Thursday, 31 December 2020
Government steals more powers from UK Parliament in draconian EU (Future Relationship) Act
This excellent, if shocking, blog was posted yesterday by legal commentator David Allen Green. It complements my own blog from yesterday on the serious democratic deficit of the Brexit deal in respect of the diminished role of the UK Parliament. I reproduce it unaltered.
The Bill implementing the Trade and Cooperation Agreement is an exercise in the Government taking power from Parliament
https://davidallengreen.com/2020/12/the-bill-implementing-the-trade-and-cooperation-agreement-is-an-exercise-in-the-government-taking-power-from-parliament/
30th December 2020
Today Parliament will be expected to pass, in one single day, the legislation implementing the Trade and Cooperation Agreement into domestic law.
This situation is exceptional and unsatisfactory.
The bill is currently only available in draft form, on the government’s own website.
As you can see, this means that ‘DRAFT’ is inscribed on each page with large unfriendly letters.
And we are having to use this version, as (at the time of writing) the European Union (Future Relationship) Bill is not even available on parliament’s ‘Bills before Parliament’ site.
The draft bill is complex and deals with several specific technical issues, such as criminal records, security, non-food product safety, tax and haulage, as well as general implementation provisions.
Each of these specific technical issues would warrant a bill, taking months to go through the normal parliamentary process.
But instead they will be whizzed and banged through in a single day, with no real scrutiny, as the attention of parliamentarians will (understandably) be focused on the general implementation provisions, which are in Part 3 of the draft bill.
And part 3 needs this attention, as it contains some remarkable provisions.
*
Clause 29 of the draft bill provides for a broad deeming provision.
(Note a ‘clause’ becomes a ‘section’ when a ‘Bill’ becomes enacted as an ‘Act’.)
The intended effect of this clause is that all the laws of the United Kingdom are to be read in accordance with, or modified to give effect to, the Trade and Cooperation Agreement.
And not just statutes – the definition of ‘domestic law’ covers all law – private law (for example, contracts and torts) as well as public law (for example, legislation on tax or criminal offences).
It is an ingenious provision – a wave of a legal wand to recast all domestic law in whatever form in accordance with the agreement.
But it is also an extremely uncertain provision: its consequences on each and every provision of the laws of England and Wales, of Northern Ireland, of Scotland, and on those provisions that cover the whole of the United Kingdom, cannot be known.
And it takes all those legal consequences out of the hands of parliament.
This clause means that whatever is agreed directly between government ministers and Brussels modifies all domestic law automatically, without any parliamentary involvement.
*
And then we come to clause 31.
This provision will empower ministers (or the devolved authorities, where applicable) to make regulations with the same effect as if those regulations were themselves acts of parliament.
In other words: they can amend laws and repeal (or abolish) laws, with only nominal parliamentary involvement.
There are some exceptions (under clause 31(4)), but even with those exceptions, this is an extraordinarily wide power for the executive to legislate at will.
These clauses are called ‘Henry VIII’ clauses and they are as notorious among lawyers as that king is notorious in history.
Again, this means that parliament (and presumably the devolved assemblies, where applicable) will be bypassed, and what is agreed between Whitehall and Brussels will be imposed without any further parliamentary scrutiny.
*
There is more.
Buried in paragraph 14(2) of schedule 5 of the draft bill (the legislative equivalent of being positioned in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard’) is a provision that means that ministers do not even have to go through the motions of putting regulations through parliament first.
Parliament would then get to vote on the provisions afterwards.
This is similar to the regulations which the government has been routinely using during the pandemic where often there has actually been no genuine urgency, but the government has found it convenient to legislate by decree anyway.
Perhaps there is a case that with the 1st January 2021 deadline approaching for the end of the Brexit transition period, this urgent power to legislate by decree is necessary.
But before such a broad statutory power is granted to the government there should be anxious scrutiny of the legislature.
Not rushed through in a single parliamentary day.
*
There are many more aspects of this draft bill which need careful examination before passing into law.
And, of course, this draft bill in turn implements a 1400-page agreement – and this is the only real chance that parliament will get to scrutinise that agreement before it takes effect.
You would not know from this draft bill that the supporters of Brexit campaigned on the basis of the United Kingdom parliament ‘taking back control’.
Nothing in this bill shows that the Westminster parliament has ‘taken back control’ from Brussels.
This draft bill instead shows that Whitehall – that is, ministers and their departments – has taken control of imposing on the United Kingdom what it agrees with Brussels.
And presumably that was not what Brexit was supposed to be about.
Wednesday, 30 December 2020
Democratic deficit in scrutinising Brexit Bill
These are the four best speeches in Parliament - two in the House of Commons, two in the Lords - this afternoon, highlighting the 'democratic deficit' in scrutinising the Brexit bill:
House of Commons, 12.59pm
https://hansard.parliament.uk/commons/2020-12-30/debates/9E132CEF-83CA-40BA-B8B4-A7127A968B68/EuropeanUnion(FutureRelationship)Bill
Clive Lewis
(Norwich South) (Lab)
Members of this House have been recalled to vote on legislation of which we were given no sight until yesterday, to implement a trade deal that we have barely seen and had no input into whatsoever. Let us be clear about what is being asked of the House today: to issue a blank cheque to the Government to implement a deal that is devoid of democratic oversight.
Let us also put to bed the idea that today’s vote is about deal versus no deal—that false framing is used to hold the House to ransom. Members are today tasked with the democratic oversight of how a done deal, which we cannot amend, will be implemented. Does the restoration of sovereignty not extend to democratic oversight by elected Members of this House, or is sovereignty to be restored only to the Executive? It is a great irony that Members are allowed less democratic oversight of the deal’s implementation than our friends in the European Parliament, who have until the end of February to scrutinise and ratify the deal.
Change was what the public were promised: more control over lawmaking, more power for people in this country, and less done by bureaucrats behind closed doors. How are those promises fulfilled through less scrutiny, less accountability and less democracy? Where in the Bill is a clause restoring sovereignty to where it should rightfully be—with the people of this country? Change was demanded and more control was promised, yet what we are presented with today is, ironically, more of the same: unaccountability; power concentrated in the hands of a few; and an over-centralised Government evading scrutiny to act in favour of vested interests and to impose decisions from the top down.
