After much anticipation and hints, the U.S. Government announced a series of measures to respond to recent Russian actions against the United States, including the SolarWinds intrusion campaign. The measures underscore that companies are not in a position to defend against nation-state actors on their own and should not be left to do so, and that the U.S. Government will take steps to impose consequences and change the norms to make clear that widespread and costly intrusions on private companies are unacceptable. The initial actions taken by the U.S. Government include:
Together, these actions represent a multi-pronged initial response by the U.S. Government that seeks to impose economic and strategic costs on Russia, and to generate a new norm in cyberspace.
We provide detailed analysis of the new sanctions against Russia (as well as the expulsion of ten Russian diplomats) in an accompanying client alert.
First, the U.S. Government formally attributed the SolarWinds incident to the Russian SVR and characterized the incident as a “broad-scope cyber espionage campaign.” The White House statement also noted that the U.S. Intelligence Community has high confidence in the attribution, but did not provide any further details about the basis of its assessment. The U.S. Government had previously said only that the threat actor was “likely Russian in origin.”
Leaving aside the intrigue of spy craft, from a private-sector perspective the attribution is relevant because it may shed light on the motivations of the responsible actors, particularly for entities that are investigating activity on their networks related to the SolarWinds campaign. While the specific objectives of the hackers remain unknown to the general public, the SVR is known for quiet intelligence collection against high-value public and private-sector entities for traditional espionage purposes. It is not known for financially motivated intrusions or destructive attacks. Understanding those motivations may be helpful in directing investigative priorities (for example, prioritizing review of data access and exfiltration over looking for ransomware or sabotage) as well as in responding to customer and auditor inquiries.
Second, the U.S. Government released an NSA-CISA-FBI advisory that provides additional information about the SVR’s tradecraft, as well as a CISA Malware Analysis Report (developed in partnership with U.S. Cyber Command) that received significantly less press attention but is invaluable from a technical perspective. The reports, which follow earlier private-sector analyses that also shared information about the hackers’ methods, reflect a government effort to degrade the capabilities of Russian hackers by exposing their malware and publicly sharing information about cyber threats so they can be more easily detected and defended against. This information can be very helpful for teams seeking to identify whether they have been a victim of the SVR campaign and to take actions to prevent attacks of this nature in the future.
The NSA-CISA-FBI advisory centralizes information about vulnerabilities the SVR is known to have exploited and provides recommendations regarding potential mitigation actions that entities can take. While CISA has already publicly released information about the risks associated with the SolarWinds supply-chain compromise and provided remediation steps for potentially impacted entities, the new joint advisory offers additional information about other vulnerabilities and techniques that continue to be leveraged by the SVR.
The Malware Analysis Report (MAR) provides a more granular assessment of the tools the SVR used in the SolarWinds compromise, including detailed analyses of 18 files associated with the compromise. It also provides, where applicable, metadata, general descriptions of how the files were executed, YARA rules, file relationships, relevant screenshots, and configuration formatting. The U.S. Government has made similar disclosures previously, including with respect to North Korean and Russian hacking tools.
There is an increasingly large body of content that is shared by FBI, CISA, U.S. Cyber Command, and other government entities to aid in protecting the private sector—organizations may wish to incorporate these reports and advisories into their cybersecurity programs as a way to demonstrate the robustness of their cybersecurity efforts.
The U.S. Government’s decision to take action against Russia for the SolarWinds compromise (notwithstanding the Intelligence Community’s assessment that it was an espionage campaign) reflects an effort to craft a new norm in cyberspace: that cyber espionage campaigns should not impact thousands of private-sector computer systems, result in millions of dollars in mitigation costs, and trigger concerns about public safety. This decision attempts to signal that the scope of the SolarWinds compromise went beyond a traditional espionage campaign and merited a response. It is also yet another indication that the U.S. Government intends to take more affirmative steps to protect private-sector victims of malicious cyber activity and a recognition that the private sector should not be expected to defend against these kinds of attacks on its own.
The announcement also expressed the need for a global cybersecurity approach, warning that “Russia’s actions run counter to” the goal of “an open, interoperable, secure, and reliable Internet.” To counter these actions, the Administration announced that it is providing a course for policymakers around the world on attribution of cybersecurity incidents, reflecting an effort by the U.S. Government to export U.S. efforts to expose (and perhaps criminally charge) state-sponsored cybercrime. The efforts are also intended to bolster U.S. efforts to provide training to foreign partners on the applicability of international law to state behavior in cyberspace and the non-binding peacetime norms that were endorsed by the UN General Assembly. These are small but positive steps to shape the normative framework for behavior in cyberspace.
The SolarWinds compromise is also an example of the broader Russian government effort to target companies worldwide through supply chain exploitation, and the White House announcement warns about “the risks of using information and communications technology and services (ICTS) supplied by companies that operate or store user data in Russia or rely on software development or remote technical support by personnel in Russia.” Of course, few if any supply chain programs would have effectively spotted malicious code inserted into the build process of a trusted U.S. software supplier and delivered through a signed, legitimate update. Nevertheless, supply chain threats will continue to be a focus of government regulation. For example, last month the Commerce Department promulgated an interim final rule to implement provisions of Executive Order 13873 on Securing the Information and Communications Technology and Services (ICTS) Supply Chain, as we write about here. In its announcement of the SolarWinds intrusion response, the U.S. Government noted that it would evaluate action under that supply chain executive order to better protect information and communications technology services from further exploitation by Russia. We expect supply chain issues to be an area of increased regulation in the coming months, and now is a good time for organizations to take stock of what they are doing to identify and mitigate risk in their supply chains.
Already the target of cyber intrusions and cyber espionage because of the work they perform for the U.S. Government, government contractors may end up carrying a disproportionate amount of the regulatory burden of the U.S. Government’s response. Past espionage activity has led, for example, to restrictions on use of Kaspersky products and of telecommunications equipment from certain jurisdictions. It is likely that the Federal Acquisition Regulation will be amended to address particular risks caused by companies or suppliers that operate or store user data in Russia or that have technical support in Russia and to restrict contractors’ use of such companies or suppliers.
We are likely to see additional government efforts to shore up the nation’s cybersecurity defenses, prompted in part by the SolarWinds campaign. For example, in the coming weeks we expect the Biden Administration to issue an executive order requiring, among other things, mandatory disclosure of cyber incidents for federal contractors, the creation of software bills of materials for critical software being sold to the U.S. Government, requirements for contractors to preserve certain records and cooperate with FBI and CISA, and incentives to encourage additional public‑private information sharing. The U.S. Government is also likely to require certain baseline security enhancements for federal agencies, such as mandatory two-factor authentication and encryption of sensitive data.