From hacked to disinformed: SolarWinds — a cyber performance.
Note: See a mistake or inaccuracy? Let me know!
I think there are a few reasons why people are uncomfortable discussing, reading about or addressing matters of cyber, data breaches, mis/disinformation, information wars, etc.:
- The topics are developing at an extremely fast pace, making them difficult to follow
- The topics have become oversaturated in our day-to-day media and information intake
- The topics come off as other-worldly with their technical terms and IT industry jargon
In short, the topics are seen as too complicated. And what’s too complicated often becomes inaccessible. Inaccessibility prevents mass education. Lack of education leads to ignorance. Ignorance, of course, leads to fear.
Below, I take the most top-of-mind cyberattack taking over headlines today — the SolarWinds hack carried out by Cozy Bear (APT29). In my attempt to learn more about it, I hope to break the issue down in terms that are digestible and more accessible. I present SolarWinds — a cyber performance.
The Cast (aka definitions):
- SolarWinds Inc.: an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure.
- Orion Platform (app): a bandwidth performance management and fault management application that allows users to view the real-time statistics of their network directly from a web browser.
- FireEye: a cybersecurity company that has proven to be the go-to for various governments and corporations.
- APT29 (Cozy Bear): state-sponsored hackers affiliated with the Kremlin’s intelligence services in Russia. Also sometimes referred to as Office Monkeys, CozyCar, The Dukes and CozyDuke.
- Command and control server (C&C or C2): a computer that is controlled by the attacker (cybercriminal) and is used to send commands to malware-compromised systems and receive stolen data from those targets.
- Dynamic-link library (DLL): a library that contains code and data that can be used by more than one program at the same time.
- Supply chain attack: a cyber-attack that targets less-secure elements in an organization’s network supply chain with the intention of causing damage.
- Digitally signed: executables and scripts carrying a signature that confirms the code has not been altered or corrupted since it was signed.
- Backdoor: a covert method of obtaining remote access to a computer that bypasses regular authentication and/or encryption.
- Sinkhole: a server that captures malicious traffic, preventing attackers from seizing control of infected computers.
- Killswitch: a safety mechanism used to power off in an emergency when a regular shutdown is not possible.
Dress rehearsal (aka how it started)
In October 2019, state-backed hackers staged a rehearsal attack against SolarWinds. The test sent files through digitally signed updates to the Orion app for the sole purpose of seeing whether they would be delivered undetected. The files held no backdoors or malicious code. The dry run went through successfully and today… we find ourselves grappling with the largest supply chain attack in cyber history.
Show premier (aka how it happened)
Seeing as the test run was a success, the attackers went on to perform the actual malware (now known as SUNBURST or Solorigate) injection into the SolarWinds Orion app. The app updates were released between March and June 2020, already containing 4,000 lines of harmful code. Ultimately those led to the “SUNBURST Backdoor”. The trojan horse-like update spread quickly through the networks (i.e. organizations relying on the Orion app to monitor and keep inventories of internal IT systems), planting the undiscovered SUNBURST malware (a compromised DLL) deep inside internal networks and, unbeknownst to those organizations, creating a backdoor for the attackers to use. As with the test run, these updates were digitally signed, indicating the attackers had insight into and access to SolarWinds’ software development process.
In their investigation, Microsoft confirmed the attack’s high sophistication as the code left little to no trace behind (lightweight code) and ran in a parallel thread, avoiding disruption of the core functions of the Orion app DLL. While gathering data and information from the penetrated network, and before contacting command and control (C&C/C2) servers, the malware also regularly checked to make sure it was running undiscovered. Once data was collected, the malware waited 12–14 days before sending the findings back to a remote C2 server.
To do so, it used what appeared to be a unique sub-domain for each affected network — think of an entity-relationship model, but with separate coloured threads leading from various outside points back to a central hub. This transportation path (URL) was built in four parts: part 1 was dynamically generated from data on the infected machine, part 2 was a SUNBURST constant, part 3 indicated the global region from which the data was pulled (EU West, US East, etc.), and part 4 was also a constant, one we now know played a central role in the hack (avsvmcloud[.]com).
Upon “arrival” at the C2 server, the data was analyzed by the culprit. The information then helped decide which of the penetrated organizations should be escalated for intelligence-gathering purposes.
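The four-part beaconing hostname described above is exactly the kind of thing a defender can look for in historical DNS logs: any lookup under avsvmcloud[.]com from inside the network is a sign that the Orion host in question needs its logs reviewed. The script below is an added example, not code from the original post or from any of the companies named in it. It scans constructed resolver log lines for lookups under that domain and splits each match into the machine-derived, constant and region labels. The log format, hostnames, IP addresses and subdomain label values are all invented for the example; only the avsvmcloud.com suffix comes from the post.

```python
"""Triage a DNS query log for lookups of the SUNBURST beaconing domain.

Added example (not code from the original post). It assumes a simple
whitespace-separated DNS log format constructed for this example:
    <timestamp> <client-ip> <client-hostname> <queried-name> <record-type>
Real resolver logs (BIND, Windows DNS, Zeek dns.log) lay fields out
differently; only the field split in triage() needs adapting for them.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# The one indicator taken from the post: the constant fourth part of the
# beaconing hostname, written defanged there as avsvmcloud[.]com.
C2_DOMAIN = "avsvmcloud.com"

# Constructed log lines. The subdomain labels are invented placeholders,
# NOT real SUNBURST values; only the avsvmcloud.com suffix is real.
SAMPLE_LOG = """\
2020-06-15T09:12:01Z 10.20.30.41 orion-srv01 r2d9k0a7x1p4c6m8.constlabel.eu-west-1.avsvmcloud.com A
2020-06-15T09:12:02Z 10.20.30.41 orion-srv01 updates.solarwinds.example A
2020-06-15T09:13:10Z 10.20.30.52 orion-srv02 j8v3n1q5t7w9e2b4.constlabel.us-east-2.avsvmcloud.com A
2020-06-15T09:14:00Z 10.20.30.60 workstation7 www.notavsvmcloud.com A
2020-06-15T09:14:05Z 10.20.30.60 workstation7 avsvmcloud.com.phish.example A
2020-06-15T09:15:30Z 10.20.30.41 orion-srv01 R2D9K0A7X1P4C6M8.constlabel.eu-west-1.avsvmcloud.com. CNAME
"""


@dataclass(frozen=True)
class Beacon:
    timestamp: str
    client_ip: str
    client_host: str
    machine_part: str   # part 1: derived from the victim machine (per the post)
    constant_part: str  # part 2: the SUNBURST constant
    region_part: str    # part 3: region such as EU West / US East
    qtype: str


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of a fully qualified form."""
    return name.lower().rstrip(".")


def is_c2_lookup(name: str) -> bool:
    """True only for the domain itself or a proper subdomain of it.

    A plain endswith("avsvmcloud.com") would also match notavsvmcloud.com,
    and a prefix check would match avsvmcloud.com.phish.example, so the
    comparison is anchored on the label boundary.
    """
    n = normalize(name)
    return n == C2_DOMAIN or n.endswith("." + C2_DOMAIN)


def split_beacon_name(name: str) -> Optional[Tuple[str, str, str]]:
    """Split <machine>.<constant>.<region>.avsvmcloud.com into its three parts.

    Returns None when the name is not under the C2 domain or does not have
    the leading labels the post describes (e.g. a bare-domain lookup).
    Any extra labels in the middle are folded into the constant part.
    """
    n = normalize(name)
    if not is_c2_lookup(n):
        return None
    prefix = n[: -len(C2_DOMAIN)].rstrip(".")
    labels = prefix.split(".") if prefix else []
    if len(labels) < 3:
        return None
    return labels[0], ".".join(labels[1:-1]), labels[-1]


def triage(log_lines: Iterable[str]) -> List[Beacon]:
    """Return one Beacon record per lookup under the C2 domain."""
    beacons: List[Beacon] = []
    for line in log_lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line: skip it rather than abort the triage
        ts, ip, host, qname, qtype = fields
        if not is_c2_lookup(qname):
            continue
        # Lookups of the bare domain are still flagged, with empty parts.
        machine, const, region = split_beacon_name(qname) or ("", "", "")
        beacons.append(Beacon(ts, ip, host, machine, const, region, qtype))
    return beacons


def hosts_to_escalate(beacons: Iterable[Beacon]) -> Counter:
    """Map client hostname -> number of C2 lookups, to prioritise log review."""
    return Counter(b.client_host for b in beacons)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for b in found:
        print(f"{b.timestamp} {b.client_host} region={b.region_part} "
              f"machine_part={b.machine_part} type={b.qtype}")
    print("hosts needing escalation review:", dict(hosts_to_escalate(found)))
```

Of the six constructed lines, three are flagged (two from orion-srv01, one from orion-srv02); the look-alike names `www.notavsvmcloud.com` and `avsvmcloud.com.phish.example` are correctly ignored, and the upper-case, trailing-dot variant is still caught. In the terms the post uses later, the flagged hosts are the ones that move from “infected” to “needs log review”, since the lookups only show that the backdoor phoned home, not what happened next.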
According to FireEye, of the 18,000 networks infected (including Cisco, Intel, Nvidia, Rakuten, Deloitte), only approximately 50 targets recorded evidence of an escalation by the attackers. Another 40 were noted by Microsoft in a separate report. These selective escalations confirm the hackers aimed at infiltrating high-profile targets such as the US cybersecurity firm FireEye, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the US Department of State and more.
It’s important to understand the difference between an infection and an escalation. An infection requires removal only (think of a simpler virus disrupting computer functions), while an escalation requires log reviews and analysis to understand what data was stolen and/or compromised. It’s also important to remember that it takes time (from months to years) to learn and understand the full impact of a hack and its consequences. It also takes time to confirm whether the hackers have fully exited the systems, especially after they’ve remained undiscovered and active for long periods of time.
FireEye discovered the SolarWinds hack while investigating the breach of its own systems, which resulted in a number of its Red Team Tools being stolen — tools and software meant to mimic and recreate assaults on networks in order to find vulnerabilities and strengthen defences. It’s too soon to tell whether these tools, or variations of them, will be used to access victim networks, as evidence of this often shows up months, if not years, later.
Performance reviews (aka what it means)
This very patient and careful operation, a hacker’s marathon rather than a sprint, is believed to have been carried out by a Russian state-sponsored group known as Cozy Bear (APT29). The scale and reach of the affected organizations have led the U.S. government to treat the situation as a national security emergency. For context, this is the same group that was responsible for the hack of the Democratic National Committee’s servers during the 2016 presidential campaign (Clinton emails!!). More recently, they were accused of trying to steal COVID-19 vaccine research from Canada, the U.K. and the U.S. They are also reportedly responsible for stealing the Red Team Tools mentioned earlier. The list goes on.
With the first Cozy Bear hack on the U.S. government taking place in 2014, then classified as “the worst hack ever” (when in reality it accessed the unclassified email system only), it’s clear that with each attack the mastery of the hack evolves. Meanwhile, the agenda remains the same: take information and use it, whether for Russia’s intelligence-gathering purposes or for international disruption.
As of today, the SUNBURST malware has been sinkholed thanks to the work of Microsoft, FireEye and a coalition of other tech companies. In other words, the key infectious domain (remember avsvmcloud[.]com?) has been identified and turned into a killswitch which now prevents the hackers from escalating further infections through the Orion app. But, as noted in an official statement by FireEye, “This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”
So, why the writeup?
I am not an IT wiz, nor do I ever plan to be the next great hacker. What I am is someone who has grown up in an environment and culture that has seen and is living the long-term consequences of successful information theft and of repurposed disinformation positioned in day-to-day conversations (for reference, Google “Ukraine” AND “Russia” AND “disinformation”).
I am someone who strongly believes that when inaccessible topics become accessible and relevant to every citizen, they stop being fear-inducing and turn into action-motivating. As outlined in my previous post We the people — we the conspiracy disinformation campaign, we ourselves are now the sources of that false information. We do the heavy lifting, helping the original adversaries.
I also work in communications, so it makes sense that my passion is to…communicate about what I think is important.
My two cents:
Double extortion hacks threaten to expose data if financial demands are not met. They have a clear beginning and end. But what happens when information is taken for the purposes of espionage, wreaking havoc and/or other forms of disturbance? What is the connection between network hacks and mis/disinformation spreading? In those cases, no amount of money will save the victim organizations. Meanwhile, the long-term consequences change the organization’s operations, which then impact the rest of the world.
Many journalists today are doing an incredible job at breaking down the tech/IT talk while bringing the public’s attention to relevant issues. Unfortunately, no matter how much they try to simplify a language that was never meant to be simple, it never fits into bite-sized headlines or a Tweet-length update — the things that largely lead our information consumption habits today.
I understand we have few options in what we could do — get better at protecting our networks and learn how to detect the post-attack disturbances faster. With that, I remain baffled at the carefulness of the global response to the attacks led by the Kremlin. By now we know the likes of APT29 have a history of carrying out year-long espionage missions. And as we have yet to see public repercussions for their actions, they often continue with their tasks even after being discovered.
I look to global leaders to move past the diplomatic “we condemn” and use their resources to address cyber issues head-on. I look to global firms and brands to use their influence and address disinformation in a language that is relatable. I look to gap-bridging consultants to use their expertise in convincing clients that preventing the spread of false information can be their mission (I applaud you, Alethea Group). I look to day-to-day citizens to remain vigilant about the information we consume.
This attack was complex and highly sophisticated, meaning the effects of it will be felt for years to come, whether that’s in the form of data manipulation, new information war tactics, or other.
Sources:
Business Insider: https://www.businessinsider.in/tech/news/everything-about-cozy-bear-russian-hacking-group-behind-us-government-data-breach/articleshow/79715555.cms
CyberScoop: https://www.cyberscoop.com/cozy-bear-apt29-solarwinds-russia-persistent/
Financial Post: https://financialpost.com/pmn/business-pmn/russias-potent-cyber-and-information-warfare-capabilities
Microsoft: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
Official website of the Department of Homeland Security: https://cyber.dhs.gov/ed/21-01/
Podcast: Cyber Security Headlines
Wall Street Journal: https://www.wsj.com/articles/a-pandemic-of-misinformation-11608570640
Politico: https://www.politico.com/news/2020/12/21/social-media-vaccine-misinformation-449770
The Verge: https://www.theverge.com/2020/12/21/22194183/intel-nvidia-cisco-government-infected-solarwinds-hack
Washington Post: https://www.washingtonpost.com/opinions/2020/12/15/enough-is-enough-heres-what-we-should-do-defend-against-next-russian-cyberattacks/
Wired: https://www.wired.com/story/russia-solarwinds-hack-targets-fallout/