WASHINGTON: Foreign threat actors targeting the defense industry are not content with just stealing secrets.
“The game has changed,” Kellerman said in a recent interview with Breaking Defense. “Now the enemy doesn’t just want to break into arms company x and steal national secrets. The enemy wants to break into arms company x and then use its digital transformation to attack government agencies.”
Usually viewed as an IT infrastructure company best known for its cloud computing and virtualization technology, VMware counts federal agencies, NATO countries, and Five Eyes partners among its cybersecurity customers. It is one of the original 15 companies in the new Cybersecurity and Infrastructure Security Agency Joint Cyber Defense Collaborative, or JCDC.
VMware recently released its newest Incident Response Global Threat Report, with the company saying that more than 100 industry respondents surveyed reported “integrity and destructive attacks” 51% of the time, while two-thirds of respondents reported 81% of such attacks.
Likewise, Kellerman said that while it did not happen on a “systematic, scalable level,” his team saw a “surge in destructive attacks, [data] wipers deployed on systems, ransomware NotPetya-style where they don’t ask for ransom. You are trying to paralyze the systems and attack the integrity of the data itself.”
In particular, Kellerman noticed a “spike” in the manipulation of timestamps, which VMware calls the “Chronos attack” and which is observed with increasing frequency. He said there has also been a “surge” in “Incident Defense” with opponents “really hitting back and attacking defenders to stay on the systems”.
Kellerman said he believed the developments were “directly in line with geopolitical tensions” between the US and other Western countries on the one hand and Russia and Belarus on the other. Last week, cybersecurity company Mandiant expressed “high confidence” in a link between the Belarusian government and the multi-year ongoing cyber espionage and intelligence operation campaign “Ghostwriter”.
Kellerman also said that the “unprecedented level of tension” between the US and Russia has been “gushing into cyberspace” with more aggressive campaigns by threat actors such as NOBELIUM, the Russia-related threat group suspected of being behind the SolarWinds attack. But Kellerman said NOBELIUM’s other operations are potentially “100 times more significant than SolarWinds, as it seeks to partner-command the technology infrastructure and digital transformation of the US government and then use those footprints to attack the government itself.”
Kellerman added that the escalation of cyber attacks against the defense industry base “is compounded by the fact that the Chinese have been very active”. But, he said, “the Chinese don’t use destructive attacks like the Russians do.”
And Kellerman has hinted that there are signs that Russians and Chinese are stepping up cooperation on cyber operations.
“The Shanghai Cooperation [Organization] goes well beyond economic cooperation between Russia and China, as demonstrated by joint military maneuvers,” said Kellerman. “And these joint military maneuvers are not limited to the physical landscape of the world. The nature of what we have before us is quite significant.”
Kellerman’s comments to Breaking Defense came a day before former CISA director Chris Krebs warned a professional audience of the current “frightening environment.” Krebs said that many countries have “destructive” cyber capabilities and that, in his view, it is only a matter of time before someone uses those capabilities against US infrastructure. Such an attack, if it ever materialized, would be viewed by US officials as a major escalation.
VMware’s cybersecurity expertise grew when the company acquired Carbon Black in August 2019, when Kellerman joined VMware. Carbon Black’s technology was developed in the National Security Agency’s iconic Office of Tailored Access Operations, the NSA’s offensive intelligence agency.
Kellerman told Breaking Defense that the destructive and data integrity attacks “are not happening on a systemic, scalable level, but they do happen when you see this escalation into more punitive retaliation by these threat actors, who are not all part of the intelligence community in these countries by the way.”
Kellerman said this will require defense companies to adopt active defense techniques, which, according to the VMware report, “span a spectrum of activity from deception technology to hacking-backs.” Congress passed a law this summer that would require the Department of Homeland Security to conduct a study that would allow some companies to hack back and then come up with policy recommendations.
Kellerman said neither he nor VMware endorses companies hacking back, but encourages companies to look at other active defense techniques like deception networks and microsharding data.