With mere hours to debate the Bill, Members are being asked to act as a rubber stamp, and to forgo our obligation and responsibility for democratic oversight. For example, many of the regulatory bodies and mechanisms used to settle disputes between the EU and the UK will be set up without any further scrutiny or oversight by Parliament. Brexit has shone a light on the deep democratic deficits in our arcane political system. Making good on this change demanded a new and codified constitution to give over sovereignty from this place to where it should rightfully lie—with the people of this country. We now urgently need to forge a modern democratic settlement to protect the hard-won rights and freedoms that are at risk of being run over roughshod by this Executive, who we know are champing at the bit to capitulate to the deregulatory demands of turbo-charged capitalism.
I cannot in good conscience support a process that runs roughshod over checks and balances. I will not vote for more centralisation of power or comply with the erosion of an already weak democracy. I will play no part in giving this Government a blank cheque to bulldoze through democratic oversight. I will not be voting in support of this legislation.
1.25pm
Caroline Lucas
(Brighton, Pavilion) (Green) [V]
This hardest of Brexit deals, for which there is no mandate, is one that cuts British jobs, sidelines our services sector, undermines hard-won protections for the environment, workers’ rights and consumers, and turns Kent into a diesel-stained monument to hubris and political myopia. It is a deal that condemns us to live in a poorer, more unequal and more isolated Britain, and it leaves us less equipped to rise to the greatest challenge we face—the nature and climate emergencies. This deal does not have the explicit informed consent of the British people, and I shall vote against it later today.
Some will say that those of us who voted down some less-damaging forms of Brexit must take some responsibility. I can see that argument, but given such a narrow referendum result on the back of the most cynical, toxic and mendacious political campaign ever fought in this country and on an issue of such profound national importance, I believe it was right to campaign for a confirmatory referendum on the terms of any departure.
I want to tackle head-on the ludicrous accusation that to vote against this deal is to support no deal. That is clearly not the case. Whatever the Opposition parties do, sadly, the Government have a majority of 80 and this deal will pass. That is why I do regret the official Opposition’s decision to vote for a deal that they themselves admit will make this country poorer and hit the most vulnerable hardest of all. Now more than ever people deserve principled leadership based on conviction, not party political calculation. While I understand why some would prefer to abstain, abstention is still acquiescence. It is standing aside and allowing something to be passed into law that is harmful for this country.
There are some things so serious and so damaging in which we should not acquiesce. I am not prepared to acquiesce in the infliction of even greater economic hardship on my constituents. At this time of climate and nature emergency, I am not prepared to acquiesce in lower environmental standards and less rigorous enforcement of them. I will not be complicit in the creation of a smaller United Kingdom, with diminished global influence.
I will not turn my back on a project that is imperfect—yes, of course it is; what project of such ambition would not be?—but is based on one of history’s greatest and most noble experiments: bringing nations together to build peace out of the ruins of war. Now more than ever, in a world racked by insecurity and division, we should be cementing relationships with countries that share our values, not deliberately and knowingly cutting our ties with them.
I will not abandon what I believe, and I believe that leaving the EU is a profound mistake. Ironically, and too late, a majority of people in this country now agree. Voting against this deal is how we keep alive the belief in something better, and that is what I will do today.
https://hansard.parliament.uk/lords/2020-12-30/debates/1A699CA6-A2A3-43FF-89C2-6D6BAE2EFDB1/EuropeanUnion(FutureRelationship)Bill
House of Lords, 3.53pm
Baroness Taylor of Bolton
(Lab) [V]
My Lords, I speak as chair of the Constitution Committee and I say at the outset that this Bill elevates to a new level our concern about the way the Government present legislation to Parliament. The Bill fails all the tests for achieving good-quality legislation. It is long and complex and gives significant new powers to the Executive. We have not had anywhere near enough time to scrutinise the Bill as we would wish, and in any other circumstances the Constitution Committee would issue a detailed, thorough and critical appraisal of it. However, the committee did meet yesterday, and we published our immediate response. We acknowledged that the fast-tracking of the Bill is now necessary, but only because of the Government’s own actions ahead of the cliff edge of 31 December.
On the substance of the Bill, we noted that a prominent argument for the UK leaving the EU was to take back control of our laws—for laws to be determined by the UK Parliament, rather than the EU’s lawmaking bodies. Asserting the sovereignty of the UK Parliament was considered of such importance that it was included in the European Union (Withdrawal Agreement) Act 2020. It is regrettable that the Bill, which determines how the UK’s future relationship with the EU will be implemented into UK law, was published less than 24 hours before parliamentary scrutiny was due to begin. This does not allow Parliament much by way of control. This is the core of our concern. If, as the Government say, powers are coming back from the EU, where do those powers go? Are the Executive taking all these to themselves? What does this mean for the relationship between Parliament and the Government? Can this House fulfil its constitutional responsibilities?
In the Explanatory Notes, the Government say:
“The Bill is not suitable for post legislative scrutiny”.
We very much disagree, because the content of the trade and co-operation agreement cannot be amended by Parliament, but the mechanisms used by the Bill to rewrite UK domestic law to implement this have significant and potentially long-lasting implications, particularly for the role of Parliament and for the devolved arrangements. The Constitution Committee therefore recommends that the House consider how best to conduct post-legislative scrutiny as soon as possible. We believe that the quality of such scrutiny will be an early and substantial test of whether or not Parliament possesses a significant tranche of returned powers. As the noble and learned Lord, Lord Judge, said, this is what increased parliamentary sovereignty requires.
3.57pm
Lord Purvis of Tweed
(LD)
My Lords, I was wondering last night what a cynical Government would do if they knew they could get only a poor deal because they had limited their own hand so much in negotiations. Leave it to the last minute? Issue inaccurate and misleading press statements when it was made? Allow only for minute scrutiny? Seek to prevent any post-legislative scrutiny and refuse to publish an impact assessment, perhaps? But, as others do, I love my country and it was a rather heartbreaking exercise, over the last few days, to read, side by side, the Conservative Government’s draft negotiating document for a free trade agreement, published on 19 May, and the final agreement. In almost every single area, from the betrayal of fishermen and Gibraltarians through to the vast new burdens on our businesses, the consistency and scale of the poor negotiating was laid bare in cold text.
