Spy vs Spy: Thoughts on the SolarWinds Hack

Alleged Russian-backed hack “virtually a declaration of war by Russia on the United States,” claims US Senator Dick Durbin – I always kind of shake my head a little bit when I read political quotes like this. In this post I will explain why.

I have been asked a lot about the “SolarWinds” hack, so I thought I would throw my two cents in. Whenever a “Nation State” hack is exposed, it is always met with feigned shock and outrage from government leaders. Our government agencies actively hack foreign infrastructure and agencies, and they respond in kind. It is the way it is – kind of like the old Spy vs Spy cartoon. The truth is, it has been going on forever, way before the “cyber” age – it is called “Espionage”.

Years ago, as a young IT professional working near Rochester, NY, I heard about a fascinating CIA Cold War espionage mission against the Russian embassy in DC that involved Xerox copy machines. The story about the Xerox 914 CIA “Spy Machine” was told in the January 1996 issue of Popular Science.

Basically, the Russian Embassy used a Xerox machine to photocopy sensitive information. The CIA trained a Xerox repairman to install a special spy camera unit during a maintenance call. Every time the machine made a copy, the camera took a picture of the document. The repairman would recover the camera or film on the next service call and replace it with another.

1967 patent 3,855,983, displaying miniature camera from the same creator of the Xerox Spy Cam

In reality, the art of espionage goes all the way back to ancient times; it is not anything new. The only thing that has changed is the medium. Instead of trying to train an agent, have them infiltrate a foreign agency, and gain a position of trust – something that could take years, or decades – it is now much easier to hack into an entity, targeting corporate or government leaders, in an attempt to grab all the secrets at once.

Just as espionage units would scope out physical infrastructure and critical supply chain entities in an attempt to perform acts of sabotage, the same is now done in the “ether”.

One major benefit of “cyber espionage”, other than the ability to gather large amounts of useful information with a single attack, is anonymity. When attacks are bounced through multiple countries and mimic other known attacks, it is much easier to hide the attacker’s true identity.

When I first got into cybersecurity ages ago, I performed a lot of basic malware analysis. A friend did IT support for a department in a major company that was getting repeatedly attacked. They asked me for help in finding the location of their attacker.

When I disassembled and analyzed the attacker’s code, it was hardwired to exfiltrate data to a random gaming server hosted in Texas! Did Texas declare war on this US company? Of course not! Attackers were using the hosted server as a command-and-control unit.

A lot of this was still new at the time and there was really no written-in-stone way to deal with attacks like these. I assume the friend’s company took the findings and approached the company that was being used as the “middle-man” portal for the attack.

Not being a government agency, they had no legal right to “hack back”. I never did know what happened after that, or how long it took for the company being misused to respond, but I assume they did.

Things have advanced a lot since that time, and some security companies/agencies can do a lot to research the attacker’s style and the attacking nation, but it takes time and effort.

Am I condoning what the Russian hackers (allegedly) did? Of course not! But, sadly, they hack us, we hack them, it is the way of modern cyber espionage. The only reason why this is a big deal, politically, is that they were caught with their hand in the cookie jar.
