Research Group on 'Russia in an Era of Great Power Competition' FY2021 － #1
"Research Reports" are compiled by participants in research groups set up at the Japan Institute of International Affairs, and are designed to disseminate, in a timely fashion, the content of presentations made at research group meetings or analyses of current affairs. The "Research Reports" represent their authors' views. In addition to these "Research Reports", individual research groups will publish "Research Bulletins" covering the full range of the group's research themes.
On April 13, 2021, US President Joe Biden held a telephone conversation with Russian President Vladimir Putin to discuss several issues that are hindering US-Russia relations. Two days later, the White House announced economic sanctions and other retaliatory measures, saying that these would impose costs for Russia's harmful activities. This statement gave a relatively detailed description of a cyberattack using SolarWinds products that surfaced in December 2020. On April 15, 2021, the same day that the retaliatory measures were announced, US and UK intelligence agencies officially designated Russia's Foreign Intelligence Service (SVR) the responsible party for the first time.1 This article discusses some of the cybersecurity issues in US-Russia relations, focusing on the issues surrounding SolarWinds products, and uses part of my manuscript written in February 2021 for a report by the Japan Institute of International Affairs' Russian Study Group, with some additions made based on developments in April and May.2
SolarWinds Cyberattack Revealed
On December 8, 2020, security firm FireEye's Kevin Mandia announced that it was teaming up with the US government and Microsoft to conduct an investigation involving a number of US agencies after detecting breaches and discovering cyberattacks employing the highest levels of state capabilities against these agencies. In a December 13 update, FireEye noted that a piece of malware (a virus or other malicious program) it called SUNBURST had spread across many systems around the world in the form of updates to SolarWinds' widely-used Orion Platform network management software, creating backdoors and carefully stealing information.3
Trend Micro reported that, as of December 16, 53% of the cases in which SUNBURST had been detected were in the United States, 9% in Canada, 7% in Argentina, 6% in the United Kingdom, 4% in Australia, and a limited number of cases in Japan.4 The Treasury, Commerce, Defense, Homeland Security, State, Justice and Energy departments as well as other US government agencies were reportedly on the list of organizations harmed.5 Several email accounts were reported to have been compromised, but these departments and agencies have not said how much confidential information that should never be accessible by outside parties had been compromised.
Subsequent research by SolarWinds found that there had been unauthorized access in September 2019 and that the SUNBURST malware had begun spreading in March 2020, possibly affecting about 18,000 update file downloads. Information may have been stolen without anyone knowing for up to nine months.
The salient feature of this case is that it was very difficult to find the problem because the malware was skillfully exploiting a very advantageous position. As a backdoor built into the Orion Platform, SUNBURST was in a position to operate unnoticed. Typically, malware that has caused damage is analyzed by security companies and its signature widely distributed. Anti-malware software updates its malware signature list, and any software that matches the new list is considered malware and removed from the system. If unknown malware exploits an unknown vulnerability called "zero-day", security software with Endpoint Detection and Response (EDR) capabilities can monitor data flow, detect suspicious mass transmissions or suspicious access to special data, and help identify the presence of malware. However, because SUNBURST lurked inside the genuine digitally-signed Orion Platform updates and collected information amidst widespread network surveillance activities known to be performed by the legitimate Orion, it was very difficult to determine that Orion was acting suspiciously. In addition, SUNBURST disabled many of the terminal security tools.
As such, SUNBURST is a sophisticated attack that has been developed and operated much more ingeniously than conventional means, and Microsoft president Brad Smith estimates that this is the most widespread and sophisticated attack in history, requiring more than 1,000 engineers.6
Such sophisticated cyberattack groups are called Advanced Persistent Threats (APT). A significant amount of organizational power is required to identify unknown vulnerabilities, develop methods to exploit them, and implement these methods carefully to avoid exposure. Cybercrime is also becoming more sophisticated, but the profit motive that drives criminals affords victims a relatively good number of opportunities to recognize the harm being done. Many APTs, on the other hand, are considered to be government-directed because they continue to act in ways designed to avoid exposure and with motives consistent with particular national interests. Key APTs include organizations believed to belong to the governments of Iran, China, North Korea, Russia and Vietnam.
In fact, SUNBURST remained undetected and widely infiltrated systems for up to nine months, stealing information from a small number of specific organizations--this means that considerable technical capabilities have been dedicated to creating the malware, and that the attack was at a much higher level than those carried out by ordinary cybercrime groups. Reports early on suggested that SUNBURST was the work of APT 29 (or "Cozy Bear"), belonging to Russia's Foreign Intelligence Service (SVR). Security expert Dmitri Alperovitch says circumstantial evidence suggests that it comes from SVR, and that the group is focused more on espionage than sabotage.7
Issues surrounding US retaliation
As soon as the SolarWinds case became widely known in December 2020, media reports pointed to the Russian government as the culprit, but it took time for US government agencies to officially name the Russian government.