The independent UK Trade Policy Observatory assessment stated:
“Even with the free trade agreement (FTA) announced on Christmas Eve, Brexit increases UK-EU trade costs, reduces trade between them, and requires resources for form-filling, queuing, etc. These in turn, lead to changes in consumption which reduce UK residents’ welfare.”
It goes on to a sobering conclusion:
“Exports of value added will fall by nearly 5.5% relative to a pre-Brexit scenario and GDP by 4.4%.”
My noble friends Lord Fox and Lady Kramer will outline this in more detail. The refusal yesterday of the noble Lord, Lord True, to commit to publishing an impact assessment, in direct contradiction to a letter he sent me in May, is likely to be seen more cynically by those communities and sectors that will be impacted most.
The punishing absence of services was expected, as the UK’s “red line” on securing services continuity turned to pink and then to a white flag ages ago. We knew some of the details of this already. The noble Lord, Lord Grimstone, was appointed Trade Minister from being chair of one of the UK’s biggest banks, and when he moved Barclays’ European headquarters and almost €200 billion in assets from London to Dublin last year, he said:
“We believe this will give us a competitive advantage”.
Those of us warning of the damage of this course were told, first, that we were scaremongering and then that we were sore losers, but I looked at the Leave.EU website archive and in the questions and answers it said this to the question of what impact leaving the EU would have on trade:
“The remaining EU member states will seek a trade agreement assuring the same level of free exchange of goods, services and capital as is the case today.”
They did not, and this promise was made in falsehood and fully realised in its egregious breach. However, the lies, tangled webs of deception and parliamentary obfuscations are nearly over, and we will have to deal with the consequences.
Liberal forebears joined together to ensure the widest benefit of free, fair and open trade well over a century ago. We fought relentlessly against Conservative protectionism at the turn of the last century. We split from the Conservative and National Government over their imposition of tariffs all round. Now, a century on, we need to try to militate against the worst elements of this poor agreement. We will have to be in the vanguard of supporting women entrepreneurs in the service sector to tackle the new barriers, helping our businesses export against the new burdens and supporting those wishing to seek advantage not by moving out of the UK but by staying in it and working with others to reconnect with Europe. I never thought we would need to rejoin this fight, but we do—we must, and we will with vigour.
Sunday, 27 December 2020
Nuclear trickery in Brexit deal
The Brexit trade agreement between the UK and EU of 24 December 2020 contains over 1200 pages, including annexes. (https://www.gov.uk/government/publications/agreements-reached-between-the-united-kingdom-of-great-britain-and-northern-ireland-and-the-european-union)
It includes an 18-page section on nuclear co-operation (https://ec.europa.eu/info/sites/info/files/draft_eu-uk_civil_nuclear_agreement.pdf), which is strong on outlining the importance of nuclear safeguards, peaceful uses of nuclear materials and regulatory oversight.
Below I have extracted the key sections dealing with nuclear materials. They contain a surprising provision at the end that would render the atomic agreement invalid. Read on…
It opens with a Preamble:
OBSERVING that the United Kingdom and all Member States of the Community are parties to the Treaty on the Non‐Proliferation of Nuclear Weapons, done at Washington, London and Moscow on 1 July 1968 and which entered into force generally on 5 March 1970, (the “NPT”);
REAFFIRMING the commitment of the Parties to ensuring that the international development and use of nuclear energy for peaceful purposes shall further the objective of the non‐proliferation of nuclear weapons;
REAFFIRMING the support of the Parties for the objectives of the NPT and their desire to promote universal adherence to the NPT;
RECALLING the strong commitment of the United Kingdom, the Community and its Member States to nuclear non‐proliferation, including the strengthening and efficient application of the related safeguards and export control regimes under which cooperation in the peaceful uses of nuclear energy between the United Kingdom and the Community is carried out;
RECOGNISING that the United Kingdom, as a nuclear‐weapon State under the NPT, has voluntarily entered into the Agreement between the United Kingdom of Great Britain and Northern Ireland and the International Atomic Energy Agency for the Application of Safeguards in the United Kingdom of Great Britain and Northern Ireland in Connection with the Treaty on the Non‐Proliferation of Nuclear Weapons and the Protocol Additional to that Agreement both done at Vienna on 7 June 2018 (hereinafter collectively referred to as the “United Kingdom‐IAEA Safeguards Agreement”);
NOTING that nuclear safeguards are applied in all Member States of the Community pursuant to both the Treaty establishing the European Atomic Energy Community (the “Euratom Treaty") and the safeguards agreements concluded between the Community, its Member States and the IAEA;
NOTING that the United Kingdom and all Member States of the Community participate in the Nuclear Suppliers Group;
REITERATING commitments of the United Kingdom and the Member States of the Community to their bilateral agreements in the peaceful uses of nuclear energy,
HAVE AGREED AS FOLLOWS:
Article 1 Objective
1. The objective of this Agreement is to provide a framework for cooperation between the Parties in the peaceful uses of nuclear energy on the basis of mutual benefit and reciprocity and without prejudice to the respective competences of each Party.
2. Cooperation under this Agreement shall be carried out exclusively for peaceful purposes.
3. The items subject to this Agreement shall only be used for peaceful purposes and shall not be used for any nuclear weapon or nuclear explosive device, nor for research on or development of any nuclear weapon or other nuclear explosive device or for any military purpose.
