The recent expansive intrusion campaign against more than half a dozen government agencies, carried out through malicious backdoors in the SolarWinds Orion platform and dubbed SUNBURST/Solorigate, is already one of the most significant acts of cyber espionage in history.
According to Recorded Future, the intrusion appears to have been intended for information theft and espionage, unlike intrusions that aim for destruction. This places the campaign within the realm of counterintelligence.
FireEye has named the actor behind this intrusion “UNC2452,” and Volexity dubbed the threat actor “Dark Halo,” stating that it is the same actor as UNC2452, a claim FireEye has not substantiated.
Washington Post correspondent Ellen Nakashima also cited unnamed government sources claiming that Russian actors, namely APT29, are responsible for the attack. Members of the US Congress have also publicly accused Russia, and the Russian Foreign Intelligence Service (SVR) in particular, of being the responsible party.
The evidence made available to the public in support of these claims is sparse. Jake Williams, who runs Rendition Security, has said that technical evidence is forthcoming, but that it cannot be disclosed without tipping off those behind the crime to any mistakes they made and giving them the means to cover their tracks.
According to John Wetzel, writing for Recorded Future, properly conducted intelligence analysis combats bias and provides strategic and tactical guidance for responses.
“At the strategic level, we can be assured that responses are coordinated and proportional. At the tactical level, defenders can apply intelligence to seed proactive activities, such as hunting for behaviors after indicators run dry,” he wrote.
According to Wetzel, the goal of their analysis was “not to conclusively attribute this attack, but rather to review existing data through the lens of intelligence analysis and contribute to the conversation on adversary tracking.”
This is where you can read or download their complete report.