Alexandre EF
8 min read, Nov 14, 2022

French Fries, Pelmeni, and Peking Duck

Cyberwar

Research Question: Compare and contrast the SolarWinds and HAFNIUM attacks. What was similar about them, what was different, which one was worse, and why?

Contents

Introduction

The Peking Duck

Hafnium — Microsoft — Beijing

Pelmeni

Solarwinds — Orion — Moscow

American Style of Cyberattacks

French Fries

Background

The 21st century has revealed that even the largest technical institutions can fall victim to state-sponsored advanced persistent threats (APTs). The companies SolarWinds and Microsoft are the Western casualties in the ever-evolving duel between the legacies of communist juntas and Western democracies. Russia and China recognized the information supply chains of Microsoft and SolarWinds as a target-rich environment. Both were successful in their acts of cyber espionage against SolarWinds and Microsoft because they developed unique cyber tools that transformed one breach into multiple breaches while avoiding immediate detection.

The Peking Duck

Espionage for economic or informational gain is not new. Neither is state encouragement of foreign and domestic actors to commit theft. America, in its infancy, was given a similar task by Hamilton (Wiseman). China is now behaving much as the U.K. and Washington did during their own Thucydides trap after the Revolutionary War. The Chinese have been able to employ cyberattacks both as an espionage tool and as a way to enhance their rising power in domestic economic innovation (Jinghua). What differs from the espionage of the past century is that commercial and industrial hacking may be used by Beijing as a coercive measure against Washington for actions taken against Beijing in trade and diplomacy.

Chinese hacking targets industries that the central and decentralized governance of China believes are important for its future in technological innovation. These industries include aerospace, semiconductors, and information technology (Welsh). This form of espionage is carried out directly by state and party members. For example, the Justice Department charged five CCP party officials with stealing from the nuclear power, metals and solar products industries (Welsh). China's 2004 National Defence plan identified that "informationalism" would become an achievable warfighting asset, and the Hafnium attack is a living example of that change (A new old threat: Countering the return of Chinese industrial cyber espionage).

Hafnium — Microsoft — Beijing

The Hafnium group created an automated cyberattack that queried unpatched Exchange Servers. It was then able to gain access through Outlook Web Access (OWA) (Deuby). The Hafnium attack planted a "web shell" which enabled web-based backdoor access to the breached Exchange servers (Deuby). The Hafnium group was able to steal data and gain access to critical systems. Reportedly, 30,000 servers were breached in the United States and hundreds of thousands globally. Affected networks included more small and medium enterprises (SMEs) than larger enterprises (Deuby). Hackers can regain access to these networks until the web shell is removed (Greenberg).

Hafnium Technical Timeline

1. Malicious login request

2. Server-Side Request Forgery (SSRF) attack

3. Exchange server provides admin security privileges

4. The attacker sends malformed serialized data

5. Malware runs remote code execution

6. Establishes reverse shell

7. User logins queried

8. Zipped info is sent to the attacker

(Leichter)

Pelmeni

Russia began cyber espionage against the United States in 1996 with the Moonlight Maze attack (Westby). Their goal then, as now, is to compromise American national security and US interests (Westby). Russia also has a disproportionate share of the world's cybercriminal population (Russian cyberattack campaigns and actors). Criminals' cyber theft and fraud against American interests are largely ignored by Russian authorities. Russia is thus able to contribute to global misinformation campaigns against America both organically and centrally (Russian cyberattack campaigns and actors). Russia has used offensive cyberattacks as a tool for leverage and warfare. Russians have disabled Estonian, Kyrgyz, and Ukrainian servers over symbolic political disputes such as the banning of Soviet emblems, and as a form of coercion to get Kyrgyzstan to remove U.S. troops (Windrem). Moscow also used it as a tool in conventional warfare against the Georgians during their war in 2008 (Windrem). SolarWinds is another example of Russia leveraging state and non-state actors to disrupt American espionage hegemony.

Solarwinds — Orion — Moscow

The Cozy Bear group infiltrated the infrastructure of SolarWinds to distribute a trojanized update on their application monitoring platform called "Orion." The hackers inserted malicious code called Sunburst into the Orion application, which was then transmitted to users during an Orion software update (Saheed Oladimeji). Sunburst allowed the hackers to gain further access into SolarWinds' customer base by installing additional malware (Saheed Oladimeji). The attackers operated from within the United States and mimicked legitimate network traffic, allowing them to evade the threat detection already employed by SolarWinds and its customers (Saheed Oladimeji). The attack gained access to 30,000 public and private organizations that use the Orion Network Management system (Lahav). The United States has accused Russia of the SolarWinds attack (Corera).

Solarwinds Technical Timeline

1. Probe — modification of installer package

2. Malicious DLL file attached to installer

3. Digital signature of SolarWinds confirmed on update

4. Malicious DLL starts probing and running PowerShell scripts

5. Malware runs kill codes to prevent detection and impersonates registries

6. C2 — lies dormant and communicates with command and control servers

7. Malware uses PowerShell scripts to gain access to additional networks

8. Sends information using PowerShell email commands

(Slowik) (Lahav)

French Fries

The Hafnium attack was identified early by investigators, so victims have had a chance to update their systems and remove the back door (Krebs). In December of 2020, AI was used to investigate the Hafnium attack. This AI, Darktrace, uses self-learning artificial intelligence to respond to threats at machine speed (Heinemeyer). The Hafnium attack may have been patched by Microsoft, but variants that would otherwise go undetected required users to download "Microsoft Safety Scanner" to pick up infected files (Abrams). The Microsoft Safety Scanner will run a full scan against an organization's Exchange server (Abrams). Microsoft also recommended that users check whether there is a scheduled task named "VSPerfMon" on their systems, which opens up future backdoors (Deuby et al.). The FBI began a court-approved operation to respond to Hafnium by hacking into federal agencies and removing the malware (Hern). It effectively removed the Hafnium software but did not remove the existing vulnerability (Hern).
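One way an administrator can perform the scheduled-task check mentioned above is the PowerShell below; it is an added example, not code from the article or from Microsoft's guidance, and the watched name pattern and the list of "trusted" directories are assumptions for this example.

```powershell
# Added hunting helper: list scheduled tasks whose name matches a watch list
# (defaulting to the "VSPerfMon" name the article cites) and show what each
# task would execute, flagging executables that live outside trusted roots.
# Name pattern and trusted-root list are assumptions, not vendor guidance.
function Find-WatchedScheduledTask {
    param(
        [string[]]$NamePatterns = @('*VSPerfMon*'),
        [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", "${env:ProgramFiles(x86)}")
    )
    foreach ($task in Get-ScheduledTask) {
        $matched = $false
        foreach ($p in $NamePatterns) { if ($task.TaskName -like $p) { $matched = $true } }
        if (-not $matched) { continue }
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            # Only "execute" actions carry a program path; skip other action types.
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $inTrusted = $false
            foreach ($root in $TrustedRoots) {
                if ($root -and $exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                }
            }
            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                State        = $task.State
                RunAs        = $task.Principal.UserId
                Execute      = $exe
                Arguments    = $action.Arguments
                LastRunTime  = $info.LastRunTime
                OutsideTrust = -not $inTrusted
            }
        }
    }
}

# Any hit is worth reviewing; OutsideTrust = True means the task launches a
# program from a directory not in the trusted-root list.
Find-WatchedScheduledTask | Format-Table -AutoSize
```

Run it in an elevated session on the Exchange host so tasks registered by other accounts are visible.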

Cozy Bear was successful at thwarting American data centres by taking advantage of American law (Slowik): the NSA does not have the authority to scan computers inside the US. SolarWinds used US-based servers at GoDaddy, AWS, and smaller parties (Slowik). FireEye reported that the SolarWinds attack was resolved by a coalition between Microsoft and SolarWinds (Schwab). Technical teams in the NSA and Homeland Security also worked with the companies. FireEye published the attackers' digital fingerprint, and the Microsoft Defender Antivirus program included this signature in its detections (Schwab). The attack had a kill switch that triggered under specific conditions, and security teams were able to trigger it and stunt the operation (Schwab). Hafnium and SolarWinds both used remote code execution to bypass existing cyber defences (Leichter). Both hacks persisted on networks for a long time after the initial compromise, and each attacked a large number of different networks (Leichter).

Conclusion

While the Hafnium and SolarWinds attacks make it appear that America is the victim of state-sponsored attacks, the reality is that America is one of the biggest attackers of Chinese and Russian networks. China and Russia face American-backed espionage and cyberattacks at high frequency against both their economic and state interests. The NSA is alleged to have attacked Huawei, Russian energy grids, and Petrobras (Sanger and Perlroth). Edward Snowden's revelations showed that America has committed global espionage, spying even on its allies (Welsh). The world has learned to divest state resources and engage in a new form of espionage in the grey zone. French Fries, Pelmeni, and Peking Duck engage in tit-for-tat cyber espionage. While the nations and their strategies may differ, cyberattacks like Hafnium and Sunburst are the talked-about covert actions of the Anthropocene (A moment of reckoning: the need for a strong and global cybersecurity response).

Works Cited

1. Krebs, Brian. “At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software.” Krebs on Security. 05 Mar. 2021. Web. 10 Sept. 2021.

2. Abrams, Lawrence. “Microsoft’s Msert Tool Now Finds Web Shells from Exchange Server Attacks.” BleepingComputer. BleepingComputer, 08 Mar. 2021. Web. 10 Sept. 2021.

3. Corera, Gordon. “US and UK Agencies Accuse Russia of Political Cyber-campaign.” BBC News. BBC, 01 July 2021. Web. 10 Sept. 2021.

4. Deuby, Sean, et al. “Timeline of a Hafnium Attack.” Security Boulevard. 05 May 2021. Web. 07 Sept. 2021.

5. Deuby, Sean. “Timeline of a Hafnium Attack.” Audio blog post. Security Boulevard. 5 May 2021. Web. 06 Sept. 2021.

6. Greenberg, Andy. “Chinese Hacking Spree Hit an ‘Astronomical’ Number of Victims.” Wired. Conde Nast, 05 Mar. 2021. Web. 07 Sept. 2021.

7. Heinemeyer, Max. “Hafnium Cyber-attack Neutralized by AI in December 2020.” Darktrace. Web. 10 Sept. 2021.

8. Hern, Alex. “What Is the HAFNIUM Microsoft Hack and Why Has the UK Linked It to China?” The Guardian. Guardian News and Media, 19 July 2021. Web. 07 Sept. 2021.

9. IronNet Threat Analysis and Research Teams. “Russian Cyber Attack Campaigns and Actors.” Blog post. https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors. IronNet, 28 May 2021. Web. 07 Sept. 2021.

10. Jinghua, Lyu. “What Are China’s Cyber Capabilities and Intentions?” Carnegie Endowment for International Peace. 1 Apr. 2019. Web. 07 Sept. 2021.

11. Lahav, Igor. “SUNBURST: Attack Flow, C2 Protocol, and Prevention.” Cynet. 23 June 2021. Web. 09 Sept. 2021.

12. Leichter, William. “Hafnium & Exchange: Elements of the Attack.” Virsec. Web. 09 Sept. 2021.

13. “A Moment of Reckoning: The Need for a Strong and Global Cybersecurity Response.” Blog post. Microsoft. Microsoft, 17 Dec. 2020. Web. 09 Sept. 2021.

14. “A New Old Threat: Countering the Return of Chinese Industrial Cyber Espionage.” Council on Foreign Relations. Council on Foreign Relations. Web. 07 Sept. 2021.

15. Panettieri, Joe. “Microsoft Exchange Cyberattack: U.S. Blames China for Hafnium Email Hack.” MSSP Alert. 20 July 2021. Web. 09 Sept. 2021.

16. Oladimeji, Saheed, and Sean Michael Kerner. “SolarWinds Hack Explained: Everything You Need to Know.” WhatIs.com. TechTarget, 16 June 2021. Web. 07 Sept. 2021.

17. Sanger, David E., and Nicole Perlroth. “U.S. Escalates Online Attacks on Russia’s Power Grid.” The New York Times. The New York Times, 15 June 2019. Web. 10 Sept. 2021.

18. Schwab, Katharine. “What It Was Like inside Microsoft during the Worst Cyberattack in History.” Fast Company. Fast Company, 07 Sept. 2021. Web. 09 Sept. 2021.

19. Slowik, Joe. “Continuous Eruption: Further Analysis of the SolarWinds Supply Chain Incident.” DomainTools. 18 Dec. 2018. Web. 09 Sept. 2021.

20. Welsh, Teresa. “Views You Can Use: Chinese Hackers Accused of Economic Espionage.” US News. U.S. News & World Report L.P., 19 May 2014. Web.

21. Westby, Jody. “Russia Has Carried Out 20-years of Cyber Attacks That Call for International Response.” Forbes. Forbes Magazine, 20 Dec. 2020. Web. 07 Sept. 2021.

22. Windrem, Robert. “Timeline: Ten Years of Russian Cyber Attacks on Other Nations.” NBCNews.com. NBCUniversal News Group, 27 Mar. 2017. Web. 09 Sept. 2021.

23. Wiseman, Paul. “In Trade Wars of 200 Years Ago, the Pirates Were Americans.” AP NEWS. Associated Press, 28 Mar. 2019. Web. 09 Sept. 2021.


MA. Arizona State University Centre for Future Warfare. All writing is scholarly and creative and may not reflect actual opinion.