Nation-State Cyberattacks: SolarWinds, Microsoft Just the Beginning

There's likely another massive nation-state attack taking place undetected right now.

Edward Gately, Senior News Editor

March 12, 2021


As SolarWinds and Microsoft continue dealing with massive nation-state cyberattacks, there’s no doubt another big one is taking place right now that nobody knows about.

That’s according to Eric Bednash, RackTop Systems’ CEO. He sees a rise in nation-state cyberattacks destabilizing the United States. He points to SolarWinds and Microsoft as recent examples, and says there will be more nation-state cyberattacks in the name of destabilizing U.S. democracy.

The National Security Agency (NSA) recruited Bednash as a white-hat hacker after 9/11. Later, he co-founded RackTop to defend against nation-state cyberattack scenarios.

In a Q&A with Channel Futures, Bednash talks about the growing threat of nation-state cyberattacks.

Channel Futures: How are nation-state cyberattacks like SolarWinds and Microsoft destabilizing the U.S.?

Eric Bednash: When you get a supply-chain attack like SolarWinds, it starts to erode the trust that you have in these products to run these systems and serve customers, or move money or anything like that. And then as soon as you lose trust, then you have fear. Then fear leads to irrational behavior and knee-jerk decision making. And the next thing you know, it’s like this whole system starts to break down, and you can have this big destabilizing effect and it’s like dominoes.


The most tangible non-IT related event to reference is the pandemic. That had a massive impact on our economy, so you just apply that and think about a critical system, like Microsoft’s email systems. There are millions of people that rely on that to provide services and even the government to other people and other citizens. And the minute that starts to break down, that trust starts to break down. That’s when things start to fall apart. And that’s really what I think the bigger issue is with some of these more critical attacks like SolarWinds. The effects are much deeper than just putting out a patch and affecting a small number of people.

CF: Why are nation-states increasingly carrying out these attacks? And how are these nation-state cyberattacks succeeding?

EB: Motives are going to vary across the board. If you look at nation-states, this really comes down to resources — so people, money and time. These are well-funded organizations with highly skilled people with time on their hands and a strategic, specific objective. And those objectives vary. So the objective could be anything from, as we saw a couple of years ago, interference in an election. It could be to interrupt commerce. It could be to obtain information. So, really, the motives are going to vary across the board.

And then how are they succeeding? It really comes down to — they have the means to succeed. I think that’s the real difference between some random person who learns about an exploit or vulnerability and then uses some tool to hack into somebody’s system. There’s a big difference between that and a nation-state attack, which is applying resources, people and time to achieve a strategic, specific objective, whatever that may be, and then executing on that. I think those are the ones like SolarWinds and others. Those are the ones that hurt the most. And you have the deepest impact to our economy or to our government.

CF: What sort of continued fallout/damage are you anticipating from the Microsoft nation-state cyberattack?

EB: The continued fallout is you’re not really going to know how much information was stolen or taken depending on the type of attack it was. And I think with Microsoft, you had this sort of quick follow-up. So everybody was dealing with that. Then there were some zero-days announced and then you had some follow-on attacks. So you have other organizations or other nation-states taking advantage of information that was put out there. And then now you’re dealing with individuals trying to catch up with that to patch their systems. We just had another one that affected not Office 365, but on-premises Exchange servers, unpatched Exchange servers.

Overall, we’re going to continually be picking up the pieces over and over again. There’s also a heightened sense of, there are vulnerabilities exposed, so more people are going to start to go after that, those who are interested in utilizing those to their advantage. So that’s what we’re going to be looking at for at least the short term until the next thing happens. And then we’ll start focusing on that.

CF: What aren’t organizations doing that they should be doing to better protect themselves and their customers from nation-state cyberattacks?

EB: I think this is the fundamental problem with that sort of thinking universally. We’ve focused on security as keeping people out, and that was a logical approach for a long period of time. I think that’s the No. 1 problem we have overall. And this is what organizations are not doing. They’re not thinking about the problem in the 2021 mindset or they’re not looking at it from the right perspective. They need to flip that thinking around and start to look at what it is they’re trying to protect. The bad guys are coming in, whether you want them to or not. It’s happening and it’s going to happen over and over again. So you have to stop thinking about ways to keep people out and think about what you can do to protect your most valuable assets once they’re in.

CF: Are these nation-state cyberattacks strategic in who they’re targeting? What makes a particular organization the optimum target for destabilizing the U.S.?

EB: Our global economy forces everybody to be strategic. There are always going to be constraints put around anybody who is willing to do this. So that forces people to be strategic. The motives may be different, and those motives may be driven by different time-sensitive issues. There may be a certain event that’s occurring that somebody wants to get after … like affecting the elections and things of that nature. Those are time-sensitive types of attacks. Those are extremely strategic because they have more finite bounds around them. You had the water plant in Florida that was the target of an attack. There were a lot more people in Tampa for the Super Bowl, so they’re going to attack that water supply.

Another mistake people make is, well, “no one cares about me.” Well, maybe they don’t care about you now, but they will care about you later because eventually your organization may be between them and something they want. And when you’re in that position, now you are a target. And if you’re not prepared, it’s going to be really easy to go ahead and infiltrate what you’re doing, exploit what you’re doing, and then cause damage, destabilizing the U.S. It’s really the relevance of what you’re doing relative to what those nation-states want to get after.

