“SolarWinds and the Holiday Bear Campaign: A Case Study for the Classroom”
Lawfare, August 25, 2021
By Robert Chesney
“Author’s Note: Have you been looking for a detailed-but-accessible case study of the Russian cyberespionage campaign that targeted SolarWinds (among others)? The following piece is adapted from my newly-released eCasebook “Cybersecurity Law, Policy, and Institutions” (v.3.1), which is available free and in full (270+ pages) in pdf format here. My aim is for this excerpt to be useful especially for teachers and students who want an account that takes the technical aspects quite seriously but is written in a way that non-technical readers can digest. ”
Southwest Parkway is a wide and winding road that leads away from Austin towards the Texas Hill Country. Along its length are neighborhoods, schools, and long stretches of open landscape. It is not where one might expect to find the epicenter of a major cybersecurity episode. But Southwest Parkways also is where one can find the unassuming headquarters of SolarWinds, a name that burst into the headlines in December 2020.
SolarWinds specializes in network-management tools—that is, software that large enterprises use to monitor and control conditions throughout their information technology environment. Its products are in widespread use around the world, including a wide array of prominent private sector entities and government agencies. Among its most successful products is a network-monitoring system called Orion. Orion is an “on premises” platform, meaning that it does not reside in the cloud (that is, on remote servers controlled by SolarWinds itself). Rather, customers upload Orion as a software package installed on their own networks and run from there. And this has consequences for the process by which Orion periodically is updated. Like any software, Orion periodically requires updates both for security purposes and to improve performance. Thus, Orion customers periodically receive and routinely install from SolarWinds software updates, much as all of us periodically accept vendor-provided updates for the operating system on our phones. In both contexts, the provider “digitally signs” the update in a way that can be verified technically, ensuring that the update really is coming from the provider. Trusting that the provider took all necessary safety precautions, and often lacking the means to conduct an independent security check in any event, most of us accept these verified updates as a matter of course. This is true for us as individuals with our phones, and it is true to some extent for many a large organization, including those using Orion.
Therein lay an extraordinary opportunity for espionage. If a would-be spy could “trojan” an Orion update—that is, if one could find a way to embed malicious code somewhere within an otherwise legitimate update—then customers by the thousands would open their virtual gates and let that code into their networks. And given the particular function of Orion—spanning across a user’s IT infrastructure—the resulting backdoors, if employed discretely enough, might then pave the way for deployment of further malware directly into those now-compromised networks. The end result could be an intelligence bonanza.
The opportunity would have been tempting for any foreign intelligence service engaged in collection against the U.S. government. And at least one such service did spot it: Russia’s Foreign Intelligence Service, better known in English as SVR (Sluzbha Vneshney Razvedki).
SVR has a well-deserved reputation for its ability to conduct espionage through cyber means. Hackers associated with SVR sometimes are referred to as “Advanced Persistent Threat 29” (APT29), under the anodyne labeling system frequently used in the information security industry as a way to track government hackers without having to expressly attribute particular campaigns or entities to the actual government involved. Others have used the label “Cozy Bear,” following the more-entertaining naming system popularized by Dmitri Alperovich and the security firm CrowdStrike. With Crowdstrike’s nomenclature, groups believed to be linked to the Russian government are named some variation of “Bear.” A group thought to be associated with Russia’s military intelligence agency (GRU), for example, are known in this system as “Fancy Bear.” And so, when a possibly new group of hackers linked to Russia emerges, a new name may follow. And in this case, when the SolarWinds story began to break in December 2020, the initial framing offered by Dmitri Alperovich was the seasonally appropriate “Holiday Bear.”
Since that time, attribution has focused firmly and reliably on SVR, but I will still refer periodically to Holiday Bear. This will remind us that analysts wrestling with attribution amidst unfolding attacks often are drawing on forensic and contextual clues that may be specific to specific groups within larger organizations.
What follows is a detailed account of the complex sequence of operations SVR conducted as part of the Holiday Bear campaign. As we shall see, exploiting SolarWinds was a central part of the campaign, but there is far more to the story than that (indeed, the intense media focus on SolarWinds has had the unfortunate effect of deflecting attention from the shortcomings of other companies and government agencies).
Step one: accessing the SolarWinds “build environment”
It is one thing to recognize that SolarWinds customers might not detect a trojaned Orion update, but quite another to compromise the update system in the first place. The task SVR first faced, accordingly, was to sort out how it could penetrate without detection the “build environment” (aka “development environment”) used by SolarWinds engineers to draft and tinker with Orion’s code. Then SVR would need to find a way to inject malicious code into an Orion “build” without detection. These were tall orders.
About the Author:
Bobby Chesney is the Charles I. Francis Professor in Law and Associate Dean for Academic Affairs at the University of Texas School of Law. He also serves as the Director of UT-Austin’s interdisciplinary research center the Robert S. Strauss Center for International Security and Law. His scholarship encompasses a wide range of issues relating to national security and the law, including detention, targeting, prosecution, covert action, and the state secrets privilege; most of it is posted here. Along with Ben Wittes and Jack Goldsmith, he is one of the co-founders of the blog.
- “Cybersecurity Law, Policy, and Institutions” (v.3.1) by Robert Chesney.