SolarWinds Attribution: Are We Getting Ahead of Ourselves?
December 30, 2020 • John Wetzel
Note: This blog is an abstract of an in-depth analysis on SolarWinds attribution. Download the complete analysis here.
A previous version of this report incorrectly attributed the disclosure of Jake Williams’ work for the National Security Agency’s Tailored Access Operations group to Sandworm. This disclosure was conducted by ShadowBrokers.
The recent expansive intrusion campaign against over half a dozen government agencies and an as-yet unknown number of other organizations, carried out through malicious backdoors in the SolarWinds Orion platform, is already one of the most significant acts of cyber espionage in history. This intrusion, dubbed SUNBURST/Solorigate, appears intended for information theft and espionage rather than destruction, placing this campaign within the realm of counterintelligence, not just incident response. Analyzing the incident as a counterintelligence matter may supply the descriptive language it currently lacks, in place of the binary label of “sophisticated” or deep technical analysis that can add to the confusion for network defenders. Additionally, only a handful of companies have the direct access and the investigative resources to gain meaningful insight into the technical components of the backdoor. The actor is a different story.
Like most complex, public intrusions, attribution has been messy. FireEye has named the actor behind this intrusion “UNC2452,” and Volexity dubbed the threat actor “Dark Halo,” stating that the actor is the same as UNC2452, though FireEye has not substantiated that claim. Adding further complexity, Washington Post correspondent Ellen Nakashima cited unnamed government sources claiming Russian actors, in particular APT29, are responsible for the attack. Members of the U.S. Congress have also publicly accused Russia, and in particular the Russian Foreign Intelligence Service (SVR), as the responsible party, and added calls for response. Microsoft President Brad Smith has also called for strong action. While we expect these organizations have far more insight into the nature of the breach, as well as classified sources of intelligence information, calls for strong response should include publicly disclosed information to support accusations.
Public evidence for these claims is currently scant. Some, including Jake Williams, who runs Rendition Security and teaches for the SANS Institute, have said that technical evidence is forthcoming, but cannot be disclosed without tipping off the adversaries to their missteps and giving them a means to cover their tracks. Still, the lack of public evidence gives rise to claims that other actors, perhaps even other countries, may be responsible, a claim made by President Donald Trump as well.
Intelligence analysis, properly conducted, combats bias. Bias can lead to missteps in policy. Engaging in policy discussions about proportional responses (or, at times, very disproportionate responses) without strong evidence is potentially dangerous. As rumors of attribution to Russia circulate, attribution ahead of evidence is premature and myopic, biasing the analyst toward only certain behaviors and actors. Further, intelligence analysis provides both strategic and tactical guidance for responses. At the strategic level, it helps ensure that responses are coordinated and proportional. At the tactical level, defenders can apply intelligence to seed proactive activities, such as hunting for behaviors after indicators run dry.
Among information security researchers, some discussion has occurred regarding the possibility that alternate actors, such as APT41, may ultimately be found responsible. APT41, also known as Winnti and Barium, has been linked to the People’s Republic of China, and has previously conducted attacks which invite comparison with the SUNBURST/Solorigate attack. (Note: Recorded Future has synonymized several named groups, including APT41, Axiom Hacking Group, Barium, Blackfly, Dogfish, Ragebeast, Wicked Panda, and Winnti Group, as Winnti Umbrella Group.) In March 2017, APT41 executed a supply chain attack by breaching the company which made CCleaner, a system cleaner software. Researchers from Cisco Talos and Morphisec uncovered the campaign, which ultimately spread to 2.27 million computers. While these comparisons fall well short of the requirements for attribution, APT41 does merit consideration as a candidate actor group responsible for the SUNBURST/Solorigate breach. Enter threat intelligence.
We approached our analysis using existing techniques in order to focus on attribution and adversary mapping. We pursued methodologies including mapping MITRE ATT&CK techniques, victimology, temporal indications, and the historic use of indicators to gain insight into attacker motivation and intent. We analyzed both public information and information from Recorded Future’s historic index to determine a set of unique characteristics of this campaign. Our goal was not to conclusively attribute this attack, but rather to review the existing data through the lens of intelligence analysis and contribute to the conversation on adversary tracking.
To read our in-depth analysis, download the complete report.