SolarWinds Cyber Attack - Connecting the dots
Tommy Babel
Cyber Resilience | Critical Thinking | Offensive Security | Purple Teaming | Threat Intelligence | Enterprise Architecture | Business-Technology | Management Consulting | Prompt Engineering | Cyboard
We have just witnessed one of the most carefully planned, orchestrated and executed targeted cyber-attacks of the past few years. The level of sophistication around the SolarWinds cyber-attack suggests there is more to it than the usual state-sponsored cyber-attack.
Looking at past attacks attributed to Russian intelligence agencies, the SolarWinds cyber-attack has the signatures of more than one intelligence agency written all over it: from the advanced research capabilities and the idea of attacking a specific mission-critical software provider, through the level of sophistication in the technical execution of the attack, to the discipline of targeting only strategically pre-chosen US government agencies and high-profile US companies.
In the past decade, cyber-attack activities have been attributed to specific Russian intelligence agencies: the Federal Security Service (FSB), responsible for intelligence-gathering and counterintelligence, and the GRU (Russian military intelligence agency), responsible for foreign intelligence and cyber-strategies.
The GRU operates both as an intelligence agency, collecting human, cyber and signals intelligence, and as a military organization responsible for battlefield reconnaissance and the operation of Russia's Spetsnaz forces. Spetsnaz brigades are an elite light infantry force designed to conduct battlefield reconnaissance, sabotage, and small unit direct action missions.
In his 2018 confirmation hearing to head U.S. Cyber Command and the National Security Agency, General Paul K. Nakasone said, “as the most technical, advanced potential adversary in cyberspace, Russia is a full-scope cyber actor, employing sophisticated cyber operations tactics, techniques, and procedures against U.S. and foreign military, diplomatic, and commercial targets, as well as science and technology sectors.”
Federal indictments indicate that, to develop its cyber capabilities, the FSB has relied on recruiting talented individuals from the cyber-criminal community, such as the Turla Group, who already practiced supply-chain attacks, specifically taking advantage of widespread software companies and maliciously infecting their software. Due to its history of conducting signals intelligence and disinformation operations, the GRU has sought to cultivate talent internally and has developed multiple recruiting pathways.
The GRU has conducted numerous aggressive, malicious and wide-ranging cyber operations against multiple targets around the world, and the US in particular. Its cyber capabilities consist of two units: Unit 26165, also known as APT28 or 'FancyBear', and Unit 74455, also known as 'Sandworm', which was responsible for the 2015 cyber-attack on Ukraine's electrical infrastructure and the 2017 'NotPetya' malware attack. Both are linked to another unit, operated by the FSB and also known as APT29 or 'CozyBear', which is reportedly responsible for the current SolarWinds cyber-attack.
In recent years it became apparent that these malicious groups were not just looking to gather intelligence, but to infiltrate systems, install backdoors, hijack physical machinery and orchestrate physical consequences.
In July 2020 (deep into the SolarWinds hack), Russia's Ambassador to the UK, Andrei Kelin, gave an interview to Sky News, claiming that Russia itself was frequently targeted by cyber-attacks and calling for the creation of a convention on cyber-warfare: "We would like to set up a normal order, under the UN auspices, probably a convention, which would provide for easily understandable rules of cooperation," Kelin said. "Otherwise there will be a cyber chaos." Was that statement based on prior knowledge of what was happening as he spoke? Was it a threat or a hint of what was coming? You be the judge of that!
Comment (4 years ago): https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/
Comment (4 years ago): https://www.reuters.com/article/us-global-cyber-solarwinds/solarwinds-hackers-linked-to-known-russian-spying-tools-investigators-say-idUSKBN29G0XT