President Trump Highlights Potential for Chinese Involvement in SolarWinds Orion Cyber Intrusion

Posted originally on The Conservative tree house on December 19, 2020 by Sundance

Why would any foreign actor go through all the trouble to rob a bank and yet take nothing?…

This is the metaphor for U.S. officials noticing the backdoor to our national cyber-network was found wide open, and yet not a single organization attached to the SolarWind’s Orion network points to any negative impact other than the existence itself of the originating malware. It just doesn’t add up.

Keep in mind… this “malware” has been in place since May and only recently identified.

DNI John Ratcliffe announced there was “foreign interference” in the election, and while citing Russia, China and Iran the DNI said the report on election security would be delayed. Secretary of State Mike Pompeo points to Russia as the source of the SolarWinds’ intrusion; but there is no specific evidence outlined. Today, following a briefing on the issues President Trump noted it could be Russia, but it could also be China.

There seems to be a coordinated effort to blame Russia by government officials and a host of media groups.  Russia is a favored scapegoat, and given how the media falsely blamed Russia for 2016 election interference/collusion, corporate media carry a self-interest in perpetrating that narrative.

Any suggestion it was *not* Russia is then used to weaponize a Russia-apologist narrative. However, considering most of our institutions have a financial relationship with China, the self-serving hypocrisy of China-apologists carries a particularly deafening tone.

Accepting that no-one really knows, yet, who originated this intrusion, here is a Big Picture notation from the Rebel Alliance:

Due to the widespread use of SolarWinds and the length of time the SolarWinds vulnerability was possibly exploited, this attack could be the full-on equivalent of Pearl Harbor, except in a global scale.

In defending networks, very good cyber defense teams (eg, as with large financial firms and some portions of the US gov), have a good chance of success, primarily through use of extensive measures aimed at prevention and/or early detection.

But, when an attacker gets inside a network for an extended period of time, they typically focus first on becoming “rooted” (ie, they implement numerous alternate backdoors and cleverly hide malware throughout the network such that attacker access may be restored even after detection and cleanup).

Once rooted, an attacker is often extremely difficult to fully remove from the victim’s network, even if the victim completely replaces all hardware and rebuilds his entire network from scratch.

Most less capable victims, and there were potentially hundreds or thousand of direct and indirect victims in this attack, do not even have the capability to rebuild their networks and, hence, have little hope of ever completely eliminating the attacker.

Attackers are not solely interested in removing information in bulk. When large amounts of information are unexpectedly seen leaving a network, this often flags an attack in progress. So, slower and more careful movement through the network is typically seen by highly skilled attackers.

Attacker motivations are highly varied. In government networks, the attacker may wish to spy to learn about foreign agents, for example.

In a commercial network, there are many opportunities for financial gain (eg, knowledge of pending business deals). Some attackers may also wish to implement a longer term ability to physically or logically destroy the victim’s network.

Restoring a destroyed network in a large enterprise is amazingly complex. Many organizations, even those having backup data, could not do it. Even if skilled enough to rebuild, the lost time can potentially destroy the enterprise. If hundreds of firms were destroyed simultaneously, the economic impact could be crippling.

America must now confront the reality that most of its corporate network infrastructure could be entirely at the mercy of a foreign power AND that this situation is unlikely to be reversed anytime soon. This is a blow potentially as powerfully impactful as Covid-19.

I am NOT convinced this attack was perpetrated by Russia, as is being preliminarily alleged, due to the difficulty of reliable attribution. Hardly any evidence has been provided and attribution is notoriously difficult.

The evidence should be collected, the extent of the attack [in terms of the actual versus potential] use of the SolarWinds backdoor to invade Gov networks and US corporations should be determined. It must also be assessed whether the SolarWinds attack facilitated interference in the election.

Critically, it must be determined whether “nuclear worms”, capable of physical or logical network destruction, were implanted anywhere and which are now silently waiting for a signal to activate.

(Personally, if I were an IT manager, I’d be VERY worried for the safety of my Active Directory right now, since sabotage of AD is relatively easy and recovery can be extremely difficult and sometimes impossible, depending on the implementation.)

If this attack is limited to just gov networks and does not include major corporations, the election, or nuclear worms, the gov networks should be cleaned up and an appropriate response delivered to the attacker via our Cyber Defense force.

If the attack included the gov networks and election, interference, the same gov network cleanup is needed. However, the response must be more severe, and I would think should include some level of physical destruction.

If, however, the attack spread additionally to most of the Fortune 500 networks and/or includes nuclear worms, a massive gov initiative to facilitate a cleanup of corporate systems is needed.

After the initial triage, activation of plans for a kinetic response to such an attack must be considered. Eg, if the attack was attributed to China, we must respond forcefully and the response must fully respond to Chinese perceptions of US psychology. So, if China perceives the US a paper tiger, the appropriate response my be to take control of the Three Gorges Dam and open its valves.

In my view, this attack *requires* a FORCEFUL response, not necessarily limited to a cyber delivered response. The attacker must pay a high price based upon scope and severity. To do nothing projects unacceptable weakness. And the thought that US corporate infrastructure might be taken out at will, possibly through nuclear worms, possibly through more direct individualized attacks, is just unacceptable.

Regardless of the response, this attack should be taken as a wakeup call to the country. The risk of a destructive attack could be far higher than previously acknowledged.

I hope this summary is helpful to you in helping others understand the significance of this.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.