By John P. Desmond, AI Trends Editor
The massive attack on US government agencies and US businesses that is a suspected Russian espionage operation was a nation-state attack compounded by the trend of augmenting human intelligence with AI, according to experts.
The attack surfaced in December when security experts discovered hackers had inserted a backdoor into software from SolarWinds called Orion, which was used to update software widely across the federal government and a number of Fortune 500 companies.
Perhaps unfairly, SolarWinds was originally considered to be the hackers’ main avenue of attack. However, close to a third of the victims were later found not to run the SolarWinds software, according to a recent account in The Wall Street Journal.
The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” stated Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, adding, “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”
Similar conclusions have been reached by corporate investigators. The computer security company Malwarebytes has said that a number of its Microsoft cloud email accounts were compromised by the same attackers who pulled off the SolarWinds hack, using that the company called “another attack vector.” The company does not use SolarWinds software.
SolarWinds itself is investigating whether Microsoft cloud was the initial entry point of hackers into its network, one of several theories being pursued, according to a person familiar with the SolarWinds investigation.
John Lambert, the manager of Microsoft’s Threat Intelligence Center, stated, “This is certainly one of the most sophisticated actors that we have ever tracked in terms of their approach, their discipline and range of techniques that they have.”
SolarWinds has said that it first traced activity from the hackers to September 2019, and that the attack gave the intruders a back door into up to 18,000 SolarWinds customers.
The departments of Treasury, Justice, Commerce, State, Homeland Security, Labor and Energy all suffered breaches.
From the point of view of the government, “We continue to maintain that this is an espionage campaign designed for long-term intelligence collection,” stated Wales of CISA. “That said, when you compromise an agency’s authentication infrastructure, there is a lot of damage you could do.”
Microsoft’s Smith Sees Attack Likely Compounded by Use of AI
Brad Smith, President of Microsoft, said in a blog post published on Dec. 17, “The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.” Investigations are continuing into the attack, which he said is ongoing, and “is remarkable for its scope, sophistication, and impact.”
He said more than 40 Microsoft business customers were targeted, 80% of them in the US but also in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the UAE in the Middle East.
The attack was not “espionage as usual,” Smith stated. He added, ominously, “These types of sophisticated nation-state attacks are increasingly being compounded by another technology trend, which is the opportunity to augment human capabilities with artificial intelligence (AI). One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps. We should all assume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat landscape.”
He cited a second evolving threat, the growing privatization of cybersecurity attacks through a new general of private companies he calls “private sector offensive actors” (PSOAs).
“This is not an acronym that will make the world a better place,” Smith stated. As an example, he cited NSO Group, an Israeli-based software company now involved in US litigation, accused of violating US anti-hacking laws due to its technique of installing itself on mobile devices without permission of the user. The software company WhatsApp filed the suit, which maintains that Pegasus accessed more than 1,400 mobile devices.
Other companies are rumored to be joining the PSOA market in what Smith said has become a new $12 billion global technology market. “This represents a growing option for nation-states to either build or buy the tools needed for sophisticated cyberattacks,” Smith stated, adding, “An industry segment that aids offensive cyberattacks spells bad news on two fronts. First, it adds even more capability to the leading nation-state attackers, and second, it generates cyberattack proliferation to other governments that have the money but not the people to create their own weapons. In short, it adds another significant element to the cybersecurity threat landscape.”
CISA Pursuing Attack Repercussions
Meanwhile, the CISA is pursuing the repercussions of the massive hack. “An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain,” CISA states on its website dedicated to information on the attack.
Following a Presidential policy direction, the FBI and the Office of the Director of National Intelligence have formed a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response.
CISA guidance to federal agencies that ran the SolarWinds software is to run forensic analysis and harden platforms still running the Orion software. In a directive issued on Dec. 13, “CISA determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action.”
FireEye, the security software company that revealed the theft of some 300 of its proprietary cybersecurity tools five days before SolarWinds announced it had been hacked, posted countermeasures in its GitHub repository.