The US may conduct offensive cyber operations against targets in Russia within weeks in retaliation for the widespread SolarWinds Orion supply chain attacks, even as the government’s cyber security teams deal with further fallout from last week’s disclosure of four dangerous vulnerabilities in Microsoft Exchange Server.
As reported by the New York Times, which cited unnamed government officials, some kind of response could come before the end of March. The newspaper said the response was likely to take the form of actions inside Russian government networks that would send a clear signal to Moscow while remaining less evident to outsiders.
At the same time, the newspaper’s reporting reinforced speculation about an upcoming executive order from President Biden designed to strengthen the security of US government networks against future cyber attacks.
Matthew Connor, senior service delivery manager at F-Secure, said retribution for nation state-ordered cyber attacks was of course not uncommon, as shooting wars have become somewhat passé. In this light, he said, such a move from the Biden administration was to be expected, but teasing this plan via leaks to the press carries some degree of risk for the Americans.
“The difference could be if one side publicly defines the rules that they are going to play with in the future,” said Connor. “Such rules might provide a useful deterrent to antagonists, but might also create internal discomfort when managing essential foreign relationships.
“In this case, the damage is twofold. Clearly, valuable information has been lost and, worse, it is now public. Russia can deny, despite how strong the evidence might be, and escalate any actions taken against them. A new president has to show strength, but this one might have wanted to keep any necessary retribution out of the public eye.”
Meanwhile, researchers at Secureworks’ Counter Threat Unit have today published new evidence that another China-based advanced persistent threat group, dubbed Spiral, may have been behind the Supernova intrusion into the SolarWinds Orion platform. Supernova was discovered by Palo Alto’s Unit 42 in December 2020, but it was quickly assessed as unrelated to the Russia-linked supply chain attack on the same platform: Supernova is a web shell planted on an already-compromised Orion server, not a trojanised build shipped by SolarWinds.
Secureworks said the group exploited the CVE-2020-10148 authentication bypass vulnerability in an internet-facing SolarWinds Orion server to deploy the Supernova web shell, which enabled them to move laterally across the target network and obtain credentials, although Secureworks’ incident response team stopped them before any data could be taken.
Secureworks said the nature of the actor’s movements suggested it had prior knowledge of the victim’s set-up, and through further investigation the researchers were able to link the activity back to an earlier series of attacks on the same network that exploited a vulnerable ManageEngine ServiceDesk instance. A number of other shared tactics, techniques and procedures then enabled them to establish a link to the Spiral group.
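The intrusion chain Secureworks describes (CVE-2020-10148 bypass followed by the Supernova web shell) leaves traces in the Orion server’s IIS logs, and a defender triaging an Orion host would want a quick way to hunt for both. The script below is an added example written for this article, not Secureworks’ or SolarWinds’ code. It assumes two things that are not stated in the article but come from public reporting: the path-info strings that make the Orion API skip authentication under CVE-2020-10148 (listed in the CERT/CC note VU#843464), and the fact that Supernova masquerades as the Orion `logoimagehandler.ashx` handler and reads the `clazz`, `method`, `args` and `codes` query parameters. The log lines are constructed for the example.

```python
"""Hunt IIS W3C logs for CVE-2020-10148 auth-bypass and SUPERNOVA web-shell traffic.

Added example for this article; not code from Secureworks or SolarWinds.
"""
from urllib.parse import parse_qs

# Path-info strings that cause the Orion API to skip authentication
# (CVE-2020-10148; assumption taken from the public CERT/CC note VU#843464,
# not from the article itself).
BYPASS_MARKERS = ("WebResource.adx", "ScriptResource.adx", "i18n.ashx", "Skipi18n")

# SUPERNOVA replaces the Orion logo handler; the shell takes attacker-supplied
# C# via these query parameters (assumption from public reporting).
SUPERNOVA_HANDLER = "logoimagehandler.ashx"
SUPERNOVA_PARAMS = {"clazz", "method", "args", "codes"}

# Constructed sample log (not real data), in the W3C extended format IIS writes.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-12-14 09:12:01 GET /Orion/Login.aspx - 10.0.0.5 200
2020-12-14 09:12:07 GET /SolarWinds/InformationService/v3/Json/Query/WebResource.adx query=SELECT+Caption+FROM+Orion.Nodes 203.0.113.9 200
2020-12-14 09:12:09 GET /Orion/logoimagehandler.ashx codes=dGVzdA%3D%3D&clazz=Evil&method=Run&args=whoami 203.0.113.9 200
2020-12-14 09:13:00 GET /Orion/logoimagehandler.ashx id=3 10.0.0.5 200
2020-12-14 09:13:12 POST /Orion/Services/Information.asmx/Skipi18n - 203.0.113.9 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ", len(fields) - 1)
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than crash the hunt
        yield dict(zip(fields, parts))


def classify(rec):
    """Return a finding tag for a suspicious request, or None for benign traffic."""
    stem = rec["cs-uri-stem"].lower()
    query = rec["cs-uri-query"]
    # Any API path carrying a bypass marker is the CVE-2020-10148 pattern,
    # regardless of which API method follows it.
    if any(marker.lower() in stem for marker in BYPASS_MARKERS):
        return "cve-2020-10148-bypass"
    # A legitimate logo request carries an image id; the web shell is driven
    # by the clazz/method/args/codes parameters instead.
    if stem.endswith(SUPERNOVA_HANDLER):
        params = set(parse_qs(query).keys()) if query != "-" else set()
        if params & SUPERNOVA_PARAMS:
            return "supernova-webshell"
    return None


def hunt(text):
    """Return (client ip, uri stem, tag) for every flagged request in the log."""
    findings = []
    for rec in parse_w3c(text):
        tag = classify(rec)
        if tag:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], tag))
    return findings


if __name__ == "__main__":
    for ip, stem, tag in hunt(SAMPLE_LOG):
        print(f"{tag:24} {ip:15} {stem}")
```

Two caveats for real use: the handler name and parameter names identify the publicly reported Supernova variant only, so a re-tooled shell would need a disk check of the Orion web directory as well as log review; and because Orion returns HTTP 200 for successful bypassed API calls, status codes alone are no signal, which is why the script keys on the URI rather than on `sc-status`.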