“Now witness the firepower of this fully armed and operational Battle Station.” – Emperor Palpatine, Return of the Jedi
This week, Microsoft took a series of dramatic steps against the recent attack on SolarWinds’ supply chain. In the magnitude, speed, and breadth of its actions, Microsoft has reminded the world that it can still muster firepower like no other as an almost overwhelming force for good.
Through four steps in four days, Microsoft has strained the power of its legal team and its control over the Windows operating system to almost wipe out the actions of some of the most sophisticated attacking hackers out there. In this case, the opponent is believed to be APT29, also known as Cozy Bear, the group that many believe to be associated with Russian intelligence and best known for carrying out the 2016 hack against the Democratic National Committee (DNC) .
While more and more details are emerging, the SolarWinds supply chain attack is already the most significant attack in recent memory. According to SolarWinds, Microsoft, FireEye and the Cybersecurity and Infrastructure Security Agency (CISA), the attackers compromised a server used to build updates for the SolarWinds Orion Platform, a product used for IT infrastructure management. The attackers used this compromised build server to insert backdoor malware into the product (named Solorigate from Microsoft or SUNBURST from FireEye).
According to SolarWinds, this malware was present as a Trojan in updates from March to June 2020. This means that all customers who downloaded the Trojan updates also received the malware. While not all customers who have received the malware have seen it used for attacks, it has been used for wider attacks on the networks of some strategically critical and sensitive organizations.
Including FireEye, the U.S. Treasury Department, the National Telecommunications and Information Administration (NTIA) of the U.S. Department of Commerce, the Department of Health’s National Institutes of Health (NIH), the Cybersecurity and Infrastructure Agency (CISA), the Department of Homeland Security (DHS) and the United States Department of State.
Anyone who has worked directly on this case has spoken out about the sophisticated nature of the attack. The breadth, strategic importance and safety expertise of the victims confirm this. While nearly every attack is called “sophisticated” by victims trying to protect themselves from criticism, the security community is almost unanimous that the term is appropriate in this case.
The speed, breadth and scale of Microsoft’s response were unprecedented. Specifically, Microsoft did four things over the course of four days that effectively undone the attackers’ work.
1) On December 13, the day this went public, Microsoft announced that it had removed the digital certificates that used the Trojan files. These digital certificates allowed Microsoft Windows systems to believe that those compromised files were trustworthy. In this one act, Microsoft literally told all Windows systems overnight to stop trusting those compromised files, rendering them unusable.
2) That same day, Microsoft announced that it was updating Microsoft Windows Defender, the anti-malware capability built into Windows, to detect and warn if it found the Trojan file on the system.
3) Then, on Tuesday, December 15, Microsoft and others moved to “sinkhole”, one of the domains the malware uses for command and control (C2): avsvmcloud[.]com. SInkholing is a legal and technical tactic to take control of malware from attackers. In Sinkholing, an organization like Microsoft is going to court to take control of a domain used for malicious purposes away from its current holder, the attacker.
If successful, the organization could use ownership of that domain to break the attacker’s control over the malware and the systems that the malware controls. Sinkholed domains can also be used to help identify compromised systems: When the malware contacts the sinkholed domain for instructions, the new owners can identify those systems and try to locate and alert the owners. Sinkholing is a tactic first used in major attacks in the 2008-2009 fight against Conficker and has been a standard tactic in Microsoft’s toolkit for years, including most recently against TrickBot.
4) Finally, today, Wednesday, December 16, Microsoft essentially changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine,” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it. This action is also important, as it is now licensing other security companies to follow this drastic step: Microsoft’s size and leadership on its platform provides coverage to other security companies they otherwise would not would have.
Taken together, these steps amount to Microsoft first neutralizing and then killing the malware, while the attackers take control of the malware infrastructure. By the end of this week, the attackers will have barely a fraction of the systems under their control.
They may still have access to compromised networks in other ways – that’s what incident responders are likely working on right now. And whatever they did cannot be reversed as the infiltration went unnoticed for months. Yet these actions converge as close to wiping out an attack as we’ve seen, which is all the more remarkable given the likely attackers.
Ultimately, this reminds us all how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world almost overnight if it so chooses. And when it chooses to train that power on an opponent, it really is the Death Star’s equivalent: capable of completely destroying a planet in a single explosion.
Fortunately, Microsoft uses its power sparingly these days. But as I noted before, we should never confuse Microsoft’s mildness with weakness.
And anyway, what’s the point of having a Death Star if you can’t use it (for good) sometimes?