Unanswered Questions from the SolarWinds (Sunburst) breach
There is a good chance that the SolarWinds supply-chain breach (Sunburst), will be the biggest cybersecurity story of 2020. The fact that the FireEye cybersecurity firm was hacked is especially concerning, and not just because of the tools, intellectual property, or sensitive information that may have been stolen.
FireEye specializes in helping other organizations respond to cybersecurity incidents. They would be considered a hardened target. One would assume that they have a strong security posture, comprehensive monitoring, and actively hunt for threats in their environment.
An attacker is taking a brazen risk in targeting FireEye and stealing their tools because even if they succeed, FireEye is probably going to be alerted, investigate the incident, and uncover the campaign, and that’s exactly what happened. So, what were the attackers thinking?
Maybe they didn’t know it was FireEye? Sunburst was a highly sophisticated supply-chain attack requiring significant resources and operational secrecy, and was already running for six to nine months, since Spring 2020. Attackers with this level of sophistication did their homework and knew the target.
Or maybe it was a rookie mistake? Sunburst was a team effort requiring manual hacking by experienced operators. While it’s possible that someone deviated from the hacking playbook, it’s low probability given the organizational cohesion that was demonstrated over those six to nine months.
Was it a calculated risk? FireEye is a hardened target. Attackers knew this would be noisy and would possibly alert FireEye.
Let’s say it was a calculated risk. If so, why did they take the risk? Maybe they had already achieved most of their objectives. After establishing persistent access and cataloging all the assets in an organization, at some point, attackers need to exfiltrate the data. A campaign of this size and scale is going to be noticed eventually. Perhaps they saved FireEye for last after they had already pillaged the other organizations.
However, the timing of the breach disclosure still bothers me. Was this campaign an espionage campaign or something more insidious, perhaps a disruption and influence campaign made to look like espionage? After all, the elections are now over. If the elections were the primary mission, it would make sense for the attackers to pull out now and take whatever spoils they could with them.