(i) “peaceful purpose” includes the use of nuclear material, including nuclear material derived by one or more processes, non‐nuclear material, equipment and technology in such fields as electric power and heat generation, medicine, agriculture and industry, but does not include fabrication of, research on, or development of nuclear weapons or other nuclear explosive devices, or any military purpose. A military purpose does not include provision of power for a military base drawn from any power network, or production of radioisotopes to be used for medical purposes in a military hospital;
Article 3 Scope of nuclear cooperation
1. The cooperation in peaceful uses of nuclear energy envisaged between the Parties under this Agreement may include:
(h) nuclear safeguards and physical protection
(k) regulatory aspects of the peaceful uses of nuclear energy;
2. The cooperation in specific areas set out in paragraph 1 may be implemented as necessary through arrangements between a legal entity established in the United Kingdom and a legal entity established in the Community, which the respective competent authority notifies to the other competent authority as being duly authorised to implement such cooperation…
Article 4 Forms of nuclear cooperation
The cooperation described in Article 3 [Scope of nuclear cooperation] may take, but is not limited to, the following forms:
(a) transfer of nuclear material… (b) exchange of information in areas of mutual interest, such as nuclear safeguards…
Article 5 Items subject to this Agreement
(a) nuclear material, non‐nuclear material, equipment or technology, transferred between the Parties or their respective persons, whether directly or through a third party. Such nuclear material, non‐nuclear material, equipment or technology shall become subject to this Agreement upon its entry into the territorial jurisdiction of the receiving Party, provided that the supplier Party has notified the receiving Party in writing of the transfer, and the receiving Party has confirmed in writing that such item is or will be held subject to this Agreement and that the proposed recipient, if other than the receiving Party, is an authorised person under the territorial jurisdiction of the receiving Party;
(b) nuclear material, non‐nuclear material or equipment used in, or produced through the use of, items subject to this Agreement and as may be further determined in the administrative arrangements established pursuant to Article 15 [Administrative arrangements];
(c) nuclear material, non‐nuclear material, equipment or technology, as determined in accordance with the procedures set out in the administrative arrangements established pursuant to Article 15 [Administrative arrangements] as being subject to this Agreement following the entry into force of this Agreement;
3. Items to which this Agreement applies as referred to in paragraph 1 shall remain subject to the provisions of this Agreement until it has been determined, in accordance with the procedures set out in the administrative arrangements established pursuant to Article 15 [Administrative arrangements], that:
(b) in respect of nuclear material, such nuclear material is no longer usable for any nuclear activity relevant from the point of view of safeguards referred to in Article 6(1) [Safeguards] or has become practicably irrecoverable; for the purpose of determining when nuclear material subject to this Agreement is no longer usable or is no longer practicably recoverable for processing into a form in which it is usable for any nuclear activity relevant from the point of view of safeguards, both Parties shall accept a determination made by the IAEA in accordance with the provisions for the termination of safeguards of the relevant safeguards agreement to which the IAEA is a party;
Article 6 Safeguards
1. Nuclear material subject to this Agreement shall be subject to the following conditions:
(a) in the Community, to the Euratom safeguards pursuant to the Euratom Treaty and to the IAEA safeguards pursuant to the following safeguards agreements, as they may be revised and replaced, and in accordance with the NPT:
(i) the Agreement between the Community's non‐nuclear weapon Member States, the European Atomic Energy Community and the International Atomic Energy Agency, done at Brussels on 5 April 1973 and which entered into force on 21 February 1977 (IAEA INFCIRC/193) and the Agreement between France, the European Atomic Energy Community and the International Atomic Energy Agency, done in July 1978 and which entered into force on 12 September 1981 (IAEA INFCIRC/290); and
(ii) the Additional Protocols IAEA INFCIRC/193/Add.8, and IAEA INFCIRC/290/Add.1 signed in Vienna on 22 September 1998 and which entered into force on 30 April 2004 on the basis of the IAEA INFCIRC/540 (corrected) (Strengthened Safeguards System, Part II);
(b) in the United Kingdom:
(i) to the domestic safeguards system as implemented by the national competent authority; and
(ii) to the IAEA safeguards pursuant to the United Kingdom‐IAEA Safeguards Agreement.
The key thing to understand is what action is permitted under INFCIRC/263.
Importantly, this Tripartite Agreement states at Article 14:
EXCLUSIONS ON GROUNDS OF NATIONAL SECURITY
“If the United Kingdom intends to make any withdrawals of nuclear material from the scope of this Agreement for national security reasons in accordance with Article l(c), it shall give the Community and the Agency advance notice of such withdrawal. If any nuclear material becomes available for inclusion within the scope of this Agreement because its exclusion for national security reasons is no longer required, the United Kingdom shall inform the Community and the Agency thereof in accordance with Article 62(c).”
(https://www.iaea.org/sites/default/files/publications/documents/infcircs/1978/infcirc263.pdf)
Nor was this provision a dormant article that the UK never applied: the UK Government has stated in official disclosures that it has requested the removal of nuclear materials from safeguards on more than 600 occasions since 14 August 1978, when the UK “voluntary” safeguards agreement entered into force. (http://www.onr.org.uk/safeguards/index.htm; http://www.onr.org.uk/safeguards/withdrawals.htm)
Thus the new nuclear agreement between the UK and the EU allows the militarisation of the entire 140,000 kilogramme stockpile of plutonium in store at Sellafield. A nuclear warhead may be made with 5 kilogrammes.
2. In the event of the application of any of the agreements with the IAEA referred to in paragraph 1 being suspended or terminated for any reason within the Community or the United Kingdom, the relevant Party shall, without delay, enter into an agreement with the IAEA which provides for effectiveness and coverage equivalent to that provided for by the relevant safeguards agreements referred to in point (a) or (b) of paragraph 1, or, if that is not possible:
(a) the Community, as far as it is concerned, shall apply safeguards based on the Euratom safeguards system, which provides for effectiveness and coverage equivalent to that provided by the safeguards agreements referred to in point (a) of paragraph 1 and the United Kingdom, as far it is concerned, shall apply safeguards which provide for effectiveness and coverage equivalent to that provided by the safeguards agreement referred to in point (b) of paragraph 1;
(b) or, if that is not possible, the Parties shall enter into arrangements for the application of safeguards, which provide for effectiveness and coverage equivalent to that provided by the safeguards agreements referred to in point (a) or (b) of paragraph 1.
3. Both Parties agree to implement within their respective jurisdictions a robust and effective system of nuclear material accountancy and control aiming to ensure that nuclear material subject to this Agreement is not diverted from its peaceful use. Supervision, including inspections in the installations holding nuclear material subject to this Agreement, shall be carried out in such a way that the respective competent authorities can draw independent conclusions and, when necessary, require appropriate corrective actions and monitor such actions.
Article 9 Transfers, retransfers and facilitation of trade
1. Any transfer of nuclear material, non‐nuclear material, equipment or technology carried out pursuant to the cooperation activities under this Agreement shall be made in accordance with the relevant international commitments of the Community, the Member States of the Community, and the United Kingdom in relation to peaceful uses of nuclear energy as listed in Articles 6 [Safeguards] and 7 [Physical protection] and in relation to the commitments undertaken by individual Member States of the Community and the United Kingdom within the Nuclear Suppliers Group, as set out in the Guidelines for Nuclear Transfers.
