Russia’s “Sunburst Gambit” — The Hack of SolarWinds, FireEye, et al.

Cyber security is a game between the aggressor and the defender. Both players play both roles at times. The game board is the systems of computers owned and operated by governments and corporations around the world. It is like a strange version of Chess. One side moves and the other makes a counter. In the game the world is just hearing about, Russia pulled off the most masterful move and the U.S. never saw it coming and has no real countermove.

In the last week, the world was made aware that the cyber security Juggernaut, FireEye, was electronically infiltrated (hacked) by the Russians. During the hack, the Russians stole FireEye’s offensive cyber weapons. Those “weapons” were used by FireEye and its clients, various government agencies among them, to hack other countries.

This news was followed by the fact that the hack was actually malware embedded in a software update from another well-respected cyber security firm, Solar Winds.

With this discovery, we have found out that the FireEye hack was likely not a targeted attack but rather a “bonus” for the Russian attackers. The true target was every SolarWinds customer, specifically the US government agencies using their product.

Upon discovery of the FireEye hack, the company decided to make public counter measures for their offensive weapons. The intention was for companies to be able to determine if they were being attacked using the FireEye weapons and hopefully mitigate those attacks.

The result of this disclosure was that every group that had been targeted by FireEye or by those using FireEye’s tools is now able to detect the tool use and develop ways to stop the attack. Meaning the US and other governments can no longer gain access to systems by use of FireEye’s tool set. This alone will set the cyber security intelligence field back several years and dramatically hurt intelligence gathering.

Regarding the SolarWinds embedded malware, which has been dubbed Sunburst by the FireEye team, the world does not yet know how the malware was added to the software update. The FBI and DHS are investigating, and it will likely be the result of an insider who was bribed or duped into adding the code. The impact of the tainted update will be felt for some time as government agencies are just now discovering they were victimized. What was stolen, deleted, or changed during the attack is unknown and will remain so for several months.