attribute cyber-attacks is that they are so prolific at doing so, whereas government officials often remain quiet.
Between 2016 and the first quarter of 2018, researchers at the University of Georgia Tech found that private companies attributed 48 cyber incidents that governments did not attribute, whereas governments attributed only 15. Both attributed the same incident on 7 occasions.
But the very idea that companies should be assigning blame for cyber-attacks is controversial.
Private companies benefit when they are able to pin the blame for high-profile campaigns on foreign governments, which in turn creates an incentive to exploit the public’s misunderstanding of attribution, said Slowik, the DomainTools researcher.
“It seems like organizations want to have it both ways. They are doing behavior-based tracking (‘how-based’ attribution) but retaining entity-based attribution (‘who-based’ attribution) for the marketing value,” said Slowik, who did not suggest that any companies have crossed that line when it came to the SolarWinds intrusion.
Another issue is that companies do not have the same legal and investigative tools as governments, which means they cannot provide as much evidence as governments, said Costin Raiu, the Director of Global Research & Analysis at cybersecurity firm Kaspersky.
Raiu said he believes that threat intelligence companies will eventually be able to attribute the SolarWinds compromise, though he suggested that private companies would not be able to provide the smoking gun that governments require when assigning blame.
“We can connect new attacks to existing threat actors, with various degrees of confidence, through code re-use, infrastructure re-use or other tactics, techniques and procedures,” Raiu explained. “We believe detailed or precise attribution is better left to law enforcement agencies.”
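The kind of “how”-based attribution Slowik and Raiu describe (scoring overlaps in code, infrastructure and tactics against known actor profiles, with a confidence level rather than a verdict) can be sketched in code. The following Python is an added illustration, not part of the original article and not any vendor’s actual methodology. The actor names, indicator values and evidence weights are constructed for the example; only the MITRE ATT&CK technique IDs are real identifiers, used here as behavioural labels.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Evidence classes and their weights. The weights are an assumption made for
# this illustration: reuse of distinctive code counts as stronger evidence than
# infrastructure reuse, which in turn counts more than TTP overlap, because
# TTPs are widely shared and easily imitated, while infrastructure can be
# bought, rented or deliberately planted to mislead analysts.
WEIGHTS: Dict[str, float] = {"code": 3.0, "infra": 2.0, "ttp": 1.0}


@dataclass(frozen=True)
class Evidence:
    """Artifacts observed in one intrusion, or accumulated for one actor."""
    code: Set[str]   # hashes or names of distinctive reused components
    infra: Set[str]  # domains, ASNs, certificate fingerprints
    ttp: Set[str]    # MITRE ATT&CK technique IDs observed

    def by_class(self) -> Dict[str, Set[str]]:
        return {"code": self.code, "infra": self.infra, "ttp": self.ttp}


def score_actor(observed: Evidence, profile: Evidence) -> Dict[str, object]:
    """Weighted count of overlaps between the intrusion and one actor profile."""
    obs, prof = observed.by_class(), profile.by_class()
    matches = {cls: sorted(obs[cls] & prof[cls]) for cls in WEIGHTS}
    score = sum(WEIGHTS[cls] * len(matches[cls]) for cls in WEIGHTS)
    return {"score": score, "matches": matches}


def confidence_label(score: float, margin: float) -> str:
    """Confidence depends on both the absolute weight of evidence and how far
    ahead of the runner-up an actor is; the thresholds are an assumption."""
    if score >= 6.0 and margin >= 3.0:
        return "high"
    if score >= 3.0 and margin >= 1.0:
        return "moderate"
    if score > 0.0:
        return "low"
    return "insufficient"


def attribute(observed: Evidence,
              profiles: Dict[str, Evidence]) -> List[Dict[str, object]]:
    """Rank candidate actors for an intrusion, best match first."""
    scored = {name: score_actor(observed, prof) for name, prof in profiles.items()}
    results = []
    for name, result in scored.items():
        others = [r["score"] for n, r in scored.items() if n != name]
        margin = result["score"] - (max(others) if others else 0.0)
        results.append({"actor": name,
                        "score": result["score"],
                        "matches": result["matches"],
                        "confidence": confidence_label(result["score"], margin)})
    return sorted(results, key=lambda r: r["score"], reverse=True)


# Constructed actor profiles (hypothetical actors; indicator values are
# placeholders drawn from reserved documentation ranges).
PROFILES: Dict[str, Evidence] = {
    "ActorAlpha": Evidence(code={"loader_v2_hash"},
                           infra={"cdn-update.example", "AS64500"},
                           ttp={"T1195.002", "T1078", "T1027"}),
    "ActorBeta": Evidence(code={"dropper_x_hash"},
                          infra={"stat-collector.example"},
                          ttp={"T1078", "T1027", "T1105"}),
}

# Constructed observations from a hypothetical intrusion, in three variants.
# Variant 1: behaviour and one piece of infrastructure overlap, no code reuse.
OBSERVED_TTP_AND_INFRA = Evidence(code=set(), infra={"AS64500"},
                                  ttp={"T1195.002", "T1078", "T1027"})
# Variant 2: the same, plus a distinctive reused component.
OBSERVED_WITH_CODE_REUSE = Evidence(code={"loader_v2_hash"}, infra={"AS64500"},
                                    ttp={"T1195.002", "T1078", "T1027"})
# Variant 3: only common techniques seen, shared by both candidates.
OBSERVED_TTP_ONLY = Evidence(code=set(), infra=set(), ttp={"T1078", "T1027"})

if __name__ == "__main__":
    for label, obs in [("ttp+infra", OBSERVED_TTP_AND_INFRA),
                       ("with code reuse", OBSERVED_WITH_CODE_REUSE),
                       ("ttp only", OBSERVED_TTP_ONLY)]:
        print(f"--- {label} ---")
        for r in attribute(obs, PROFILES):
            print(f"{r['actor']:<11} score={r['score']:<4} "
                  f"confidence={r['confidence']:<12} matches={r['matches']}")
```

The three variants make Wetzel’s point concrete: the same behavioural overlap yields only a “low” call for two actors when nothing else distinguishes them, becomes “moderate” once infrastructure ties it to one, and reaches “high” only when distinctive code is reused. Which weights and thresholds to use is itself an analytic judgement, which is why different teams working from the same artifacts can land on different conclusions.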
Definitive, who-based attribution nonetheless is increasingly within the reach of private companies, said Bruce Schneier, a security technologist and Lecturer in Public Policy at Harvard University’s Kennedy School.
In 2014, after the Obama Administration accused the North Korean government of launching a cyber-attack against Sony Pictures Entertainment, Schneier publicly questioned the government’s assessment.
But Schneier said that both the private sector and the government have advanced so far over the past six years in terms of their ability to track and attribute foreign cyber-intrusions that he no longer doubts their judgement.
Schneier said he has full confidence that Russia is behind the SolarWinds compromise, but he acknowledged that the way the attack has been attributed—only unofficially, through intelligence leaks and what he considers the tacit assent of companies like FireEye and Microsoft—was problematic. (The Record spoke to Schneier before the Cyber Unified Coordination Group issued its statement about the hack on Tuesday.)
“I’d rather it be governments that attribute intrusions like this, that the NSA would just come out and say it. But because they are so reluctant to, we’re stuck trusting companies like FireEye.”