(Telemetry & toolchains) vs. tradecraft: The SolarWinds hack from a strategic lens

To me, the SolarWinds hack is remarkable because it (momentarily) managed to upend one kind of strategy with the other. A broader strategic calculus is palpable in the operational choices made in this intrusion, and in the Concept of Operations which underpins them.

At the heart of it, the US and Russian strategic models for cyber operations could be neatly delineated around toolchains and tradecraft, respectively.

The US model invested heavily in structural frameworks planned and built over years, such as Quantum, passive access and traffic shaping, which paved the way for surgical, pinpointed operations with robust operations security.

Halvar Flake's rationale for such an approach is that it dramatically expands the compromise boundary: “Hack almost any node in the graph, and you get to attack other nodes by transitive trust.”

Russia, however, simply could not afford such an enviable vantage point. And so its tactically driven model relied on blending in with the supply chain, using camouflaging techniques, living off the land and establishing covert channels. The SolarWinds operation neatly ticks all of those boxes.

But deception and other cognitive aspects played a role too, something which Russia intrinsically knows how to exploit. The distraction caused by the presidential elections and the pandemic, the heightened mainstream obsession with the SVR's unruly cousin, the GRU, and the partial exposure of US counterintelligence capabilities (through political efforts like the DoJ indictments) possibly added fuel to the fire.

It was also an ambitious effort by the SVR to corrupt the second tier of American capability upon which its at-scale defense is premised: telemetry. The NSA used the same access-based frameworks, such as Turbulence (Turmoil, QFire and QuantumTheory) and DefiantWarrior, for Active Defense. I am not saying that this is the only tier of American defense, but it surely is the central pillar.

In what may signify how the fulcrum of cyber power shifts with the ongoing disintermediation, it’s Microsoft which actually leads the US incident response efforts in the SolarWinds case. It’s the “sheepdog” herding the federal agencies (in Brad Smith’s own words) — a non-state actor harbouring the most potent telemetry-economy-of-scale. But I am not surprised by it.

Lastly, I am reminded of Mudge's prophetic tweet forewarning how the decomposition of operations into quanta of capability, as used by MITRE ATT&CK, may fail to flag chains of events that are dependent steps for the adversary but appear independent, and individually unremarkable, to the defender.
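The following is an added example, not code from the original post and not a reproduction of anything Mudge published, that makes the point concrete: score each event by its ATT&CK technique in isolation and nothing crosses the alert threshold, while correlating the same events as an ordered, time-bounded chain per principal does. The technique IDs are real ATT&CK identifiers, but the event log, the scores, the chain order, the 600-second window and the noisy-OR combination are all constructed assumptions for illustration, not a claim about any specific intrusion.

```python
"""Technique-by-technique scoring versus dependency-aware correlation.

Added example, not from the original post. Technique IDs are genuine MITRE
ATT&CK identifiers; the events, principals, scores, chain order and window are
constructed for illustration only.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since an arbitrary epoch (constructed)
    principal: str   # host or identity the event is attributed to
    technique: str   # ATT&CK technique ID the detector mapped the event to
    score: float     # confidence that this single event, on its own, is malicious


# Constructed telemetry. Each event in isolation reads like routine admin noise,
# so its standalone score stays well below the alert threshold.
EVENTS: List[Event] = [
    Event(100, "build-01", "T1195.002", 0.35),  # vendor update with unexpected content
    Event(160, "build-01", "T1036",     0.25),  # process name masquerading as vendor binary
    Event(220, "build-01", "T1078",     0.30),  # logon with a valid account from that host
    Event(300, "build-01", "T1606.002", 0.35),  # SAML token presented to the cloud IdP
    Event(420, "build-01", "T1071.001", 0.25),  # low-volume traffic over ordinary HTTPS
    # A second principal shows some of the same techniques, out of order and hours
    # apart: the same quanta, but not a dependent chain.
    Event(110,  "admin-wks", "T1078",     0.30),
    Event(5000, "admin-wks", "T1036",     0.25),
    Event(9000, "admin-wks", "T1071.001", 0.25),
]

ALERT_THRESHOLD = 0.8

# Constructed dependency chain: the order in which the adversary needs these steps.
# On the defender's side each step is a separate ATT&CK "quantum".
KILL_CHAIN: Sequence[str] = ("T1195.002", "T1036", "T1078", "T1606.002", "T1071.001")


def independent_alerts(events: Sequence[Event],
                       threshold: float = ALERT_THRESHOLD) -> List[Event]:
    """Alert on each event by its own score alone (the per-technique view)."""
    return [e for e in events if e.score >= threshold]


def _match_chain(evs: List[Event], chain: Sequence[str],
                 window: int) -> Optional[List[Event]]:
    """Earliest in-order occurrence of `chain` in time-sorted `evs`, with every
    step landing within `window` seconds of the first step. None if absent."""
    for i, start in enumerate(evs):
        if start.technique != chain[0]:
            continue
        matched = [start]
        deadline = start.ts + window
        for e in evs[i + 1:]:
            if e.ts > deadline:
                break
            if e.technique == chain[len(matched)]:
                matched.append(e)
                if len(matched) == len(chain):
                    return matched
    return None


def chained_alerts(events: Sequence[Event], chain: Sequence[str] = KILL_CHAIN,
                   window: int = 600, threshold: float = ALERT_THRESHOLD
                   ) -> List[Tuple[str, List[str], float]]:
    """Correlate events per principal as an ordered chain and combine the
    evidence of the matched steps with noisy-OR: 1 - prod(1 - score_i).
    Returns (principal, techniques, combined_score) for chains over threshold."""
    by_principal: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_principal.setdefault(e.principal, []).append(e)

    hits = []
    for principal, evs in by_principal.items():
        match = _match_chain(evs, chain, window)
        if match is None:
            continue
        combined = 1.0 - math.prod(1.0 - e.score for e in match)
        if combined >= threshold:
            hits.append((principal, [e.technique for e in match], round(combined, 3)))
    return hits


if __name__ == "__main__":
    print("independent:", independent_alerts(EVENTS))   # -> []
    print("chained:", chained_alerts(EVENTS))            # -> build-01 chain, 0.834
```

The per-technique pass returns nothing: no single event reaches 0.8. The chain pass flags `build-01` at a combined 0.834 because the five steps occur in the adversary's required order inside the window, while `admin-wks`, which exhibits three of the same techniques but out of order and hours apart, stays silent. Shrinking the window to 200 seconds drops the `build-01` hit too, which is the practical caveat: the correlation only works if the defender has modelled the dependency, including its timing, in advance.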

I will write another post on how it upset the US doctrinal framework.