I’ve had multiple people (mostly executive leadership) ask me whether they should be concerned about destructive cyberattacks in the #SolarWinds incident. Two have cited elevated concerns because of attribution to Russia and the history of NotPetya. 1/
Obviously predictions in cyber age REALLY poorly, so evaluate this as lower quality as time marches on.
That said, I define a threat as the intersection of intent, opportunity, and capability. Let’s discuss each of these in the context of what we know about this threat actor. 2/
That said, I define a threat as the intersection of intent, opportunity, and capability. Let’s discuss each of these in the context of what we know about this threat actor. 2/
Capability: there’s no question that this very capable threat actor has the capability to perform destructive cyberattacks. Ignoring the fact that almost everyone does, Russia has demonstrated the ability with NotPetya and even against critical infrastructure with LightsOut. 3/
Opportunity: there’s no question they had the opportunity, though since the initial callback domain has been seized, the wider scale opportunity is gone.
There’s no doubt they can still wreak havoc in many networks, but the widest scale destructive attacks are now out. 4/
There’s no doubt they can still wreak havoc in many networks, but the widest scale destructive attacks are now out. 4/
Intent: this is where we have to rely on history a bit. We know that these operations are likely for intelligence value vs for use as a destructive cyberattack. Why?
1) the victims picked for follow on actions that we know of are all obvious intelligence targets. 5/
1) the victims picked for follow on actions that we know of are all obvious intelligence targets. 5/
2) Even if the SolarWinds breach was intended to be used to position for a destructive cyberattack, they knew that window would close the second FireEye announced their breach. If the intent was to be destructive, that’s changed now. 6/
3) When considering a cyber access, you can use it to collect intelligence or deliver an effect, but generally not both. There’s little doubt that Russia needed the intelligence access substantially more after November 3rd. This isn’t meant to be political. 7/
The reality is that with ANY administration change, you would have increased intelligence requirements to understand policy changes, intent, etc.
Whatever the intent WAS, it almost certainly changed after November 3rd. 8/
Whatever the intent WAS, it almost certainly changed after November 3rd. 8/
4) The administration change makes a destructive cyberattack against US targets risky. Biden is a wild card when it comes to his response. I just don’t see this being a good risk decision for the Russians. 9/
So there are my thoughts on intent, opportunity, and capability in this case. I assess with moderate-high confidence that regardless of the original intent, this access will not be used for destructive cyberattacks. /10
As per usual for long tweet threads, this one was also brought to you by Cypher, who was best boi and didn’t pull while I was typing. /FIN 
• • •
Missing some Tweet in this thread? You can try to
force a refresh
