US Government agencies and companies come to grips with a massive Russian cyberespionage campaign.
Responding to Solorigate.
Developments in satellite technology.
Space Force continues to find its place in the Department of Defense and the Intelligence Community.
Space Force works toward building a Service culture.
The SVR scores a major espionage success against the US.
On December 13th security company FireEye disclosed its discovery of a major cyberespionage campaign that centered on exploitation of the software supply chain for SolarWinds' widely used Orion network management platform. FireEye had reported on December 8th that the same intruders took its red-teaming tools, although no use of those tools has been seen in the wild.
The campaign was soon determined to extend far beyond FireEye, which deserves credit for both its vigilance and its prompt disclosure. SolarWinds soon thereafter acknowledged that it had become apprised of "a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020." This appears to be the source of the FireEye breach, which is now known not to have been confined to FireEye. The attackers inserted a backdoor into the Orion Platform's build, so that a trojanized component shipped inside a legitimately code-signed Orion update; customers who installed that update through SolarWinds' normal distribution channel installed the malware with it.
The potential risk may be very widespread: SolarWinds' customers include large corporations, government agencies, and military services. The Washington Post reports that five major US agencies—the Departments of State, Homeland Security, Commerce, and the Treasury, and the National Institutes of Health—are now known to have been affected. It's worth noting that a supply chain attack can be notoriously difficult to contain. The New York Times reports that "parts of the Pentagon" were compromised, though the extent is still unclear. A Pentagon spokesman told the Times, "The D.O.D. is aware of the reports and is currently assessing the impact."
The effects may well be international, too. The Telegraph reports that GCHQ is investigating the potential impact of the incident on the UK. The risk is complex: there is, of course, the risk that sensitive information British agencies may have shared with their US counterparts could have been compromised, or that Cozy Bear might have succeeded in executing a trans-Atlantic pivot. But the principal risk is more immediate and direct: SolarWinds' customers in the UK include the Ministry of Defence, the Cabinet Office, GCHQ, and other government organizations.
FireEye calls the backdoor "Sunburst." Microsoft's Security Response Center has a detailed account of how the malware functions; Redmond has called the complex attack "Solorigate." Both FireEye and Microsoft have upgraded their security products to include measures for detecting and protecting against the attack.
The incident isn't confined entirely to SolarWinds. CISA updated Alert (AA20-352A) to say that the SAML-abuse cyberespionage campaign (forging the tokens that federated single sign-on uses to grant access to cloud services, which the actor could do after obtaining a federation server's token-signing key) wasn't confined to SolarWinds' Orion platform: "CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform. Specifically, we are investigating incidents in which activity indicating abuse of SAML tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs."
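A forged SAML token passes ordinary signature validation, because it was signed with the real key; what gives it away is context. The script below is an added illustration, not CISA's or any vendor's code: it audits a SAML 2.0 Response for three signs of forgery that defenders can check offline, namely an unexpected issuer, an assertion signed by a certificate other than the current token-signing certificate (which is why rotating that certificate twice after a suspected theft matters), and an assertion lifetime longer than the identity provider is configured to issue. The issuer URL, the one-hour lifetime (AD FS's default) and the certificate bytes are constructed stand-ins, not real tokens or certificates.

```python
"""Audit SAML responses for signs of forged ("Golden SAML") assertions.

Added example, not the page's or any vendor's code. Assumptions (all
constructed): the issuer URL, a one-hour maximum token lifetime, and the
certificate bytes, which are placeholders rather than real DER certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MAX_LIFETIME = timedelta(hours=1)   # AD FS issues one-hour tokens by default
ISSUER = "http://adfs.corp.example/adfs/services/trust"   # hypothetical federation service


def cert_thumbprint(b64_der: str) -> str:
    """SHA-1 thumbprint, upper-case hex, as AD FS displays it for a base64 DER cert."""
    return hashlib.sha1(base64.b64decode(b64_der)).hexdigest().upper()


def _parse_time(value: str) -> datetime:
    """SAML timestamps are xs:dateTime in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_saml_response(xml_text: str, trusted_thumbprint: str,
                        expected_issuer: str = ISSUER) -> list:
    """Return anomaly strings for the assertions in a Response; [] means nothing odd."""
    findings = []
    root = ET.fromstring(xml_text)
    for assertion in root.findall("saml:Assertion", NS):
        issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
        if issuer != expected_issuer:
            findings.append(f"unexpected issuer {issuer!r}")

        # Which certificate signed this assertion? After a double rollover of the
        # token-signing certificate, anything signed by the old (stolen) key stands out.
        cert = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            findings.append("assertion carries no signing certificate")
        elif cert_thumbprint(cert.text.strip()) != trusted_thumbprint.upper():
            findings.append("assertion signed by a certificate other than the "
                            "current token-signing certificate")

        # Forged tokens are often minted with generous validity windows.
        cond = assertion.find("saml:Conditions", NS)
        if cond is not None and cond.get("NotBefore") and cond.get("NotOnOrAfter"):
            lifetime = _parse_time(cond.get("NotOnOrAfter")) - _parse_time(cond.get("NotBefore"))
            if lifetime > MAX_LIFETIME:
                findings.append(f"assertion lifetime {lifetime} exceeds {MAX_LIFETIME}")
    return findings


# ---- constructed sample data (placeholders, not real certificates or tokens) ----
LEGIT_CERT_B64 = base64.b64encode(b"stand-in DER bytes for the current token-signing cert").decode()
STOLEN_CERT_B64 = base64.b64encode(b"stand-in DER bytes for a stolen, since-rotated cert").decode()


def _sample_response(cert_b64: str, not_before: str, not_after: str, issuer: str = ISSUER) -> str:
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>globaladmin@corp.example</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>
  </saml:Assertion>
</samlp:Response>"""


GOOD_RESPONSE = _sample_response(LEGIT_CERT_B64, "2020-12-18T10:00:00Z", "2020-12-18T11:00:00Z")
FORGED_RESPONSE = _sample_response(STOLEN_CERT_B64, "2020-12-18T10:00:00Z", "2020-12-25T10:00:00Z")

if __name__ == "__main__":
    trusted = cert_thumbprint(LEGIT_CERT_B64)
    print("good  :", audit_saml_response(GOOD_RESPONSE, trusted))
    print("forged:", audit_saml_response(FORGED_RESPONSE, trusted))
```

The check is deliberately not a cryptographic one: a token forged with the genuine, still-current key verifies perfectly, so the only durable remedy is to roll the token-signing certificate (twice, so that nothing signed by the old key remains valid) and then treat any assertion that still references the old certificate, or that carries a lifetime the identity provider never issues, as evidence of a forgery.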
Russia's SVR foreign intelligence service appears to have been behind the campaign, the Wall Street Journal reports. The SVR has earned a reputation during operations against US campaigns in 2015 and 2016 for being quieter and less obtrusive than its GRU cousins. That seems to have been the case in the SolarWinds incident. FireEye has blogged that the threat actor's work was characterized by a:
"Light malware footprint: Using limited malware to accomplish the mission while avoiding detection,"
"Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity," and
"High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools."
Moscow denies having done anything, and regrets, Reuters says, the US rejection of bilateral cooperation. Such calls for international cooperation routinely accompany the Kremlin's protestations of innocence in such matters, usually (although not yet in this case) together with good-citizen expressions of a desire to see and weigh the evidence.
The New York Times' review of the Solorigate affair puts the tally of affected networks, both government and corporate, at upwards of two-hundred-fifty. The campaign is thought to have succeeded, in part, because it was staged through servers in the US at a time when NSA and US Cyber Command were focused on election security and their own penetration of hostile infrastructure. The cyberespionage is unusually troubling because the persistence it established could amount to battlespace preparation for future destructive attacks.
Microsoft last week updated its account of Solorigate, the large cyberespionage campaign generally attributed to Russia's SVR. Redmond says the threat actors gained access to several of the company's source code repositories. The intrusion is believed to have been limited to inspection of the code. Microsoft reports that it found no evidence that any code had been altered, that it's contained and remediated the infestations it found, and that the company's "assume breach" approach to security limited the damage.
Whatever the SVR has obtained from its quiet, months-long shuffle through American networks (and NBC News, with good reason, calls the SVR's operation "close to a worst case scenario") it's likely to be large and serious. Not an act of war, probably, nor the long-predicted "cyber Pearl Harbor," but more serious than most espionage operations because of the campaign's potential as battlespace preparation. An op-ed by former US Homeland Security Advisor Thomas Bossert probably has it right in saying that the breach is "hard to overestimate." Bossert's assessment is worth quoting at some length:
"The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian SVR will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call 'persistent access,' meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.
"While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.
"The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying."
Responding to Solorigate.
In response to the incident, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, which ordered Federal civilian agencies to disconnect or power down affected SolarWinds Orion instances, to preserve forensic images of the hosts, and to report back, and which outlined the immediate steps they should take to protect themselves from attacks exploiting the backdoor. The agency also warns enterprises to watch for Kerberoasting, an Active Directory technique in which any authenticated domain user requests Kerberos service tickets for accounts that carry service principal names; part of each ticket is encrypted with the service account's password hash, so the tickets can be taken offline and cracked to recover the account's password.
A joint statement yesterday from the US FBI, CISA, and ODNI says that the Government has invoked Presidential Policy Directive (PPD) 41 to establish a Cyber Unified Coordination Group to coordinate a whole-of-Government response to the Russian cyber operation that exploited SolarWinds' Orion platform. The FBI has the lead for threat response. It's investigating for purposes of attribution, pursuit, and disruption of the threat actors. It's presently doing so by engaging with "known and suspected victims." CISA, the Cybersecurity and Infrastructure Security Agency, has the lead for asset response activities. Emergency Directive 21-01 was its first step in helping contain and remediate the damage. The Office of the Director of National Intelligence is coordinating the Intelligence Community's collection and analysis of the incident.
According to KrebsOnSecurity, FireEye, Microsoft, and GoDaddy cooperated on a response to the SolarWinds compromise by establishing a killswitch to disable Sunburst backdoor instances still beaconing to their original domain. As FireEye said in a widely quoted statement, "this actor moved quickly to establish additional persistent mechanisms to access...victim networks beyond the SUNBURST backdoor," so the killswitch, while a welcome contribution, is very far from representing a thorough remediation, and the three companies understand that. BleepingComputer has a summary of what's publicly available so far. The participants have been tight-lipped about the details.
ZDNet reports that Microsoft has seized and sinkholed the domain that served as a command-and-control server for the malware used in the operation. Microsoft Defender also began blocking known malicious SolarWinds versions: the company states that it "will quarantine the binary even if the process is running."
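Neither the killswitch nor the sinkhole stops an infected host from asking for the domain; the backdoor resolves the name first and only then decides whether to go quiet. That makes DNS logs the cheapest place to find hosts that ran Sunburst, whether or not the beacon ever got an answer. The script below is an added example, not FireEye's, Microsoft's or SolarWinds' code: it scans query-log lines for avsvmcloud[.]com, the beacon domain named in FireEye's public Sunburst report, and classifies queries that fit the reported beacon shape (a generated host label under appsync-api and one of four region-style subdomains) separately from any other lookup of the domain. The log lines are constructed in a simplified BIND style, the host label in them is made up, and the entropy measure is a general DGA heuristic rather than anything published about Sunburst.

```python
"""Hunt DNS query logs for Sunburst beacons.

Added example, not the page's or any vendor's code. The domain and the four
region-style subdomains come from FireEye's public Sunburst report; the log
lines are constructed (simplified BIND style) and the host label is made up.
"""
import math
import re
from collections import Counter

SUNBURST_C2_DOMAIN = "avsvmcloud.com"
SUNBURST_REGIONS = ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")
# host label . appsync-api . region . avsvmcloud.com
DGA_QNAME = re.compile(
    r"^(?P<label>[a-z0-9]{10,})\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com$")
# constructed, simplified BIND-style query log line: "<date> <time> client <ip>#<port>: query: <qname> IN <qtype>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits per character; generated labels score higher than dictionary words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify_query(qname: str):
    """'sunburst-dga-beacon', 'sunburst-domain', or None for an unrelated name."""
    name = qname.rstrip(".").lower()
    if name != SUNBURST_C2_DOMAIN and not name.endswith("." + SUNBURST_C2_DOMAIN):
        return None
    m = DGA_QNAME.match(name)
    if m and m.group("region") in SUNBURST_REGIONS:
        return "sunburst-dga-beacon"
    return "sunburst-domain"       # any other lookup of the domain still merits a look


def hunt_dns_log(lines) -> list:
    """Return one hit dict per log line that queried the Sunburst domain."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict = classify_query(m["qname"])
        if verdict is None:
            continue
        hit = {"ts": m["ts"], "client": m["client"], "qname": m["qname"], "verdict": verdict}
        dga = DGA_QNAME.match(m["qname"].rstrip(".").lower())
        if dga:
            hit["label_entropy"] = round(shannon_entropy(dga["label"]), 2)
        hits.append(hit)
    return hits


# constructed log lines; the first host label is invented, not a real beacon
SAMPLE_LOG = """\
18-Dec-2020 09:12:01.532 client 10.20.30.40#51234: query: k5kcubuassl3alrf7gm3ihadvtz8hthr.appsync-api.us-west-2.avsvmcloud.com IN A
18-Dec-2020 09:12:02.100 client 10.20.30.41#51235: query: login.microsoftonline.com IN A
18-Dec-2020 09:12:05.774 client 10.20.30.40#51240: query: avsvmcloud.com IN A
18-Dec-2020 09:12:07.001 client 10.20.30.42#51241: query: updates.solarwinds.example IN A
""".splitlines()

if __name__ == "__main__":
    for hit in hunt_dns_log(SAMPLE_LOG):
        print(hit)
```

Every client that appears in the output ran the backdoored Orion build at some point and belongs on the list of hosts to image and rebuild; as the FireEye statement above notes, the actor moved on to other persistence quickly, so the absence of further beacons from a host says nothing about whether it is clean.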
In a security advisory, SolarWinds urges its customers to "upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible." CISA has reviewed the fixes and, in supplemental guidance to Emergency Directive 21-01, directs Federal organizations to run only Orion builds it has cleared, 2020.2.1 HF 2 at the time of writing; HF 1 alone does not satisfy the directive.
Mopping up after the SVR's cyberespionage campaign will be arduous. SecurityWeek quotes Bruce Schneier to the effect that the only way to ensure a network is secure after this kind of breach is "to burn it down to the ground and rebuild it." "It's going to take a lot of digging," a US Defense Department source told C4ISRNet, and TechCrunch is even glummer. To its headline question, "Just how bad is that hack that hit US government agencies?" TechCrunch answers in the lede as follows: "Spoiler: It's a nightmare scenario." And that indeed seems to be the consensus.
All Defense contractors should take Solorigate into account as they prepare for Cybersecurity Maturity Model Certification (CMMC). C4ISRNet describes how the Department of Defense program is shaping up. It also has an account of how some companies are approaching the challenge. Forbes sees the incident as more reason for greater involvement in security on the part of corporate boards and (especially) the boards' audit committees; ThinkAdvisor extends that advice to advisory bodies. And Lexblog offers a useful short list of immediate actions (with one caveat: the item about moving from 128-bit to 256-bit encryption has nothing to do with how this intrusion worked, which turned on a trojanized update and forged authentication tokens rather than on any weak cipher; the other items are sound):
"Mirror impacted systems to preserve forensic data for further investigation
"Deactivate the platform
"Retain the services of a firm with expertise in cyberthreat hunting to actively look for anomalies in the business' systems and networks
"Change all passwords and account credentials
"Implement multifactor authentication
"For firms currently using 128-bit encryption, upgrade to 256-bit encryption
"To the extent that the Orion Platform was part of an entity's cyber risk management strategy, alternative processes and procedures should be implemented."
Developments in satellite technology.
Space Force intends to expand its partnership with commercial satellite companies, Breaking Defense reports, adding that the 2021 NDAA expresses a Congressional desire that the Service significantly and rapidly expand its use of commercial tracking services.
According to C4ISRNet, Lockheed Martin has prepared the fifth geosynchronous Space Based Infrared System satellite (SBIRS GEO-5) for 2021 launch. Via Satellite reports that SBIRS GEO-6 should be ready to fly in 2022.
The fourth GPS-III satellite, which was carried into orbit on November 5th aboard a SpaceX Falcon 9, has achieved operational acceptance by US Space Force. C4ISRNet says that the satellite reached that goal ten days faster than any of its predecessors, a tribute to an expedited evaluation process.
C4ISRNet also reports that Space Force officially took control of the sixth and final Advanced Extremely High Frequency (AEHF) satellite in December. The 4th Space Operations Squadron has operational control of the satellite, which is integrated into the AEHF constellation, successor to the old MILSTAR system.
Space Force continues to find its place in the Department of Defense and the Intelligence Community.
President Trump has issued a National Space Policy that seeks to lend a degree of permanence to his Administration's approach to space matters.
The creation of Space Force is of course the centerpiece of the outgoing Administration's policy. Some had thought that Space Force would prove ephemeral, a readily dismissed artifact of the outgoing Administration. But that now seems unlikely in the extreme, as both TheHill and the Washington Examiner conclude. Recent organizational developments continue to solidify the new Service's place in both the Department of Defense and the Intelligence Community.
In December Space Force chief General Raymond became the eighth member of the Joint Chiefs of Staff. UPI reports that he joins the Chair, the Vice Chair, the Army Chief of Staff, the Commandant of the Marine Corps, the Chief of Naval operations, the Air Force Chief of Staff, and the Chief of the National Guard Bureau on the JCS. General Raymond characterized the move as follows: "By establishing the U.S. Space Force and having the chief of space operations become a member of the Joint Chiefs of Staff, it demonstrates that our nation recognizes the critical role Space Force plays in national security."
Another move that consolidates Space Force's position is its addition to the Intelligence Community. While details are being worked out, Space Force will become the eighteenth member of the IC, according to Federal News Network.
Space Force: a retrospective on a year of building a Service culture.
As 2020 drew to a close, Space Force took several steps toward shaping its culture. Here are a few of those steps.
Semper supra, Custodes (whatever you've decided to call yourselves, Guardians, we're with you...)
In a first step toward developing a rank structure, Space Force has decided (and C4ISRNet says the Service carefully considered suggestions from the ranks as well as from interested outsiders) on its equivalent of "Soldier," "Sailor," "Marine," and "Airman."
They'll be "Guardians." On December 18th Space Force explained its choice via Twitter:
"Today, after a yearlong process that produced hundreds of submissions and research involving space professionals and members of the general public, we can finally share with you the name by which we will be known: Guardians. The opportunity to name a force is a momentous responsibility. Guardians is a name with a long history in space operations, tracing back to the original command motto of Air Force Space Command in 1983, 'Guardians of the High Frontier.' The name Guardians connects our proud heritage and culture to the important mission we execute 24/7, protecting the people and interest of the U.S. and its allies."
The reaction of the Twitterverse was predictably mixed, the mixture as usual made worse by constraint to the character-limited zinger, the genre that shapes expression of thought in that medium. (The thoughts we quote above, for example, took the Guardians three whole Tweets to complete. They added a fourth, a zesty "Semper supra!" as a kind of hoo-wah coda to the initial thread.)
The ranks for the Guardians remain to be determined.
The most recent version of the National Defense Authorization Act gave Space Force leave to pick its own rank structure. The bill contents itself with offering some strong encouragement that Space Force consider "all the military services['] historic rank structures," Military.com reports. So, sorry, Mr. Shatner, but Congress won't require Navy ranks.
So let's review the roads not taken. We know General Raymond had long ruled out "Spaceman," which sort of struck us as both hasty and peremptory, but that hadn't excluded other good options. We confess we'd been hoping for "Spacewoman," "Spacewoman First Class," and so on (because if "Airman" why not "Airwoman?") with some occupation-based ranks like "Spaceship Rigger Second Class" introduced at the right place. For officer ranks, revive "Cornet," perhaps "Orbital Cornet," and then mix them up from air and naval inspirations: "Sky Commodore" and Robert Heinlein's "Sky Marshall" could be up near the top. General Raymond could become Sky Chief Marshall Raymond. And, following Heinlein again, they could have chosen "Trooper" as the generic name for those in the ranks. Maybe the Ferengi rank DaiMon could find a place, too?
There's also the possibility of reviving ancient or medieval ranks. "Legionnaire" is now clearly out, although we hope it might be picked up by any future Armée de l'Espace that France might choose to establish, but what could be more historic than Centurion? (Maybe an E-8, Centurions having been as much top kicks as they were company commanders.) Or moving about a millennium closer to nowadays, how about Vintener (leader of twenty longbowmen; say an O-1), Centenar (who pushed a hundred archers, obviously an O-3), or Millenar (a thousand-archer leader, perhaps an O-4 or O-5). All suitably modifiable, of course, with "Space," "Sky," or perhaps "Orbital," although that last might be too limiting for a Service whose domain is after all cislunar and beyond. We admit our preferred rank structure is unlikely in the extreme to be adopted, but if one's reach didn't exceed one's grasp, what would the heavens be for?
Well, "Guardians" it will be, but that's just a baseline, and the specific rank and rating structure remains to be filled out. We can still hope for ratings like "Solar Panel Jack" or "Able Bodied Spacewoman," right, Chief Sky Marshall? Semper supra, we say. And, Space Force? You're welcome.
Uniforms and music.
More culture is coming soon: Military.com reports, inter alia, that the Service will get a distinctive uniform sometime in 2021, and an Air Force band is working on an official Space Force song. (The official song is unlikely to be Kokomo.)
Designs that purport to show concepts for the new uniforms have been circulating through social media. The general look is vaguely 1930-ish, a bit like the uniforms sported by the New Jersey State Police. Task & Purpose reassuringly pooh-poohs the sketches as unofficial, apparently traceable to a nameless Guardian's labor-of-love on Reddit. "The uniform graphic being shared on social media is not an official U.S. Space Force uniform design concept," a Space Force spokesman told Task & Purpose, adding, "The Space Force service dress uniform is still in development."
Challenge coins are low-hanging cultural fruit...
In an unrelated note on emerging Space Force culture, Task & Purpose finds much to dislike about the new Service's challenge coin, which it derides as looking "like tokens you'd spend at Chuck E. Cheese." That seems harsh, but in truth the pictures it publishes of the coin make it look a little sparse and almost derivative, like a casual Roddenberrian knock-off, circa 1968, the sort of thing a visiting Star Fleet Admiral might give a red-shirted ensign just before Ensign Red Shirt beamed down to get the schnitz from the Gorn. Challenge coins, should you be unfamiliar with them, have become an American military custom, handed out on the spot by visiting V.I.P.s like Sky Marshals and Cislunar Millenars in a gesture of approval, appreciation, or inspiration. Our favorite challenge coin was a wooden nickel once handed out by the 3rd Armored Division's combat aviation brigade, which promised redemption in the form of "One tank destroyed or one helicopter ride." Think along those lines, Sky Chief Marshall.
(But Task & Purpose has buried the lede: the real story here is that its readers share Chuck E. Cheese as one of their cultural touchstones. Know your audience.)
...but remember, creating a culture is harder than it looks.
Look: it's easy to have fun at the expense of any new organization, especially a newly fledged military service. Service culture is tough to create, and much inherited culture comes along with the novel. We've of course enjoyed watching Space Force come up with the ranks, structures, insignia, and so on that any Service probably must have, but we'd be sorry if this affectionate observation of the youngest American Service's first steps should be misinterpreted as mockery or disrespect. Neither are intended, and we wish Space Force and all of its Guardians nothing but success, appreciation, and honor in what we hope will be the annus mirabilis of 2021. (And we're sure we're with Mr. Shatner in doing so.) Happy new year, Space Force, and above all, semper supra.
Today's edition of the CyberWire reports events affecting China, Japan, Russia, and the United States.
How Can the U.S. Rebuild After Shocking Series of Cyber Breaches (The Cipher Brief) President-Elect Joe Biden's incoming national security adviser Jake Sullivan told NPR this week that the Defense Department hasn't granted a meeting to the Biden transition team since Dec. 18. That – Sullivan tells NPR – is complicating the ability of the incoming administration of being read-in on the current administration's response to what experts are …
The Russians Have Issued a Wake Up Call (The Cipher Brief) Weeks after a massive cyber breach of U.S. government agencies and private sector companies was publicly announced, there is still not a clear response from the administration on who is responsible and what will be done about it. While the government has yet to officially name the nation-state that is believed to be behind the …
CISA Releases CISA Insights and Creates Webpage on Ongoing APT Cyber Activity(CISA) CISA is tracking a known compromise involving SolarWinds Orion products that are currently being exploited by a malicious actor. An advanced persistent threat (APT) actor is responsible for compromising the SolarWinds Orion software supply chain, as well as widespread abuse of commonly used authentication mechanisms. If left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.
Congress Fears DoD Not Prepared For NC3 Cyber Attacks(Breaking Defense) NC3 is "the last line of communication capabilities and associated equipment that we know will always be there during our worst day," explains Air Force Lt. Gen. James Dawkins, deputy CSAF for strategic deterrence and nuclear integration.
Northrop Grumman Invests in Deepwave Digital's AI(Northrop Grumman Newsroom) Northrop Grumman Corporation (NYSE: NOC) is set to begin collaborating and investing in Deepwave Digital, to support research, development and integration of artificial intelligence (AI) technologies. This...
How Northrop's tech scouting led them to this AI startup(Washington Technology) Like all defense companies, Northrop Grumman is on the hunt for technologies outside of its own industry that could be beneficial to themselves and their customers. Here's how that search led Northrop to invest some equity in a Philadelphia-based AI startup and how others can at least get on the radar.
Northrop Grumman Named Large Company of the Year by SpaceNews(Northrop Grumman Newsroom) Northrop Grumman Corporation (NYSE: NOC) is being recognized for significant contributions to the global space industry in 2020. SpaceNews has honored Northrop Grumman with the Award for Excellence & Innovation as the Large...
Raytheon Technologies secures $611.5M contract for CCSS from Air Force (NYSE:RTX) (SeekingAlpha) Raytheon Technologies (NYSE:RTX) has been awarded a ceiling of $611.5M, firm-fixed-price, cost-plus-fixed-fee, cost-reimbursable-no-fee, IDIQ contract for command and control switching systems ('CCSS'). This contract provides electronic digital telecommunications system developed for military command and control. The CCSS is the key component of the Defense Red Switch Network, enabling secure and non-secure voice and data telecommunications at multiple levels, large scale voice conferencing capabilities and is inter-operable with other secure devices. Work to be performed at multiple government facilities and is expected to be completed by December 31, 2032. Shares +0.23% AH.
Mercury Systems Receives $14M Order for Digital Signal Processing Modules(GlobeNewswire) Mercury Systems Inc. (NASDAQ: MRCY, www.mrcy.com), a leader in trusted, secure mission-critical technologies for aerospace and defense, announced it received a $14 million order from a leading defense prime contractor for digital signal processing modules for deployment in a multi-mode tactical radar application.
Ligado investors should be scared of its future(Defense News) By now it shouldn't be any surprise that I oppose the decision by the Federal Communications Commission to approve Ligado Networks' application to repurpose low-band spectrum for a terrestrial commercial network that will interfere with GPS and satellite communications signals.
SpaceX launches new cargo Dragon to Space Station for 100th successful Falcon 9 flight(Yahoo) SpaceX launched its 21st Commercial Resupply Services (CRS) mission for NASA to the International Space Station on Sunday, using a brand new variant of its Dragon capsule spacecraft. This new cargo Dragon has greater carrying capacity and can dock fully autonomously with the Space Station, both improvements over the last iteration. This is the first launch for this redesigned cargo Dragon, and also the first mission for SpaceX's new series of CRS missions under a renewed contract with NASA.
The SolarWinds Breach: What We Know Now and What Businesses Can Do to Protect Themselves (LexBlog) Earlier this month, we learned that the SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1*, released between March 2020 and June 2020, were compromised by an advanced persistent threat actor (or APT). The perpetrators of this sophisticated attack implanted a Trojan into a legitimate update to the Orion Platform that was …
Data Security Business Advisory(Department of Homeland Security) This Advisory describes the data-related risks American businesses face as a result of the actions of the People's Republic of China (PRC) and outlines steps that businesses can take to mitigate these risks. Businesses expose themselves and their customers to heightened risk when they share sensitive data with firms located in the PRC, or use equipment and software developed by firms with an ownership nexus in the PRC, as well as with firms that have PRC citizens in key leadership and security-focused roles (together, "PRC firms"). Due to PRC legal regimes and known PRC data collection practices, this is particularly true for data service providers and data infrastructure.
Lockheed Martin's SBIRS GEO-5 Satellite Readies for Launch in 2021(Via Satellite) Lockheed Martin revealed Wednesday that the fifth Space Based Infrared System Geosynchronous Earth Orbit (SBIRS GEO-5) satellite is complete and ready for launch in 2021, as determined by the U.S. Space Force. SBIRS GEO-5 is the first military space satellite built on Lockheed Martin's LM 2100 combat bus. The SBIRS
NGA launches new tech accelerator in St. Louis(C4ISRNET) The accelerator program adds to the National Geospatial-Intelligence Agency's investment in the St. Louis area, where the agency is building a new state-of-the-art facility to house NGA West.
AFOSR awards 17 quantum research grants(Intelligence Community News) The Air Force Research Laboratory's Air Force Office of Scientific Research (AFOSR) recently awarded 17 quantum information science grants.
US Air Force tests artificial intelligence on board a U-2 aircraft(Air & Cosmos) The US Air Force experimented with artificial intelligence on board a Lockheed U-2 in a simulated mission. Pilot and artificial intelligence shared the tasks, with the pilot doing the flying. The equipment was designed to be easily transferable to another aircraft, thus representing the very beginning of the flight tests.
For NASA, It Should Be Mars or Bust(Wall Street Journal) After decades of nostalgia for the Apollo program, it's time for NASA to send astronauts on a radical new adventure, worthy of America's pioneering spirit
EXCLUSIVE: Space Is At Heart Of JADC2, Says Maj. Gen. Crider(Breaking Defense) "As a new service, we have an opportunity here to really establish ourselves in a new way -- leveraging digital technologies, and leveraging digital processes and practices in a new way," says Maj. Gen. Kim Crider, Space Force acting chief technology innovation officer.
Air Force Woos Congress On Space Acquisition Reform(Breaking Defense) "Given where we are at this point in the administration, it's unlikely that we would see a nominee" for an independent Space Force acquisition head, said Shawn Barnes, Air Force deputy assistant secretary for space acquisition.
Space Force expected to live on past Trump era(TheHill) President-elect Joe Biden has pledged to reverse or review many of President Trump's changes at the Pentagon, but one of Trump's signature achievements is expected to live on: the Space Force.