2. The Parties shall facilitate trade in items subject to this Agreement between themselves or between persons established in the respective territories of the Parties in the mutual interest of producers, the nuclear fuel cycle industry, utilities and consumers.
3. The Parties shall, to such extent as is practicable, assist each other in the procurement, by either Party or by persons within the Community or under the jurisdiction of the United Kingdom, of nuclear material..
4. The continuation of the cooperation envisaged in this Agreement shall be contingent upon the mutually satisfactory application of the system for safeguards and control established by the Community in accordance with the Euratom Treaty and of the system for safeguards and control established by the United Kingdom.
6. Transfers of nuclear material, non‐nuclear material, equipment or technology and appropriate services shall be carried out under fair commercial conditions. The implementation of this paragraph shall be without prejudice to the Euratom Treaty and its derived legislation, and to the laws and regulations of the United Kingdom.
7. Any retransfers of nuclear material.. subject to this Agreement outside the jurisdiction of the Parties shall only be made in the framework of the commitments undertaken by individual Member States of the Community and the United Kingdom within the Nuclear Suppliers Group. In particular, the Guidelines for Nuclear Transfers shall apply to retransfers of any items subject to this Agreement.
8. Written notifications in respect of transfers of items subject to this Agreement and retransfers of non‐nuclear material, equipment and technology subject to this Agreement shall be exchanged in accordance with the procedures set out in the administrative arrangements established pursuant to Article 15 [Administrative arrangements].
10. When the Guidelines for Nuclear Transfers require the consent of the supplier Party, nuclear material subject to this Agreement shall not be transferred beyond the territorial jurisdiction of the receiving Party without the prior written consent of the supplier Party, except in accordance with paragraph 11.
11. Upon entry into force of this Agreement, the Parties shall exchange lists of countries to which retransfers of nuclear material, non‐nuclear material, equipment and technology by the other Party pursuant to paragraphs 9 and 10 of this Article are authorised. Each Party shall notify the other Party
of changes to any of its lists of countries according to the procedures defined in the administrative
arrangements established pursuant to Article 15 [Administrative arrangements].
12. Where the United Kingdom or a Member State of the Community transfers technology subject
to this Agreement to a Member State that falls under the exception provided for in Article 5(4) [Items
subject to this Agreement], paragraphs 7 and 9 of this Article apply. The practical modalities for the implementation of this paragraph shall be defined in the framework of the administrative
arrangements established pursuant to Article 15 [Administrative arrangements].
Article 15 Administrative arrangements
1. The Parties, through their respective competent authorities, shall establish administrative
arrangements to implement this Agreement effectively. Such arrangements shall include the
procedures necessary for the competent authorities to implement and administer this Agreement.
2. Administrative arrangements established pursuant to this Article may be amended as
mutually determined in writing by the competent authorities.
3. Administrative arrangements may provide for the exchange of inventory lists in respect of the
items subject to this Agreement.
4. Administrative arrangements may set out the mechanisms for consultations between the
competent authorities.
5. The accounting of nuclear material and non‐nuclear material subject to this Agreement shall
be based on fungibility and the principles of proportionality and equivalence of nuclear material …
as set out in the administrative arrangements established pursuant to this Article.
Article 17 Applicable law
1. The cooperation provided for in this Agreement shall be in accordance with the respective
laws and regulations in force in the United Kingdom and within the Union and the Community as well
as with the international agreements entered into by the Parties, without prejudice to Article 18
[Existing agreements]. In the case of the Community, the applicable law includes the Euratom Treaty
and its secondary legislation.
Article 19 Joint Committee
1. A joint committee is hereby established by the Parties.
2. The composition of and procedures relating to the Joint Committee shall be set out in the
administrative arrangements established pursuant to Article 15 [Administrative arrangements].
3. The Joint Committee shall meet regularly, and at the request of either Party’s competent
authority, to supervise the implementation of this Agreement.
4. The functions of the Joint Committee shall include, but are not limited to, the following:
(a) exchanging information, discussing best practices, sharing implementation experience;
(b) establishing and coordinating working groups acting within the scope of this Agreement;
(c) identifying, discussing and consulting on technical issues;
(d) adopting recommendations for joint decisions to be made by the Parties when provided for
in this Agreement, including for joint decisions to amend this Agreement;
(e) acting as a forum for consultation, including in respect of dispute settlement;
(f) coordinating action for cooperation in non‐power uses of nuclear energy, in particular, in
order to minimise the risks of shortage of supply of medical radioisotopes, and to support the
development of novel technologies and treatments involving radioisotopes, in the interest of public
health; and
(g) acting as a technical forum for any other matters in respect of this Agreement.
Article 20 Consultation
At the request of either Party, representatives of the Parties shall meet when necessary to consult
with each other in the framework of the Joint Committee on matters arising out of the application of
this Agreement, to supervise its operation and to discuss arrangements for cooperation in addition to
those provided for in this Agreement. Such consultations may also take the form of an exchange of
correspondence.
Article 21 Settlement of disputes
1. The Parties shall promptly discuss in the Joint Committee any dispute between them
concerning the application, interpretation or implementation of this Agreement with a view to
resolving the dispute by negotiation. Any such discussion or negotiation may take the form of an
exchange of correspondence.
2. Any such dispute which is not settled by negotiation and mandatory consultations in the
framework of the Joint Committee shall, on the request of either Party, be submitted to an arbitral
tribunal which shall be composed of three arbitrators. Each Party shall designate one arbitrator and
the two arbitrators so designated shall elect a third, not a national of either Party, who shall be the
chairperson.
3. If within 30 days of the request for arbitration either Party has not designated an arbitrator,
the other Party to the dispute may request the President of the International Court of Justice to
appoint an arbitrator to the Party which has not designated an arbitrator. If within 30 days of the
designation or appointment of arbitrators for both the Parties the third arbitrator has not been
elected, either Party may request the President of the International Court of Justice to appoint the
third arbitrator.
4. A majority of the members of the arbitral tribunal shall constitute a quorum, and all decisions
shall be made by majority vote of all the members of the arbitral tribunal. The arbitral procedure shall
be established by the tribunal. The decisions of the tribunal shall be binding on both Parties and
implemented by them. The remuneration of the arbitrators shall be determined on the same basis as
that for ad hoc judges of the International Court of Justice. Any arbitral decision or award shall be
executed in compliance with all applicable legislation of the Parties and international law.
