WASHINGTON: Not content to just steal secrets, foreign threat actors targeting the defense industrial base are becoming increasingly belligerent when encountered by incident response teams, actively engaging cyber defenders and sometimes turning to destructive attacks when pressed, according to VMware cybersecurity chief Tom Kellerman.
“The game has changed,” Kellerman told Breaking Defense in a recent interview. “The adversary now doesn’t just want to break into defense contractor x and steal national secrets. The adversary wants to break into defense contractor x and then use their digital transformation to attack government agencies.”
VMware, usually viewed as an IT infrastructure company best known for its cloud computing and virtualization tech, counts federal government agencies, NATO countries, and Five Eyes partners among its cybersecurity clients. It’s one of the original 15 companies in the Cybersecurity and Infrastructure Security Agency’s new Joint Cyber Defense Collaborative, or JCDC.
VMware recently released its latest Global Incident Response Threat Report, wherein the company says more than 100 industry respondents polled reported experiencing “integrity and destructive attacks” 51% of the time, while two-thirds of respondents reported these types of attacks 81% of the time.
Likewise, Kellerman said that while it hasn’t happened at a “systematic, scalable level,” his team has seen a “surge in destructive attacks, [data] wipers being deployed on systems, ransomware NotPetya-style, where they’re not asking for ransom. They’re trying to cripple the systems and attack the integrity of data itself.”
In particular, Kellerman noted a “spike” in the manipulation of timestamps, which VMware calls a “Chronos attack” and has been observing more frequently. He said there’s also been a “surge” in “counter-incident response,” wherein adversaries are “really fighting back and engaging defenders in a bid to stay on systems.”
Kellerman said he believed the developments are “directly in line with geopolitical tensions” between the US and other Western countries on one side and Russia and Belarus on the other. Last week, cybersecurity company Mandiant revealed “high confidence” in a link between the Belarus government and the multi-year, ongoing “Ghostwriter” cyberespionage and information operations campaign.
Kellerman also said the “unprecedented level of tension” between the US and Russia is “bubbling over into cyberspace” via more aggressive campaigns by threat actors such as NOBELIUM, the threat group linked to Russia and the one suspected behind the SolarWinds attack. But Kellerman said NOBELIUM’s other operations are potentially “100 times more significant than SolarWinds in that it’s attempting to commandeer technology infrastructure and the digital transformation of the US government through partners and then using those footprints to then attack the government itself.”
Kellerman added that the escalation of cyberattacks against the defense industrial base “is compounded by the fact that the Chinese have been very active.” But, he said, “the Chinese don’t leverage destructive attacks like the Russians.”
And Kellerman did suggest there are signs that the Russians and Chinese are increasing collaboration on cyber operations.
“The Shanghai Cooperation [Organization] goes far beyond economic cooperation between Russia and China, as evidenced by joint military maneuvers,” Kellerman said. “And those joint military maneuvers are not limited to the physical landscape of the world. The nature of what we’re facing here is quite significant.”
Kellerman’s comments to Breaking Defense came one day before the former director of CISA Chris Krebs warned an industry audience of the current “scary environment.” Krebs said many countries have “destructive” cyber capabilities and that, in his view, it’s just a matter of time before someone leverages those capabilities against US infrastructure. Such an attack, were it to ever materialize, would be viewed by US officials as a major escalation.
VMware’s cybersecurity expertise grew when it acquired US company Carbon Black in August 2019, which is when Kellerman joined VMware. Carbon Black’s tech was developed in the National Security Agency’s storied Office of Tailored Access Operations, which is the NSA’s offensive intelligence arm.
Kellerman told Breaking Defense the destructive attacks and attacks on data integrity are “not happening at a systemic, scalable level, but they’re happening as you see this escalation to more punitive retribution by these threat actors, not all of which are part of the intelligence services, by the way, of these countries.”
Kellerman said this requires that defense industrial base companies adopt active defense techniques, which include, according to the VMware report, “a spectrum of activity that ranges from deception technology to hacking back.” Congress introduced legislation this summer that would require the Department of Homeland Security to study allowing some companies to hack back and then develop policy recommendations.
Kellerman said neither he nor VMware advocates for companies hacking back; instead, they urge companies to look at other active defense techniques, such as deception networks and microsharding data.