Defend and deter – Microsoft On the Issues

Last week Microsoft reported that Nobelium, a sophisticated hacking group associated with Russia's SVR and behind last year's SolarWinds attack, was engaged in phishing attacks targeting thousands of accounts at hundreds of government agencies and human rights advocacy groups. Today we provide an update on our ongoing investigation into these attacks and share important context now that we have all had the opportunity to learn more.

Having notified our targeted customers and closely monitored other reports, we still see no evidence of a significant number of compromised organizations at this time. Antivirus services such as Microsoft Defender Antivirus and endpoint detection and response products such as Microsoft Defender for Endpoint identify and protect against the malware used in this wave of attacks, working in conjunction with Microsoft Defender for Office 365. We will continue to monitor the situation, but for now this is good news.

We should also put last week's wave of attacks in context. Why was it important to disclose these attacks? What is their significance? And what do we think should be done?

At Microsoft, we receive more than eight trillion signals from our network every day. Our cybersecurity experts use cutting-edge technology and deep experience to analyze this data for signs of attacks so that we can alert and protect our customers. We also share information about the attacks we discover with the public, so that other members of government and the private sector can act to defend against adversaries and so that decision makers are well informed.

It was important to disclose last week's phishing attacks because they were evidence of a new campaign by a sophisticated adversary. We have seen, and publicly shared, Nobelium's extensive experimentation in the early stages of its campaign, experimentation consistent with Nobelium's established practice of evading detection and remaining persistent in victim networks. We wanted the defender community in government and the private sector to have this technical information as soon as possible. Our disclosure has already yielded benefits: CISA, the US agency most responsible for civilian cyber defense, has used our information to identify and help protect more potential victims.

But not all attacks are the same, so not all attacks require the same response. Last week's phishing attacks were a far cry from the ransomware attacks that in recent years have shut down local government agencies across the United States, halted healthcare delivery, and more recently halted the flow of fuel through the Colonial Pipeline.

So how should the government respond to last week's attacks? Some argue that governments have spied on each other for millennia and will continue to do so in the Internet age. They say last week's phishing attacks were "espionage as usual" and therefore do not require any meaningful government response. Let's examine this claim, with which we largely agree, by comparing last week's phishing to Nobelium's SolarWinds attacks last year.

The SolarWinds attacks have also been called "espionage as usual" by some. We do not agree. The SolarWinds attacks can be distinguished from expected espionage in two important ways. First, the attack corrupted and used the SolarWinds software update process. Software updates are how every vendor protects its customers, and they must remain trustworthy. Malicious use of updates destroys that trust and puts the security of the entire digital ecosystem at risk. Second, the SolarWinds attacks were carried out indiscriminately. Although the malware that opened a backdoor for the attacker was installed in more than 18,000 networks, the US government found only about a hundred victims whose backdoors were actually used for espionage. This overly broad and indiscriminate attack caused business disruption and unnecessarily imposed large costs on 18,000 organizations and businesses. That is not espionage as usual. Last week's phishing attacks, on the other hand, focused on espionage targets and did not corrupt a central process critical to the security of the digital ecosystem. And, in part due to early detection and the right defensive technology, last week's attacks mostly failed.

Nonetheless, significant nation-state attacks continue to occur. With SolarWinds, the Exchange Server attacks earlier this year, and now this phishing campaign, it is clear that we need to accelerate the work being done by the private sector and government to address our collective cybersecurity.

First, we must work to defend better. The best defense is moving to the cloud, where the most secure technology from any cloud provider is kept up to date and where security innovation happens fastest. All users should also use two-factor authentication and follow other basic cybersecurity hygiene practices. The Biden administration has taken an important step forward in advancing our defense by issuing the recent Executive Order on cybersecurity. This EO, which will require close collaboration between the public and private sectors to be fully implemented, will dramatically improve the security of government agencies and of the broader technology ecosystem. The EO reflects this administration's unprecedented commitment to cybersecurity. During the Hafnium / Exchange Server attacks earlier this year, the White House also led the formation of an informal task force and a formal Unified Coordination Group that, for the first time, included both the private sector and government agencies, creating a coordinated effort that helped limit the impact of those attacks. We must continue to work collectively to improve our defense.

Second, we must work to deter damaging attacks. Here again, this administration has already taken important steps. It attributed SolarWinds to the Russian intelligence agency SVR faster than the United States has ever publicly attributed a cyberattack to a foreign country. It also imposed sanctions for this and other actions, a critical step in deterrence. Yes, more will need to be done. Clearer rules for nation-state conduct must be defined and accepted by the international community, and clear and predictable consequences must be communicated for violations of those rules. For example, what exactly is "espionage as usual" that should be tolerated, and when is that line crossed? Progress is being made with the Paris Call for Trust and Security in Cyberspace, launched in 2018, which we hope the United States will now join. Recent United Nations processes are also producing consensus reports that will strengthen the international effort to define these rules, and the Oxford Process has brought together the world's foremost experts on international law to define how international law applies to cyberspace. These are all encouraging steps.

Progress must continue. At Microsoft, we will continue our efforts on all of these issues and will continue to work with the private sector, with the Administration and with all other interested governments to make this progress. Achieving stability will take time and work, but it will be time well spent.

Tags: cyberattacks, cybersecurity, malware, Nobelium, phishing, SolarWinds
