Cybersecurity and Deterrence

How Should the U.S. Respond to the SolarWinds and Microsoft Exchange Hacks? 

By Dmitri Alperovitch, Ian Ward
Friday, March 12, 2021, 10:59 AM

Over the past two months, news has broken that Russia and China, the United States’s two primary geopolitical adversaries, have both executed major cyber operations against the networks of American companies and government agencies. On their faces, the two attacks share much in common. At least at this early stage, both appear to have been espionage operations designed to give foreign intelligence agencies access to sensitive targets and to steal emails, documents and other data that would be of value to the Russian and Chinese governments. Both attacks were far reaching, affecting tens of thousands of American networks and testing the limits of U.S. cyber defense capabilities and the country’s broader cybersecurity strategy.

Though the strategic goals of the two operations might be similar, the execution of these two attacks could not be more different—and when it comes to the United States’s response, these differences matter. In terms of its execution, the Russian campaign, known as the SolarWinds attack or Holiday Bear operation, was highly targeted and even quite responsible. But the Chinese campaign, which breached Microsoft Exchange servers, was unfocused and dangerous—and the U.S. should respond accordingly.

The Russian attack leveraged newly introduced backdoors and stolen keys in several supply chain companies—including SolarWinds, Mimecast and a yet-unnamed reseller of Microsoft services, among other possible companies. Using these tools, an adversary believed to be connected to the SVR, Russia’s primary foreign intelligence agency, gained access to the networks of thousands of American companies and organizations, including many Fortune 500 companies. 

Critically, however, Russia opted not to exploit the vast majority of the networks it gained access to, or even to maintain ongoing access to them for future operations. Instead, the attackers voluntarily sent a kill switch to 99 percent of their potential victims, permanently disabling Russia’s access. It is, of course, unlikely that they did this out of the goodness of their hearts. Instead, it is probable that Russia calculated that obviating access to all but a handful of high-value targets would allow it to maintain the long-term stealth of its operation—the fewer networks you are exploiting, the better the chance that you will remain undetected in those networks for long periods of time. By some estimates, Russia maintained access to its chosen networks for close to nine months—so it seems that this gamble paid off. 

Regardless of the SVR’s ultimate motive, the United States should recognize that the SolarWinds/Holiday Bear operation was executed in an unusually surgical manner that seems to have been designed to minimize collateral damage. This recognition, in turn, should shape the American response. As one of us (Alperovitch) noted in his testimony before the House Committee on Homeland Security in February, the U.S. should be extremely careful to calibrate its response to the severity and scope of the operation. Russia has taken plenty of highly objectionable actions over the years that constitute serious violations of international norms, in both the cyber and physical realms. These activities include the destructive NotPetya attacks against Ukraine in 2017, which spread broadly across the globe and caused billions of dollars in damage, as well as the attacks on the opening ceremony at the Pyeongchang Olympics in 2018, and interference in U.S. elections—not to mention Russia’s use of chemical weapons in clear violation of the Chemical Weapons Convention. 

But the SolarWinds/Holiday Bear operation is simply not one of those actions. Of course, the United States should not be thrilled that Russia successfully carried out a devastating espionage campaign against the U.S. government, or that one of America’s primary adversaries can hoard supply chain vulnerabilities and backdoors for future campaigns. But the U.S. should also appreciate that these types of operations are exactly the sort that the U.S. government would be extremely proud of, if executed by its own intelligence agencies. In fact, U.S. intelligence agencies have conducted functionally identical campaigns in the past. As the Washington Post reported in 2020, the CIA, in cooperation with West German intelligence, purchased in 1970 the Swiss company Crypto AG, which manufactured cryptographic equipment for foreign militaries and diplomatic customers around the globe. For the next 30-plus years, the National Security Agency worked closely with the company’s executives to weaken the cryptography via backdoors embedded into their machines, giving the U.S. intelligence community a direct line into foreign governments’ encrypted communications. In this respect, the Crypto AG operation, widely considered one of the most successful intelligence coups in history, is not essentially different from the recent SolarWinds/Holiday Bear breach.

That said, these comparisons do not suggest that the United States should do nothing in response to the recent attack. A course of inaction would be neither strategically savvy nor consistent with the precedent the U.S. has set when it comes to espionage operations in the physical world. When the U.S. government discovers an espionage campaign in the United States, it doesn’t pat the spies on the back and say “good job”; it arrests and prosecutes them—and then frequently exchanges them for the U.S.’s own spies who are being held overseas. Depending on the severity and scope of an espionage campaign, it may also issue demarches, expel foreign intelligence officers, or even close down diplomatic facilities—as the Trump administration did to China’s consulate in Houston, Texas, in July 2020. 

