News & Stories

Examining the SolarWinds/Holiday Bear Hack

Posted Apr 04 2021
Panelists speak on Zoom
Peter Clement, JD Work, Jason Healey, and Kimberly Marten spoke at the SIWPS panel on March 19.

 In December 2020, revelations of a cyber intrusion against the IT management company SolarWinds ignited fierce debate around norms and espionage. The hack, which may have exposed the networks of more than 18,000 corporations and government agencies, inserted malware into an update of Orion, the company's software platform that monitors network traffic.

A January 5 joint statement by the FBI, NSA, Office of the Director of National Intelligence, and the Cybersecurity and Infrastructure Security Agency implied an “advanced persistent threat” that was likely Russian in origin. In particular, there is substantial evidence that points to Russia’s political foreign intelligence agency, SVR.

On March 19, SIPA’s Saltzman Institute of War and Peace Studies convened an expert panel to discuss the SolarWinds hack, also called Holiday Bear, and the implications for the future of cyberespionage and conflict. Senior research scholar and CIA veteran Peter Clement kicked off the conversation by highlighting the Russian angle of the SolarWinds hack and provided detailed insights into Russian cyber espionage and politics.

“Why did the SVR and not Russia’s military intelligence agency, the GRU, carry out this campaign?” asked Clement. (It was the GRU, for example, that interfered in the 2016 U.S. election.) Clement then asked who could afford such an effort, speculating that it might have been another privately funded endeavor similar to that of the Internet Research Agency, which engaged in international disinformation campaigns.

JD Work, a Saltzman Institute research scholar who is also the Bren Chair for Cyber Conflict and Security at Marine Corps University, addressed the broader environment in which the SolarWinds hack occurred, discussing adversaries’ continued ability to retool and adapt to the changing environment.

“We must remember that this is not the first Russian operation compromising supply chains,” Work said. “The adversary has been previously successful installing malware into software update mechanisms.”

To confront the problem, he added, industry and government must engage in operational collaboration and track these threat actors across cyberspace.

Jason Healey, a senior research scholar at SIPA, said any analysis must consider cyber conflict and dynamics. “Defense is possible against a sophisticated attack, but only for very elite organizations,” he said.

Healey also recommended that SolarWinds and the recent Microsoft Exchange hacks be called Nemesis, after the Greek god, because “these cyberattacks struck down those full of hubris.”

The U.S. government’s cyber strategy of persistent engagement has been wholly implemented and had just protected an election that relied more on cyber infrastructure than any other in history due to the pandemic. Yet, we now see there is still much work to be done.

The panel’s moderator, Professor Kimberly Marten of Barnard College, asked if deterrence was a motive for Russia, while Clement asked if we were seeing “a spiral model of escalation to illustrate capabilities and strength by both sides.”

Work and Healey agreed that cyber campaigns have not yet escalated out of cyberspace and there is a plethora of evidence that deterrence, as we know it in armed conflict, has not applied in cyberspace. The SolarWinds/Holiday Bear hack was an intelligence operation, but the difficulty with cyber espionage is it also has the potential to become sabotage.

Related: “The Escalation Inversion and Other Oddities of Situational Cyber Stability,” by Jason Healey and Robert Jervis, considers questions around escalation and stability in cyberspace can be found here.

— Nate Low MPA ‘22