Article 22 Cessation of cooperation in case of serious breach
1. In the event that:
(a) either Party or any Member State of the Community is in serious breach of any of the material
obligations under Articles 1 [Objective], 5 [Items subject to this Agreement], 6 [Safeguards], 7 [Physical
protection], 9 [Transfers, retransfers and facilitation of trade], 10 [Enrichment], 11 [Reprocessing] or
15 [Administrative arrangements], or any other obligations under this Agreement as may be mutually
determined by the Parties in writing after consultations in the Joint Committee; or
(b) in particular, a non‐nuclear weapon Member State of the Community detonates a nuclear
explosive device, or a nuclear weapon Member State of the Community or the United Kingdom
detonates a nuclear explosive device using any item subject to this Agreement,
the other Party may, on giving written notification to that effect, suspend or terminate in whole or in
part the cooperation under this Agreement. In its notification, the Party shall identify the measures
which it considers to constitute a serious breach of obligations under this Agreement, specify the
provisions it intends to suspend or terminate and the date from which it intends to apply the
suspension or termination.
2. Before either Party takes action to that effect, the Parties shall consult in the framework of
the Joint Committee with a view to reaching an amicable resolution including a decision on whether
corrective or other measures are needed, and if so, the measures to be taken and the time‐scale within
which such measures shall be taken.
3. Suspension or termination pursuant to paragraph 1 shall be taken only if there has been a
failure to implement the corrective or other measures within the time determined by the Joint
Committee or, in the event of failure to find an amicable solution, within a reasonable period of time
but without delay.
4. A suspension shall cease to apply when the suspending Party is satisfied that the other Party
is complying with its obligations under this Agreement, whether of its own accord or as a result of a
decision of an arbitral tribunal.
5. In the event of suspension or termination of this Agreement, the supplier Party shall have the
right to require the return of items subject to this Agreement.
Article 24 Entry into force and duration
1. This Agreement shall enter into force on the first day of the month following that in which
both Parties have notified each other that they have completed their respective internal requirements
and procedures for establishing their consent to be bound.
2. This Agreement shall remain in force for an initial period of 30 years. Thereafter, this
Agreement shall be automatically renewed for additional periods of ten years, unless, at least six
months before the expiration of the initial 30‐year period or of any such additional ten‐year period, a
Party notifies the other Party by an exchange of diplomatic notes of its intention to terminate the
Agreement.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Guidance
Nuclear Cooperation Agreements: implementation guidelines for operators from 2021
https://www.gov.uk/government/publications/nuclear-cooperation-agreements-implementation-guidelines-for-operators
Technical guidance for nuclear operators on reporting requirements related to Nuclear Cooperation Agreements from 1 January 2021.
Published 27 June 2019
Last updated 24 December 2020
From:
Department for Business, Energy & Industrial Strategy and Office for Nuclear Regulation
Documents
Nuclear cooperation agreements between the United Kingdom and international partners: implementation guidelines for nuclear operators
PDF, 348KB, 21 pages
UK-Euratom nuclear cooperation agreement - notice
HTML
Details
The UK and the European Atomic Energy Community (Euratom) have agreed a Nuclear Cooperation Agreement (NCA). This guidance is in the process of being updated.
This joint BEIS / ONR guidance covers future reporting requirements for operators. These reporting requirements will allow the UK to comply with Nuclear Cooperation Agreements and other obligations arising from international trade following the UK’s withdrawal from the European Atomic Energy Community (Euratom).
The guidance covers a number of areas, including:
• BEIS and ONR’s expectations on operators relating to relevant provisions of the Nuclear Safeguards (EU Exit) Regulations 2019
• export licensing requirements
It will take effect from 1 January 2021.
The Nuclear Safeguards (EU Exit) Regulations 2019
https://www.legislation.gov.uk/uksi/2019/196/contents/made
• UK Statutory Instrument 2019 No. 196
• Table of contents
PART 1 Introduction
1. Citation and commencement
2. Interpretation
PART 2 Accountancy and control, records and the provision of information by an operator
3. Declaration of basic technical characteristics
4. Programme of activities
5. Particular safeguard provisions
6. Accountancy and control of qualifying nuclear material
7. Accountancy and control plan
8. Replacement, amendment and revocation of accountancy and control plan
9. Operation of an accountancy and control plan
10. Operating records
11. Accounting records
12. Accounting reports
13. Initial book inventory
14. Inventory change report
15. Material balance report and physical inventory listing
16. Special report
17. Unusual occurrences
18. Reporting of nuclear transformations
19. Additional reporting obligations arising from relevant international agreements and from obligations resulting from international trade
20. Weight units and categories of qualifying nuclear materials
PART 3 Exports and imports
21. Exports
22. Imports
23. Loss or delay during transfer
24. Communication of change of date
PART 4 Carriers and temporary storage agents
25. Carriers and temporary storage agents
26. Intermediaries
PART 5 Ores
27. Accounting records for ores
28. Ore shipment and export reports
PART 6 Qualifying nuclear material in the form of conditioned and retained waste
29. Stock list and accounting records for conditioned and retained waste
30. Transfers of conditioned waste
PART 7 Qualifying nuclear facility with limited operation and exemption
31. Declaration of basic technical characteristics, stock list and accounting records for qualifying nuclear facility with limited operation
32. Exemption
PART 8 Civil activities
33. Withdrawal from civil activities
34. Qualifying nuclear facilities which are used partly for civil activities
PART 9 Communication
35. Communication with the ONR
PART 10 Safeguards equipment
36. Safeguards equipment
37. Access to safeguards equipment
38. Interference with safeguards equipment
PART 11 The ONR
39. Inspections by the ONR
40. Publication of information by the ONR
41. ONR to provide an annual report to the Secretary of State
42. Provision of information to the Agency
PART 12 Offences
43. Offences
PART 13 Notification to the Secretary of State
44. The Secretary of State may issue written advice
45. Notification of receipt, production and transfer
46. Form of notification
47. Notification of change
48. Continued application
49. Interpretation
PART 14 General
50. Extent
51. General consequential and supplementary amendments: Part 1 of Schedule 3
52. General consequential amendments: Part 2 of Schedule 3
53. Transitional provisions
54. Review
Signature
SCHEDULE 1
SCHEDULE 2 The Components of an Accountancy and Control System
SCHEDULE 3 Consequential and supplementary amendments for Nuclear Safeguards Act 2000 and related legislation
SCHEDULE 4 Transitional provisions
Explanatory Note
Thursday, 24 December 2020
Boris Johnson: dissembler-in-chief on EU, as ever
In his evidence to the Scott Inquiry into arms exports to Iraq in the early 1990s, former Ministry of Defence senior civil servant Ian McDonald answered one question with the following epigrammatic observation: “Truth is a difficult concept.” (6 October 1993)
This certainly applies to Boris Johnson’s long and tortuous failed relationship to facts.
