Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

Article Contributor(s): Vaishnavi Krishna Mohan

Publisher: Global Views 360

Publication Date: January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputed customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. It is a service provider to over 425 of the Fortune 500 companies, the top 5 U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A set of hackers managed to sneak malicious code into a software update for a SolarWinds tool called “Orion”. Earlier in 2020, the hackers had injected malware into Orion updates released between March and June 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government agencies such as the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs were among the significant users of Orion. In fact, in August 2020 the Department of Veterans Affairs renewed its Orion license in a 2.8-million-dollar order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers had installed the compromised software, which means those customers were exposed to spy operations throughout 2020. The malware inserted in the updates gave the elite hackers remote access to an organization’s network. Since the malware went undetected for months, the hackers had ample opportunity to obtain information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the malware’s capabilities, from initially lying dormant for up to two weeks to hiding in plain sight by masquerading its reconnaissance as “Orion Activity”. In 2016, Russian military hackers used a “supply chain” method to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya. That attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has also been identified as similar to the “supply chain” method.

The Orion software framework contained a backdoor that communicated over HTTP with third-party servers. Cybersecurity firm FireEye has been tracking the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020. It stated,

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as “highly evasive”. Meanwhile, SolarWinds is facing a class action lawsuit filed by a stakeholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit is filed against SolarWinds’ ex-president, Kevin Thompson, and chief financial officer, J. Barton Kalsu, on the grounds of violating federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also mentions that SolarWinds’ update server had a fairly weak and easily accessible password, ‘solarwinds123’.

Microsoft’s internal security research team found evidence that the same hackers had accessed some internal source code in the company’s systems. Microsoft said the attempted activities went beyond the mere presence of malicious SolarWinds code in its environment. Microsoft has an “open source-like culture” that allows teams within Microsoft to view source code. The company acknowledges that this is part of its threat model but downplays the risk, saying that “just viewing the source code should not cause any elevated risk”.

Russian hackers have also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of Austin’s network is an apparent win for the Russian hackers. In theory, the compromise could have given them access to sensitive information on city governance, elections and the city police, and by digging deeper the hackers could burrow into the city’s energy, water and airport networks.

Berserk Bear, the hacking outfit currently believed to be behind Austin’s breach, appears to have used Austin’s network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group called APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB). Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors of the Soviet-era Committee for State Security, widely known as the KGB.

The Austin Council seems to have been aware of the breach since October 2020. The FBI and CISA had published an initial advisory warning of “advanced persistent threat actors” (APTs) on October 9th, 2020. The advisory warned the city council of APTs targeting state and local governments. On October 22nd, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that were breached, scanned or targeted by Berserk Bear. Berserk Bear’s reputation for lurking fits its usual pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that the adversaries have already been in the network for more than a couple of months before anyone discovers their presence. Ruohonen also noted that this technique is especially preferred by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the City of Austin and the U.S. that the Berserk Bear hackers are not just involved in espionage and sabotage. They can gear up at any moment and create havoc in the United States. These Russian hackers can cause city blackouts and disruption of water supply, and can even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says, “We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it.”

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its ex-CEO Kevin Thompson with Mr Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having led Pulse Secure in the recent past. The new CEO publicly stated that the company will be making 5 critical changes to put security front and center. The company also hired ex-CISA chief Chris Krebs and Facebook’s former security lead, Alex Stamos. Krebs and Stamos work as independent consultants helping the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO mentioned that the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.


Read More

April 13, 2021 7:47 AM

Are India's Antitrust laws effective at controlling monopolies?

On 15 July 2020, Reliance Industries Ltd (RIL) held its annual general meeting of shareholders. Chairman and managing director Mukesh Ambani announced that global tech giant Google would be investing $4.5 billion in Jio Platforms. Facebook has also acquired a 9.99% stake in Jio Platforms. This is the first time in the world that both global tech giants have invested in the same entity. These investments have boosted confidence in Jio Platforms and in India’s growth, but there have been questions and speculation about the potentially anti-competitive makeup of these deals.

The objective of this article is to explore the interpretation and effectiveness of antitrust laws in India.

Anti-competitive practices are business practices that firms engage in to emerge as the dominant firm, or one of a few dominant firms, which can then restrict inter-firm competition in the industry in a bid to preserve their dominant status. The Collins English Dictionary defines antitrust laws as laws intended to stop large firms taking over their competitors, fixing prices with their competitors, or interfering with free competition in any way. These laws focus on protecting consumer interests and promoting a competitive market. The word ‘antitrust’ is derived from the word ‘trust’. A trust was an agreement by which stakeholders in several companies transferred their shares to a single set of trustees.

In terms of market dominance in present-day India, Reliance Industries Ltd (RIL) resembles John D. Rockefeller’s Standard Oil Company in early 20th-century America. Mukesh Ambani holds the greatest ability to influence markets and policy in every sector in which RIL is present: petrochemicals, oil, telecom, and retail. Many industry experts and critics suggest that Ambani has used his political clout to twist the regulatory framework in his favor.