All of those responses should be on the table as the Biden administration designs an appropriate response to the SolarWinds/Holiday Bear espionage campaigns. But to reach beyond these established responses would not only be hypocritical—it could in fact be counterproductive. As strange as it may seem, the SolarWinds/Holiday Bear campaign is the sort of cyberespionage campaign that the U.S. should be willing to acknowledge as acceptable under existing international norms: limited in scope, carefully executed, and not designed to destroy, manipulate, or otherwise disrupt data. If the U.S. responds too forcefully to this campaign, it risks removing any incentive for adversaries to adopt such a measured approach in the future.

In fact, the recent Microsoft Exchange hack carried out by a group of Chinese hackers shows precisely why the U.S. should be working to avoid that outcome. Unlike the SolarWinds/Holiday Bear operation, the Microsoft Exchange hack was neither targeted nor carefully executed. Although the operation likely began as a limited espionage campaign designed to use zero-day, or previously unknown, vulnerabilities in Microsoft Exchange’s email servers to gain access to sensitive networks, it escalated rapidly in late February when China learned that Microsoft was planning to issue a software patch at the beginning of March. The patch would have fixed the four vulnerabilities that the adversary was using to gain access to the networks, thereby denying them access to potential future targets. In anticipation of the patch, China decided to take the truly unprecedented step of automatically scanning practically the entire internet for vulnerable Exchange servers and then compromising every single one of those servers before they could be patched. Like a cat burglar who heard the police sirens wailing in the distance, China simply grabbed everything in sight, opting to decide later what, if anything, might be of value.

This “pillage everything” model, as the cybersecurity expert Nicholas Weaver has called it, represents an exceptionally reckless and dangerous tactic that has weakened the security of tens of thousands of networks around the globe. To gain ongoing access to vulnerable networks, China deployed so-called “web shell” scripts, which serve as easily accessible backdoors into a network. Web shells often are not protected with the strong password necessary for the adversary to control who takes advantage of them, such that any subsequent actor who comes along can sometimes use the same web shell to gain easy access to a network. Moreover, software patches, such as the one that Microsoft released this month for Exchange, do not remove web shells from the system—meaning that the network remains in a compromised state until individual defenders find the scripts within their systems and take active steps to remove them. As a result, China has effectively left the door wide open for any number of other threat actors looking to do damage on vulnerable networks—including criminal ransomware gangs whose sole objective is to hold networks hostage in exchange for exorbitant sums of money. 

Unfortunately, this is not an abstract threat. In the coming days and weeks, the United States will likely witness a massive surge of ransomware attacks aimed at vulnerable servers, many of which belong to small- and medium-sized organizations that stand to be crippled by destructive ransomware attacks.

The comparison between the Russian and Chinese operations is stark. If the SolarWinds/Holiday Bear campaign was a minimally invasive arthroscopic incision into vulnerable networks, the Microsoft Exchange hack was a full-limb amputation: untargeted, reckless and extremely dangerous. 

The U.S. response should reflect this critical disparity. First and foremost, the United States should account for the fact that the wound from the Microsoft Exchange hacks is still bleeding. Before taking any additional action, the U.S. should privately demand that the responsible parties remove all remaining web shells from all networks around the globe. If China refuses to do so, and any destructive attacks take place that use these web shells, the U.S. should hold China directly responsible for the damage. Even if China does agree to remove the web shells, the U.S. should consider retaliatory measures beyond those suited to a typical espionage campaign—a response merited due to the stark violation of traditional norms that this attack represents. U.S. messaging should be strategically ambiguous about the precise form that this retaliation might take, but the goal should be to inflict costs in a way that China will care the most about. This would require looking beyond cyber responses to considering economic actions, such as placing additional Chinese companies on the Commerce Department’s entities list.

The impulse to respond uniformly to all cyberattacks is a powerful one, but the reality is that, from both a normative and a strategic point of view, not all hacks are the same. Admittedly, delineating international norms in cyberspace is a difficult and ambiguous exercise, but if there is a clear lesson from these two recent attacks, it is that the U.S. government must try to do so. Multilateral commissions tasked with determining international cyber norms, like the United Nations Group of Governmental Experts (GGE) and the Open-ended Working Group (OEWG), serve an important purpose. But ultimately, the way to create lasting and effective norms in cyberspace is to enforce red lines when they are crossed. By responding forcefully to the Microsoft Exchange attack, the U.S. would not only be standing up for the security of its networks and the well-being of its citizens; it would also be taking a critical first step toward realizing a set of international norms that could make cyberspace safer for everyone.