Hence, in his Christmas Eve 2020 Downing Street press conference to welcome the trade and security agreement reached between the UK and the European Union following Brexit, he asserted that the European Court of Justice would have no further jurisdiction in the UK. This is untrue; and the prime minister must have known it was untrue when he uttered it. Does he care that he dissembles before the nation and an interested international audience?
In the Institute for Government’s briefing on the Northern Ireland Protocol it states:
The UK and EU will first try to resolve disputes via the joint committee where they will try to agree a solution.
If the committee cannot agree, then either the EU or the UK can request an arbitration panel. The EU and the UK will each nominate two members to the panel and agree a chair. If a party does not comply with a ruling, then it can impose a financial penalty. Moreover, parts of the agreement could also be suspended (except the part relating to citizens’ rights), although this should be temporary.
If a dispute relates to the interpretation of EU law, or whether the UK has complied with European Court of Justice (ECJ) judgements made before the end of transition, then the ECJ will have jurisdiction. This ruling will be binding on the arbitration panel.
The IfG comments: “This will be challenging both politically and legally to implement, principally down to the role of parliamentary sovereignty in the UK.”
(https://www.instituteforgovernment.org.uk/explainers/brexit-deal-withdrawal-agreement)
Article 12 of the NI Protocol, dated 17 October 2019, reads in full:
Article 12
Implementation, application, supervision and enforcement
1. Without prejudice to paragraph 4, the authorities of the United Kingdom shall be responsible for implementing and applying the provisions of Union law made applicable by this Protocol to and in the United Kingdom in respect of Northern Ireland.
2. Without prejudice to paragraph 4 of this Article, Union representatives shall have the right to be present during any activities of the authorities of the United Kingdom related to the implementation and application of provisions of Union law made applicable by this Protocol, as well as activities related to the implementation and application of Article 5, and the United Kingdom shall provide, upon request, all relevant information relating to such activities. The United Kingdom shall facilitate such presence of Union representatives and shall provide them with the information requested. Where the Union representative requests the authorities of the United Kingdom to carry out control measures in individual cases for duly stated reasons, the authorities of the United Kingdom shall carry out those control measures.
The Union and the United Kingdom shall exchange information on the application of Article 5 (1) and (2) on a monthly basis.
3. The practical working arrangements relating to the exercise of the rights of Union representatives referred to in paragraph 2 shall be determined by the Joint Committee, upon proposal from the Specialised Committee.
4. As regards the second subparagraph of paragraph 2 of this Article, Article 5 and Articles 7 to 10, the institutions, bodies, offices, and agencies of the Union shall in relation to the United Kingdom and natural and legal persons residing or established in the territory of the United Kingdom have the powers conferred upon them by Union law. In particular, the Court of Justice of the European Union shall have the jurisdiction provided for in the Treaties in this respect. The second and third paragraphs of Article 267 TFEU shall apply to and in the United Kingdom in this respect.
5. Acts of the institutions, bodies, offices, and agencies of the Union adopted in accordance with paragraph 4 shall produce in respect of and in the United Kingdom the same legal effects as those which they produce within the Union and its Member States.
6. When representing or assisting a party in relation to administrative procedures arising from the exercise of the powers of the institutions, bodies, offices, and agencies of the Union referred to in paragraph 4, lawyers authorised to practise before the courts or tribunals of the United Kingdom shall in every respect be treated as lawyers authorised to practise before courts or tribunals of Member States who represent or assist a party in relation to such administrative procedures.
7. In cases brought before the Court of Justice of the European Union pursuant to paragraph 4:
(a) the United Kingdom may participate in the proceedings before the Court of Justice of the European Union in the same way as a Member State; (EMPHASIS ADDED)
(b) lawyers authorised to practise before the courts or tribunals of the United Kingdom may represent or assist a party before the Court of Justice of the European Union in such proceedings and shall in every respect be treated as lawyers authorised to practise before courts or tribunals of Member States representing or assisting a party before the Court of Justice of the European Union.
(https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/840230/Revised_Protocol_to_the_Withdrawal_Agreement.pdf)
Wednesday, 23 December 2020
Torygraph confusion
Two letters sent to the Daily Telegraph this week:
Your leader “Nuclear failings” (Daily Telegraph, 15 December 2020) suffers from several errors of its own.
Firstly it wrongly asserts the new proposed giant nuclear power plants at Sizewell C and Bradwell B “will each produce seven per cent of the UK’s energy.” They would not, as you conflate energy with electricity.
Electricity is only one form of UK energy alongside fossil fuels such as gas and oil. These big plants would only provide much less than 1 percent of energy demand.
Secondly, you erroneously write about “non-carbon energy generation” when discussing these nuclear plants. Moreover, energy cannot be generated, only converted from one source (eg solar, wind, or uranium).
Also, nuclear power is not non-carbon or carbon-free, as Rachael Millward wrote a day earlier (“Will nuclear be the winner in Britain’s race to go net zero?” Business, December 14).
Recent analysis published by Mark Jacobson, professor of civil and environmental engineering at Stanford University, California, eg the detailed study “Review of solutions to global warming, air pollution, and energy security” (https://web.stanford.edu/group/efmh/jacobson/Articles/I/ReviewSolGW09.pdf), demonstrates that nuclear power's CO2 emissions are between 10 and 18 times greater than those from renewable energy technologies.
Nuclear power will not provide any useful dent in curbing harmful emissions when the carbon footprint of its full uranium ‘fuel chain’ is considered, from uranium mining, milling, enrichment (which is highly energy intensive), fuel fabrication, irradiation, radioactive waste conditioning, storage and packaging to final disposal.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.