Gautam Adani, founder of Adani Group | Source: Twitter

Furthermore, economic power in aviation infrastructure is clustering into a few hands as well. In 2019, the Adani Group bagged the 50-year concession to operate all six of the Airports Authority of India-operated airports put up for auction: Lucknow, Jaipur, Guwahati, Ahmedabad, Trivandrum, and Mangaluru. The company also obtained a controlling stake in Chhatrapati Shivaji Maharaj International Airport, Mumbai, from GVK Airports. Moreover, the Adani Group is now set to construct the Navi Mumbai International Airport. The group is now eyeing Indian Railways, having already established an alarming monopoly in green energy and seaports. While airports are natural monopolies, one private company controlling more than 8 important airports is not good news for airlines.

India has established antitrust laws to promote competition. For 40 years, India followed the Monopolies and Restrictive Trade Practices Act 1969 (MRTP). This act was based on the principles of import substitution and a command-and-control economy. However, over time several amendments had to be made to the act. In 2002, India approved a new comprehensive competition law, the Competition Act 2002. The act focuses on regulating business practices in order to prevent practices having an appreciable adverse effect on competition (AAEC) in India. It primarily regulates three types of conduct: anti-competitive agreements (vertical and horizontal agreements), abuse of a dominant position, and combinations such as mergers and acquisitions. The act lists the cartel agreements it intends to prevent: price-fixing agreements, agreements between competitors seeking to limit or control production, market-sharing agreements between competitors and bid-rigging agreements. These agreements are called “cartel” arrangements.

The Competition Act is enforced by the Competition Commission of India (CCI), which is exclusively responsible for the administration and enforcement of the Act. It comprises a team of 2 to 6 people appointed by the Government of India. The CCI has previously handled high-profile cases. In 2018, the CCI imposed a fine of Rs 135.86 crore on Google on the grounds that Google misused its dominant position and powers to create a search bias. In another important case, the CCI ordered a probe into Idea, Vodafone and Airtel when Reliance Jio owner Mukesh Ambani lodged a complaint against the three for forming a cartel and denying Jio the points of interconnection (POI) required for network connection, causing multiple call failures. The Cellular Operators Association of India was also probed for encouraging the same.

In some cases, the Competition Commission has been successful in tackling activities that work against a free competitive market. However, critics and economists believe that the act is now unable to adapt to the changing business environment in e-commerce, telecom and technology, and to the government’s role in distorting competition. Demonetization and GST drove the formalization of the economy. One consequence was that bigger, better organized players gained at the cost of smaller ones with fewer resources. The Insolvency and Bankruptcy Code (IBC) was designed to solve the problem of non-performing assets (NPAs) of banks. But as a consequence, it has also led to consolidation in many sectors.

However, the CCI has expressed an inability to consistently adjudicate punitive measures due to obligations in several cases. This points to loopholes in the very provisions of the Competition Act 2002. In an Economic and Political Weekly (EPW) article, Aditya Bhattacharjea, an economist, argues that even though the 2002 Act is an improvement on the extremely restrictive MRTP Act, the present act remains riddled with loopholes and ambiguities. According to Bhattacharjea, this creates unnecessary legal uncertainty, which works to the advantage of lawyers and law firms. For instance, the act allows the CCI to leave some scope for flexibility for “relative advantage, by way of contribution to the economic development.” Bhattacharjea argues that this may allow large firms to justify their anti-competitive practices in the name of development.

Mark Zuckerberg and Mukesh Ambani in an online interaction after Facebook invested in Jio Platforms | Source: NDTV

Data portability plays a significant role in determining the market power of certain firms. In 2017, the CCI closed cases against both WhatsApp and Jio involving allegations of predatory pricing and privacy violations. In both decisions, the regulator did not treat restrictions around data portability as a competitive advantage. One possible data-leveraging advantage for attempted monopolization is the ‘portfolio effect’. The portfolio effect refers to increasing the range of brands by bundling telecom or messaging services with other service offerings, or through illegal vertical restraints and even predatory pricing. This in turn may enable further leveraging, deter innovation and degrade quality. Another possible advantage is explained by the theory of leveraging. The classic example of leveraging is Microsoft entering the media-player market by extending its quasi-monopoly in the operating systems market, taking advantage of indirect network effects. In the case of Facebook acquiring 10% of Jio’s shares, the concern is that both entities could use WhatsApp’s market dominance in telecom and social networking services to establish dominance in the e-commerce market through anticompetitive acts.

There was a consensus among Indian policymakers at the time of the 1991 economic reforms that economic liberalization would eliminate the nexus between business elites and policymakers. On the contrary, the relationship between these two groups was further strengthened.

On the other hand, some critics and industrialists argue that extreme restrictions on growing companies hamper the progressive growth of the national economy. While RIL’s Jio looks like a cause for concern, the company has also generated annual savings of Rs 60,000 crore in India. In addition, the entry of Jio into the telecom industry has led to a rise in data consumption and improved the accessibility and affordability of the internet across the nation.

However, the concern still lingers, as the question of whether this growth is a result of actual innovation or crony capitalism remains unresolved.

Nevertheless, the fact that telecom, organized retail, ports and airports each have two or three players controlling the bulk of the sector needs to be addressed. Healthy competition is essential for long-term growth and innovation. Harmful trade practices and cartelization affect not only small manufacturers but also the general public.

The government, the CCI and other lawmakers must closely examine the present laws and provisions and determine whether the act needs to be amended.
