[Editor’s Note: Independent security consultant Christopher Budd worked previously in Microsoft’s Security Response Center for 10 years.]
“Now witness the firepower of this fully armed and operational Battle Station.” – Emperor Palpatine, Return of the Jedi
Analysis: This week Microsoft took a series of dramatic steps against the recent SolarWinds supply chain attack. In the size, speed and scope of its actions, Microsoft has reminded the world that it can still muster firepower like no one else as a nearly-overwhelming force for good.
Through four steps over four days, Microsoft flexed the muscle of its legal team and its control of the Windows operating system to nearly obliterate the actions of some of the most sophisticated offensive hackers out there. In this case, the adversary is believed to be APT29, aka Cozy Bear, the group many believe to be associated with Russian intelligence, and best known for carrying out the 2016 hack against the Democratic National Committee (DNC).
While details are continuing to emerge, the SolarWinds supply chain attack is already the most significant attack in recent memory. According to SolarWinds, Microsoft, FireEye, and the Cybersecurity and Infrastructure Security Agency (CISA) the attackers compromised a server used to build updates for the SolarWinds Orion Platform, a product used for IT infrastructure management. The attackers used this compromised build server to insert backdoor malware into the product (called Solorigate by Microsoft or SUNBURST by FireEye).
According to SolarWinds, this malware was present as a Trojan horse in updates from March through June 2020. This means any customers who downloaded the Trojaned updates also got the malware. While not all customers who got the malware have seen it used for attacks, it has been leveraged for broader attacks against the networks of some strategically critical and sensitive organizations.
Those attacked include FireEye, the US Treasury Department, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Health’s National Institutes of Health (NIH), the Cybersecurity and Infrastructure Agency (CISA), the Department of Homeland Security (DHS), and the US Department of State.
Everyone who has worked on this case directly has spoken to the sophisticated nature of the attack. The breadth, strategic importance and security expertise of the victims bear this out. While nearly every attack is called “sophisticated” by victims who try and shield themselves from criticism, the security community is nearly unanimous in its verdict that the term is merited in this case.
The speed, scope and scale of Microsoft’s response were unprecedented. Specifically, Microsoft did four things over the course of four days that effectively undid the work of the attackers.
1) On Dec. 13, the day this became public, Microsoft announced that it removed the digital certificates that the Trojaned files used. These digital certificates allowed Microsoft Windows systems to believe that those compromised files were trustworthy. In this single act, Microsoft literally overnight told all Windows systems to stop trusting those compromised files which could stop them from being used.
2) That same day, Microsoft announced that it was updating Microsoft Windows Defender, the antimalware capability built into Windows, to detect and alert if it found the Trojaned file on the system.
3) Next, on Tuesday, Dec. 15, Microsoft and others moved to “sinkhole” one of the domains that the malware uses for command and control (C2): avsvmcloud[.]com. SInkholing is a legal and technical tactic to deprive attackers of control over malware. In Sinkholing, an organization like Microsoft goes to court to wrest control of a domain being used for malicious purposes away from its current holder, the attacker.
When successful, the organization can then use its ownership of that domain to sever the attacker’s control over the malware and the systems the malware controls. Sinkholed domains can also be used to help identify compromised systems: when the malware reaches out to the sinkholed domain for instructions, the new owners can identify those systems and attempt to locate and warn the owners. Sinkholing is a tactic that was first used in big attacks in the 2008-2009 battle against Conficker and has been a standard tactic in Microsoft’s toolkit for years, including most recently against TrickBot.
4) Finally, today, Wednesday, Dec. 16, Microsoft basically changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine,” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it. This action is important, too, because it gives other security companies license now to follow suit with this drastic step: Microsoft’s size and leadership of its platform give cover to other security companies that they wouldn’t otherwise have.
Taken together, these steps amount to Microsoft first neutralizing and then killing the malware while wresting control over the malware’s infrastructure from the attackers. By the end of this week, the attackers will be left with barely a fraction of the systems under their control.
They may still have access to compromised networks through other means: that’s what incident responders are likely working on now. And there’s no undoing whatever they did while the infiltration went unnoticed for months. But still, these actions together come as close to obliterating an attack as we’ve seen, which is all the more notable because of the likely attackers.
In the end, this all reminds us how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world nearly overnight if it wants to. And when it chooses to train that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast.
Fortunately these days, Microsoft is sparing in its use of its power. But as I’ve noted before, we should never mistake Microsoft’s gentleness for weakness.
And anyway, what’s the point in having a Death Star if you don’t get to use it (for good) sometimes?