CF: Can we expect to see more of these nation-state cyberattacks in the coming months?

EB: Absolutely we’re going to see more. There is probably another one that we don’t even know about yet. We’ll find out about it later and we’ll find out that it happened months ago. And the impact of these types of attacks have only accelerated and have been more damaging over the last few years. You can’t believe that things are going to slow down because the data proves otherwise. So I believe that we’re definitely going to continue to see more of these because they’re also effective.

If SolarWinds said that 10 people were affected and nothing bad happened, we won’t be talking about it anymore. But it affected lots of people and the government, and we have no idea what the actual impact was. We still can’t. It’s going to be 18 months before we actually figure it out and something else is going to happen in the interim.

APT Groups Exploiting Recent Microsoft Exchange Vulnerabilities

ESET Research has discovered more than 10 different advanced persistent threat (APT) groups are exploiting the recent Microsoft Exchange vulnerabilities to compromise email servers.

ESET has identified more than 5,000 email servers affected by malicious activity related to the incident. The servers belong to organizations around the world. That includes businesses and governments, including high-profile ones. Therefore, the threat is not limited to the widely reported Hafnium group.

In early March, Microsoft released patches for Exchange Server 2013, 2016 and 2019. They fix a series of pre-authentication remote code execution (RCE) vulnerabilities. The vulnerabilities allow an attacker to take over any reachable Exchange server. Furthermore, the attacker doesn’t need to know any valid account credentials, making internet-connected Exchange servers especially vulnerable.

Matthieu Faou is a malware researcher at ESET.


“The intent is cyber-espionage, meaning that attackers are trying to steal documents about sensitive topics, intellectual property, etc., from governments and strategic private companies (defense or medical companies, for example),” he said. “So the damage is not visible at first (no ransomware or such), but it can have a long-term impact.”

It’s important to make sure critical applications, such as Exchange or Microsoft SharePoint, are not open to the internet, Faou said. He advises putting them behind a VPN only accessible to the company’s employees.

“It is likely that tens of thousands of servers were compromised,” he said. “However, it doesn’t mean that attackers will actually connect back and steal information on all those machines. They were doing mass exploitation and are probably checking who the victims are afterward to decide if they’re interesting or not.”

Sumo Logic Acquiring SOAR Software Provider

Sumo Logic is acquiring DFLabs, a provider of security orchestration, automation and response (SOAR) software.

The acquisition will extend Sumo Logic’s cloud-native SIEM to help reduce or eliminate tedious and error-prone manual tasks. SOC teams can accelerate threat detection, analysis, incident response and forensic investigations.

The acquisition should close later this year.

Greg Martin is vice president and general manager of Sumo Logic’s security business unit.

“The acquisition will not only broaden Sumo Logic’s portfolio, but also a rich joint ecosystem of customers and partners including MSPs, MDRs and VARs, to help address the challenges of development, operations and security teams from a single continuous intelligence platform,” he said.


Partners can embed Sumo Logic’s existing security solutions and a leading SOAR solution into their managed services offerings, Martin said. That will increase reliability, deliver more value and improve customer experience.

The addition of DFLabs to the Sumo Logic Continuous Intelligence Platform will give customers of varying sizes and maturities cloud-native security intelligence solutions built for digital businesses that leverage modern applications, architectures and multicloud infrastructures.

Sumo Logic customers and partners will see as much as 10 times improvement in SecOps productivity when implementing the DFLabs SOAR offerings, Martin said.

As part of Sumo Logic’s Continuous Intelligence Platform, the company will expand its security intelligence portfolio with the launch of the Sumo Logic SOAR solution. It should be available shortly after the closing of the transaction.

Sumo Logic SOAR will join the company’s Cloud SIEM offering as part of the Sumo Logic security intelligence suite of offerings including security analytics and security compliance.

“DFLabs’ partners will continue to benefit from the product they’ve been utilizing, but also gain access to a best-in-class, cloud-native security operations solution anchored by Sumo Logic Cloud SIEM to investigate and respond to threats faster while improving SecOps productivity,” Martin said.

DFLabs will fully integrate into Sumo Logic’s portfolio, brand and structure.

Snyk Closes $300 Million in New Funding

Snyk, a cloud-native application security provider, has closed a Series E financing totaling $300 million. The company has now raised $470 million to date.

Accel and Tiger Global led the funding round. This investment allows Snyk to meet global demand for the company’s security platform.

Peter McKay is Snyk’s CEO.


“Snyk started very early with the investment in the channel across Europe,” he said. “With this recent round of funding, we will be increasing our investments into the Snyk partner community, including headcount, margins and additional channel-specific incentives. [This] will be a big year for channel partners looking to be part of the intersection of massive digital transitions and cybersecurity.”

Snyk’s channel partners are critical to growing the company’s business to meet global demand for its platform, McKay said.

“As the application security market shifts left, or moving security checking earlier in the software development process, channel partners will also shift their focus to servicing the developer, DevOps, DevSecOps persona,” he said. “If they stay focused on selling legacy tools to and for security, they will also become a legacy partner.”


About the Author

Edward Gately

Senior News Editor, Channel Futures

As senior news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
