2020 has been a norm-shattering year in the physical world as well as in the cyber-verse because of two unwelcome guests: a biological virus named SARS-CoV-2, and a man-made malware named ‘Sunburst’. While much has been written about the response of the Indian government in the public domain about how it handled the biological virus, just two words are sufficient to describe its public response to the latter: dangerous ignorance.
An explanation about the malware named Sunburst is essential before we go any further.
Viruses and the internet
Modern computers are general-purpose instruction processors: they will run any program, as long as it is expressed as a sequence of instructions. Malware is a program handcrafted to bring the computer under the attacker's control and make it do whatever they want, even though the owner still physically possesses the device.
Malware that copies itself from machine to machine came to be called a computer virus, a term that has stuck in the popular imagination because of its behavioural similarity with biological viruses.
The detection and mitigation of these computer viruses is done by another set of programs, anti-virus software, which scans the machine's memory, disks and network connections for known malicious code and abnormal behaviour. Anti-virus software relies on much the same mechanisms as the malware it hunts: both try to watch and control the same resources, and both run at a higher privilege level than ordinary programs, so that each can terminate the other when it gets the chance, much as the body's immune system destroys virus-infected cells, or is itself subverted by the virus.
Networked computers are the norm nowadays, so companies invest in network monitoring solutions to keep watch over their internal networks. Defense is merely re-purposed offence: a monitoring solution holds privileges similar to anti-virus software, but across the entire internal network, and therefore has visibility into, and access to, all of a company's digital assets. One such monitoring solution is the Orion Platform, developed by SolarWinds.
Automatic updates turn virus carrier
Hackers attributed to Russia's foreign intelligence service (SVR) penetrated the build infrastructure of the Orion Platform and, starting in March 2020, planted the Sunburst malware in its updates, which were then distributed to as many as 18,000 customer networks before the intrusion was detected in December 2020.
The extent of infection was so large because modern software is distributed over the internet, and the oft-repeated rule of thumb for keeping systems safe is "enable automatic updates". That is what makes the Sunburst attack so alarming to computer security professionals: a typical enterprise deploys hundreds of software products, and almost all of them are updated automatically and continuously by their vendors over the internet.
If a state (Russia), in an espionage operation against another state (in this case the United States), can go to the extent of penetrating a software vendor and planting malware in its product, which is then distributed worldwide through the very auto-update route, what is the value of advice such as "keep the infected software updated to the latest version"?
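The limitation of signed auto-updates that the question above points at, as an added illustration that is not part of the original article: the signing key, compiler and source tree below are constructed stand-ins (an HMAC plays the vendor's release-signing key so the script runs on the Python standard library alone), and the function and file names are assumptions. It contrasts an update tampered with in transit, which signature verification catches, with one poisoned inside the vendor's build pipeline before signing, which the same verification waves through; only an independent rebuild from audited source (a reproducible build) tells the two apart.

```python
import hashlib
import hmac

# Simulated vendor release-signing key (assumption). A real vendor signs
# with an asymmetric key; an HMAC stands in here so the example runs on
# the standard library alone. The point is the same: the signature proves
# that the vendor's pipeline produced the bytes, and nothing more.
VENDOR_SIGNING_KEY = b"simulated-vendor-release-key"

# Constructed stand-in for the vendor's audited source tree.
CLEAN_SOURCE = "def monitor_network():\n    poll_all_hosts()\n"
# Constructed stand-in for code injected inside the vendor's build
# environment, before the build is signed (the Sunburst pattern).
IMPLANT = "def _beacon():\n    call_attacker_infrastructure()\n"


def compile_source(source: str) -> bytes:
    """Deterministic stand-in for a compiler: same source, same bytes."""
    return b"ORION-BUILD:" + hashlib.sha256(source.encode()).digest()


def vendor_release(source: str) -> tuple[bytes, bytes]:
    """What the vendor's pipeline does: build, then sign whatever it built."""
    artifact = compile_source(source)
    signature = hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()
    return artifact, signature


def signature_valid(artifact: bytes, signature: bytes) -> bool:
    """The check an auto-updater performs before installing an update."""
    expected = hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def matches_reproducible_build(artifact: bytes, audited_source: str) -> bool:
    """Independent check: rebuild from audited source and compare the bytes."""
    return hmac.compare_digest(compile_source(audited_source), artifact)


def assess_update(artifact: bytes, signature: bytes, audited_source: str) -> dict:
    """Run both checks on one update and report each verdict separately."""
    return {
        "signature_valid": signature_valid(artifact, signature),
        "reproducible": matches_reproducible_build(artifact, audited_source),
    }


def tamper_in_transit(artifact: bytes) -> bytes:
    """Attacker flips a byte after signing, e.g. on the download path."""
    return artifact[:-1] + bytes([artifact[-1] ^ 0xFF])


def scenarios() -> dict:
    """The three cases the text contrasts, with both checks for each."""
    clean_artifact, clean_sig = vendor_release(CLEAN_SOURCE)
    # The build pipeline itself is compromised: the implant is compiled in
    # and the result is signed with the vendor's genuine key.
    poisoned_artifact, poisoned_sig = vendor_release(CLEAN_SOURCE + IMPLANT)
    return {
        "clean": assess_update(clean_artifact, clean_sig, CLEAN_SOURCE),
        "tampered_in_transit": assess_update(
            tamper_in_transit(clean_artifact), clean_sig, CLEAN_SOURCE
        ),
        "poisoned_build_pipeline": assess_update(
            poisoned_artifact, poisoned_sig, CLEAN_SOURCE
        ),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(
            f"{name:24s} signature_valid={result['signature_valid']} "
            f"reproducible={result['reproducible']}"
        )
```

The caveat for practitioners: an auto-updater's signature check only proves that the vendor's pipeline produced the bytes, which is exactly the trust Sunburst abused. Catching a poisoned release needs something the vendor's signing key cannot vouch for: a reproducible build compared against the shipped artifact, a manifest published through a channel independent of the build system, or behavioural monitoring of the updated product once it is running.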
Imagine a drug company producing a cholera vaccine that is distributed to a large number of hospitals around the world to fight the disease. Then, by serendipity, someone discovers that every batch produced in a certain period was faulty because of a manufacturing defect deliberately introduced by a third party. What would a government drug authority recommend?
The most sensible recommendation would be to stop using the manufacturer's vaccine, order an impact analysis of everyone who received the faulty doses and mitigate the adverse effects. In the same way, the most sensible recommendation from a government's cyber security body, on learning that malware is being distributed through the auto-update feature of a network monitoring product, would be to stop using the product, order an impact analysis and undertake remedial measures.
This is precisely what the US Department of Homeland Security (DHS) did, through its Cybersecurity and Infrastructure Security Agency (CISA). In Emergency Directive 21-01, it ordered all federal civilian agencies to:
● Disconnect or power down Orion products from their networks
● Treat all computers monitored by the Orion software as compromised by threat actors
● Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised
● Block all traffic to and from hosts, external to the enterprise, where any version of Orion software has been installed
Now consider the response of the Indian cyber security agencies to this incident.
1. ICERT (the Indian Computer Emergency Response Team, CERT-In) issued advisory CIAD-2020-0084, which simply repeats the advisory from SolarWinds.
2. NCIIPC (National Critical Information Infrastructure Protection Centre), the nodal agency for protecting critical infrastructure, issued an advisory to update the affected product and linked to the advisory from SolarWinds.
Reputed threat intelligence analyst Pukhraj Singh pointed out that the response shows very few operators working with NCIIPC have strategically relevant experience or understanding, since they recommend updating software through a compromised supply chain.
In a world where nation states act with a recklessness that severely undermines the trust placed in critical infrastructure, in pursuit of their own agendas, the response of ICERT and NCIIPC signals to other threat actors that even at the top tier, the Indian state needs to build greater capacity to understand the nature of these complex threats.
(Anand Venkatanarayanan researches disinformation, cyber weapons and data security and is a vocal privacy advocate.)