Among senior US officials' comments shortly after the incident became public, US Secretary of State Mike Pompeo described it as an attack by Russia, while President Donald Trump tweeted that it could also have been carried out by China. According to a joint statement issued by the US intelligence community on January 5, 2021, up to 18,000 organizations may have been affected but real espionage actiities took place in only a very small number of organizations, and that the investigation was still ongoing; the statement went no further in identifying the perpetrator than stating that it was an APT, possibly of Russian origin.8
In the United States, the issue of retaliation against Russia has become a hot topic but espionage and cyberspace pose inherently difficult challenges. The classic retaliation for espionage of expelling suspected agents does not appear to be an effective counterattack that weakens their ability to conduct cyberespionage. If similar cyberespionage is to be taken against Russia in retaliation, then one would expect it to be underway already, and the US government would not necessarily disclose this response to prove its retaliation. In such an instance, the public impression would be that the current US administration has been hit by a cyberattack but not struck back.
Furthermore, engaging in cybersabotage that causes visible damage is an obvious option for retaliation, but this represents an escalation from espionage to sabotage, and one would need to be prepared for an escalated counterattack. Because the United States has innumerable vulnerabilities in cyberspace subject to counterattacks that could inflect significant damage on American society, retaliating with an acceptance of that risk is considered very difficult. For example, the Obama administration repeatedly considered the possibility of retaliation but ultimately refrained.9
However, as Russia's cyberattacks on the United States grow in sophistication and continue, there are growing calls for some form of retaliation. James Lewis, director of the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS), suggests devising a retaliatory strategy that imposes costs. For example, the Russian government would feel the cost if exposure of corruption in Russia steered people's dissatisfaction toward their government.10
This example, however, has some difficulties in practice. If it is not known who exposed the corruption, it would be hard to see the US as having successfully retaliated against Russia. On the other hand, even if the source of the disclosures remains unknown, the Kremlin could regard the move as a serious attack by the United States, since those revealing the corruption would in some way be connected and supported by people in North America and Western Europe. Russia's stance on security in the information space, as apparent in the Information Security Doctrine of the Russian Federation, has long embraced the idea of taking measures to stop the US from attacking vulnerabilities in Russian society to bring about political destablization. For example, Russia's alleged efforts to divulge internal information and amplify antagonism through the misuse of social media during the 2016 presidential election can be interpreted as a painful and dissuasive form of retaliation or, in the broader sense, of deterrence, based on the perception that the United States first conducted operations against Russia and Ukraine. If an incident occurs that disrupts Russia's information space and impacts the country politically and socially, the perception and discourse that the United States is attacking Russia will intensify, possibly leading to a new type of attack seemingly launched by Russia. If that happens, the US will face the difficult question of whether to adopt a posture of striking further blows to Russia or take steps to control the level of escalation.
Indeed, the Biden administration's retaliatory measures announced on April 15, 2021 may have been based on such considerations. The White House statement officially named APT 29 belonging to the Russian SVR as the party responsible for the SolarWinds incident, described the case in detail and sent a message that the US takes issue with the attack. The statement highlighted a number of problems, including illegal information dissemination during the 2020 US presidential election; attacks and pressure on Ukraine including the occupation of Crimea; instigation of the Taliban in Afghanistan; and cyberespionage through SolarWinds software. Countermeasures to these included economic sanctions against targeted companies by the Treasury Department, the expulsion of 10 Russian diplomats, and stronger cybersecurity cooperation with allies.11
Some say that the US has been cautious in implementing such retaliatory measures.12 In fact, while it will impose economic sanctions on some tech companies working with the Russian government, it does not seem intent on causing any major damage to the SVR's core elements. In light of the problems described above, the US may have intentionally limited its retaliation in cybersecurity issues to methods and degrees that enable better escalation control. Another possible motive is that the US regards China as a much greater long-term challenge for the United States and thus seeks to maintain a stable even if low-level relationship with Russia. The Biden administration in an April statement said it hoped for a stable relationship with Russia, held a bilateral talk at the Arctic Council foreign ministers' meeting in May, and has scheduled a summit for June. Both the United States and Russia will continue both such efforts to stabilize the situation and their unstoppable rivalry in cyberspace for some time.
*This is an Ensligh translation of the original Japanese version published on June 8, 2021.