This article originally appeared on FCW.
Over the past weeks, U.S. government agencies, critical infrastructure entities, and private sector organizations have been scrambling to address what is now being considered a “significant cyber event.” Though comprehensive damage assessments could take months, we know that the impact of the SolarWinds attack will likely result in demonstrable harm to U.S. national security interests.
Hackers have breached the Departments of Defense, State, Homeland Security, Treasury, Commerce, Energy (including the National Nuclear Security Administration, which manages the country’s nuclear stockpile) and the National Institutes of Health. Among other compromises, the breaches allowed the actors to monitor internal email traffic at these government agencies. And the most concerning aspect — the event is not over.
By all accounts this adversary is highly sophisticated, has shown an ability to exploit software supply chains, is making extensive use of anti-forensic obfuscation techniques and is targeting key personnel and incident response staff. In fact, the Cybersecurity and Infrastructure Security Agency (CISA) at DHS has determined that the threat poses “a grave risk” to impacted organizations, based on the demonstrated patience, operational security, and complex tradecraft observed in the intrusions. Given that profile, we should assume that the actors are still lurking in these sensitive networks and have created alternate access points that we have yet to discover.
With unfettered access to these networks, the adversary is, right now, likely observing the very communications being used to orchestrate internal defensive measures. They are watching as incident responders use their security infrastructure to increase detection, set up alerts and reporting, and pursue remediation. The adversary is quietly observing executives, customers, partners, and law enforcement collaborate on assistance, implications, narrative, and strategic next steps. The intelligence gleaned from this level of visibility will enable the adversary to pivot before being discovered. They are collecting critical insight into tactics, timing, standard operating procedures, contacts, checklists and secondary information to improve their tradecraft and their foothold in the network.
According to DHS/CISA, discussion of findings and mitigations or external communications to stakeholders and media should be considered very sensitive and organizations should use out-of-band communications in these cases. This type of communication method must be end-to-end encrypted, approved by the organization for enterprise use and compliance, and offer the necessary capabilities (e.g., voice, video, messaging, file share) to coordinate while networks cannot be trusted. Using unauthorized communication methods, such as consumer-based secure applications or shadow IT, should be strictly prohibited as it could result in breaches of regulatory or compliance policy, only making a bad situation worse.
The scope of this attack is shaping up to be the worst in decades. Crisis situations like this one can induce the fog of war and lead to tradeoffs during remediation. While some seem ready to dismiss the hack as routine espionage, the scope of the campaign and the precision in targeting specific U.S. defense and national security interests are chilling. While we may not know the full extent of the damage for some time, as is always the case in an event like this, we need to stop the bleeding. We must not afford the adversary an easy path to more information.
Operational security measures addressing sensitive communications are imperative as a critical first line of defense, to ensure that enterprises and government agencies can defend themselves against further compromise and to establish strong, resilient crisis response plans to prevent and mitigate future intrusions.