Last week, Microsoft announced that Nobelium, the sophisticated hacking group associated with the Russian SVR and behind last year's SolarWinds attack, had engaged in phishing attacks against thousands of accounts at hundreds of government agencies and human rights organizations. Today we offer an update on our ongoing research into these attacks and share some important context, as we have all had the opportunity to learn more.
Based on our notifications to targeted customers and our close monitoring of other reports, we still do not see evidence that any significant number of organizations have been compromised at this time. Antivirus services such as Microsoft Defender Antivirus, and endpoint detection and response products such as Microsoft Defender for Endpoint, identify and protect against the malware used in this wave of attacks, and they work in combination with Microsoft Defender for Office 365. We continue to monitor the situation, but so far this is good news.
It is also worth putting last week's wave of attacks in context. Why was it important to publicize these attacks? How significant are they? And what do we think should be done?
At Microsoft, we receive more than eight trillion signals every day from our network. Our cyber experts use advanced technology and deep experience to comb through this data for signs of attacks, so that we can notify and protect our customers. We also share information about the attacks we uncover with the public, so that others in government and the private sector can take action to defend themselves against adversaries, and so that policymakers can be well informed.
Last week's phishing attacks were important to disclose because they were evidence of a new campaign by a sophisticated adversary. We observed and publicly shared Nobelium's extensive experimentation in the early stages of its campaign: experimentation consistent with Nobelium's established practice of evading detection and maintaining persistence in victim networks. We wanted the government and private sector defender community to have this technical information as soon as possible. Our disclosure has already paid dividends, as CISA, the U.S. agency most responsible for our civilian cyber defense, used our information to identify and help protect additional potential victims.
But not all attacks are the same, and therefore not all attacks require the same response. Last week's phishing attacks were a far cry from the ransomware attacks that have shut down local government agencies in the United States in recent years, disrupted health care, and, most recently, halted the flow of oil through the Colonial Pipeline.
So how should the government respond to last week's attacks? Some argue that governments have engaged in espionage against one another for millennia and will continue to do so in the Internet age. They say last week's phishing attacks were "espionage as usual" and therefore do not require any meaningful government response. Let's examine this claim, with which we largely agree, by comparing last week's phishing with last year's Nobelium SolarWinds attacks.
Some called the SolarWinds attacks "espionage as usual." We do not agree. The SolarWinds attacks can be distinguished from expected espionage in two important ways. First, the attack corrupted and abused the SolarWinds software update process. Online updates are how all vendors keep their customers safe and secure. Using a malicious update destroys that trust and puts the security of the entire digital ecosystem at risk. Second, the SolarWinds attacks were indiscriminate. Although the malicious software that opened backdoors for the attacker was installed on more than 18,000 networks, the U.S. government has found only about 100 victims where the attacker actually used those backdoors for espionage. This excessive and indiscriminate attack caused business disruption and unnecessarily imposed significant costs on 18,000 organizations and businesses. That is not "espionage as usual." Last week's phishing attacks, by contrast, were focused on espionage targets and did not corrupt a basic process essential to the security of the digital ecosystem. And due, in part, to being caught early and to good defensive technology, last week's attacks were unsuccessful.
Nonetheless, alarming nation-state attacks continue to occur. With SolarWinds, the Exchange Server attacks earlier this year, and now this phishing attack, it is clear that we need to accelerate the work of the private sector and government to address our collective cybersecurity.
First, we must work to defend better. The best defense is to move to the cloud, where the most secure technology from any cloud provider is always up to date and where the fastest security innovations are occurring. All users should also use two-factor authentication and other basic cybersecurity hygiene. The Biden Administration has taken an important step toward advancing our defenses with the recent publication of the Executive Order on Cybersecurity. This EO, which will require strong collaboration between the public and private sectors to implement fully, will significantly improve the security of government agencies and of the technology ecosystem at large. The EO reflects this administration's unprecedented commitment to cybersecurity. During the Hafnium / Exchange Server attacks earlier this year, the White House also led the formation of both an informal working group and a formal Unified Coordination Group that, for the first time, included the private sector alongside government agencies, creating a coordinated effort that resulted in only minor impacts from those attacks. We must continue to work collectively to improve our defenses.
Second, we must work to deter harmful attacks. Here too, this administration has already taken important steps. It attributed SolarWinds to the Russian intelligence agency SVR faster than the United States has ever publicly attributed a cyberattack to a foreign nation. It also imposed sanctions for this and other actions, an essential step toward deterrence. Yes, more needs to be done. The international community must define and agree on clearer rules for nation-state conduct and must communicate clear and expected consequences for violating those rules. For example, what exactly is "espionage as usual" that should be tolerated, and when is that line crossed? Progress is being made through the Paris Call for Trust and Security in Cyberspace, established in 2018, which we hope the United States will now join. Recent United Nations processes have also led to consensus reports that will support the international effort to define these rules, and the Oxford Process has convened leading global experts in international law to define how international law applies to cyberspace. All of these steps are encouraging.
Progress must continue. At Microsoft, we will continue our efforts on all of these issues and keep working with the broader private sector, with the Administration and with other interested governments to achieve that progress. Achieving stability takes time and work, but it will be time well spent.
Tags: cyberattacks, cybersecurity, malware, Nobelium, phishing, SolarWinds