New SolarWinds consultant Alex Stamos became one of the first public figures to attribute the massive hacking campaign against SolarWinds to the Russian foreign intelligence service, or SVR.
Stamos said Thursday that the SVR—also known as APT29 or Cozy Bear—excels at covering its tracks and quietly exfiltrating information from victims so it’s not noticed. Stamos, who was Facebook’s security chief, started last month as an independent consultant at SolarWinds, working alongside ex-Cybersecurity and Infrastructure Security Agency Director Chris Krebs to assist with crisis response.
“One of the reasons that this campaign has been able to last for well over a year is because they [the SVR] are incredibly subtle about the intrusion into all these companies,” Stamos said during a conversation with SolarWinds CEO Sudhakar Ramakrishna as part of a webinar hosted by SolarWinds.
A SolarWinds spokesperson said Stamos was giving his point of view, which aligns with much of what the market is saying. SolarWinds itself, however, is not attributing the attack beyond saying that it appears to have been carried out by a highly sophisticated nation-state actor, according to the spokesperson.
The Cyber Unified Coordination Group (UCG) said Jan. 5 that a Russian Advanced Persistent Threat (APT) group is likely behind the recent cyberattack on SolarWinds for intelligence-gathering purposes. The UCG stopped short, though, of blaming a specific APT group for the hacks. New U.S. Secretary of State Antony Blinken raised the SolarWinds incident with Russian Foreign Minister Sergey Lavrov Thursday.
The SVR has long been the suspected culprit behind the SolarWinds hack, with The Washington Post first laying blame at its feet based on feedback from unnamed officials.
But Stamos Thursday became one of the first high-profile industry figures to publicly blame the SVR for the attack. The SVR typically gathers intelligence that can’t be used immediately or for destructive attacks, Stamos said.
The Russian foreign ministry on Dec. 13 described claims of its involvement in the hack as an unfounded attempt by the U.S. media to blame Russia for cyberattacks against U.S. agencies. “Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian embassy to the U.S. wrote on Facebook.
Ramakrishna said SolarWinds believes the hackers are no longer in its environment based on evidence from the company’s in-progress investigation as well as the changes and improvements SolarWinds has made. “We have done everything we are aware of to ensure that our environment is safe and secure,” Ramakrishna said.
Stamos said adversaries like the SVR have full-time research and development teams, build brand-new malware kits from scratch, and have months and months to get into an organization’s environment. Defending against an adversary that’s going to spend all day, every day thinking about how to break into a specific organization requires a different approach, Stamos said.
“The difficult truth that everybody has to accept is that if you have an organization of any complexity … and you go up against an adversary like this, you will not be able to stop them from initially getting into your network,” Stamos said. “It is effectively impossible.”
Instead, Stamos said organizations need to put themselves in the shoes of the enemy and think about what would constitute a successful campaign for an adversary against their business. This could range from stealing company data to putting something malicious in products the company ships to customers to breaking into systems and disrupting operations on behalf of a competitor, according to Stamos.
When dealing with a sophisticated adversary like the SVR, Stamos said organizations must have a tight response time. Within 12 to 24 hours of receiving an alert, Stamos said, organizations should have an analyst who is arms-deep in the evidence that’s been collected, ideally in a single central location.
“Stopping the initial intrusion and the initial execution of malicious code in your environment is impossible,” Stamos said. “That doesn’t mean you don’t want to try to make it hard. But you can’t build all of your defenses with the expectation of keeping the attackers out.”