Iain Duncan Smith MP is right to point out that “scientists learnt about this (virus) mutation back in September.” (“It is vital that the House of Commons scrutinises these harsh restrictions,” 21 December 2020)
Yet Boris Johnson told his Downing Street press conference on December 19th: ”Yesterday afternoon, I was briefed on the latest data showing the virus spreading more rapidly... It appears this spread is now being driven by the new variant of the virus, which we first learned about earlier this week...Given the early evidence we have on this new variant of the virus..it is with a heavy heart that I must tell you we cannot continue with Christmas as planned.”
But was the Prime Minister being fast-and-loose with the truth on when and what the Government knew about the mutant virus? The evidence - from an academic paper published in early December, which must have been drawn to the attention of ministers – is yes.
Titled “Preliminary genomic characterisation of an emergent SARS-CoV-2 lineage in the UK defined by a novel set of spike mutations” (written by Andrew Rambaut and 9 others, https://virological.org/t/preliminary-genomic-characterisation-of-an-emergent-sars-cov-2-lineage-in-the-uk-defined-by-a-novel-set-of-spike-mutations/563),
it reported:
“Recently a distinct phylogenetic cluster (named lineage B.1.1.7) was detected within the COG-UK surveillance dataset.….The two earliest sampled genomes that belong to the B.1.1.7 lineage were collected on 20-Sept-2020 in Kent and another on 21-Sept-2020 from Greater London. ..infections have continued to be detected in the UK through early December 2020.”
Boris Johnson said the Cabinet was informed on Friday of the implications of the viral mutation; Matt Hancock had said four days earlier that he had only just heard of the mutation.
This paper suggests they are both dissembling. The outstanding question is why did they stay silent, and not change policy much earlier, when the facts had changed?
Tuesday, 22 December 2020
Sizewell C documentation secrecy just a continuation of lack of transparency by the nuclear industry
Between 18 November and 18 December 2020, NNB Generation Company (SZC Co.) carried out a public consultation on the proposed changes (dated 23 October 2020) for an Order Granting Development Consent for The Sizewell C Project.
The document launching this supplementary consultation noted: “In January 2021, SZC Co. will submit a formal application to change the Sizewell C DCO application, as well as some Additional Information (i.e. information that has been developed in response to continuing engagement with stakeholders and which adds to the detail available within the application (but does not change it)).”
One of the supplemental documents submitted by SZC Co. was on “Main Development Site Flood Risk Assessment,” a not inconsequential matter in the context of climate change-induced sea-level rise and greater perturbations in extreme weather (storms, increased rainfall etc) over the time period SZC would operate, if ever built.
(https://infrastructure.planninginspectorate.gov.uk/wp-content/ipc/uploads/projects/EN010012/EN010012-001715-SZC_Bk5_5.2_Appx1_7_MDS_Flood_Risk_Assessment_Part_1_of_14.pdf)
The new mini-consultation letter then added under the headline Information Redacted or Marked as Confidential, the following:
“The Procedural Decision requested clarification on the reasons for redactions and confidential marking on a number of the application documents. A summary of reasons is provided in Table 2.
SZC observes in these reasons for redaction that “comprehension of the report is not affected by this redaction.”
The Planning Inspectorate was not convinced by this assertion, and responded in a rejoinder letter on 22 December stating it was dissatisfied with “the extent and nature of the commercially sensitive aspect of these documents” and pointedly asked “why this could not be redacted without rendering them incomprehensible?”
Here is the full section outlining the Planning Inspectorate’s disquiet with SZC Co’s secrecy.
Request for further clarification and documents from the Applicant
Confidential documents
“The Applicant’s response letter dated 16 November 2020 [AS-006] to the ExA’s procedural decision [PD-005] sets out at Table 2 a summary of its reasons for redactions and confidential markings. For certain documents [APP-292 to APP-295], the Applicant states that: “As these reports are not required in order for the Examining Authority to examine the application, we therefore request that these reports are withdrawn from the application.” However, the commercial sensitivity of the investigations and data set out in these Environmental Statement (ES) Appendices is not immediately apparent. Furthermore, they comprise part of the ES which was submitted as part of the application and considered as such when the decision [PD-001] to accept the application was made. The Applicant is therefore requested to provide a further explanation in relation to: (i) The extent and nature of the commercially sensitive aspect of these documents and why this could not be redacted without rendering them incomprehensible; (ii) The justification for them not being required in order for the ExA [Examining Authority] to satisfactorily examine the application and to properly assess the basis for the related conclusions and findings in the main parts of the ES.”
It adds:
The additional information that is sought in respect of these confidential documents will assist the ExA to assess the potential implications of that course of action and reach an informed decision on the question of their withdrawal.”
(National Infrastructure Planning, Planning Inspectorate, Document Reference: EN010012, 22 December 2020; https://infrastructure.planninginspectorate.gov.uk/wp-content/ipc/uploads/projects/EN010012/EN010012-002699-Sizewell%20PD4%20-%20Rule%2017%20VE%20Q.pdf)
This is just the latest of a very, very long line of unacceptable secrecy incidents by nuclear power plant operators, and demonstrates that notwithstanding their protestations as to transparency, they remain in fact addicted to secrecy.
Monday, 21 December 2020
Spreading the Truth: how Johnson dissembled (again) over Covid19
In an update on Covid-19 made to MPs in Parliament on 14 December, the Secretary of State for Health and Social Care [for England], Matt Hancock, revealed: “a new development in the virus itself. Over the past few days, thanks to our world-class genomic capability in the UK, we have identified a new variant of coronavirus, which may be associated with the faster spread in the south-east of England. Initial analysis suggests that this variant is growing faster than the existing variants. We have identified over 1,000 cases with this variant, predominantly in the south of England, although cases have been identified in nearly 60 different local authority areas and numbers are increasing rapidly. Similar variants have been identified in other countries over the past few months.
We have notified the World Health Organisation about this new variant, and Public Health England is working hard to continue its expert analysis at Porton Down. I must stress this point: there is currently nothing to suggest that this variant is more likely to cause serious disease, and the latest clinical advice is that it is highly unlikely that the mutation would fail to respond to a vaccine, but it shows that we have to be vigilant and follow the rules, and that everyone needs to take personal responsibility not to spread this virus.”
Two days later, on Wednesday 16 December at noon, Labour Party leader Sir Keir Starmer asked Prime Minister Boris Johnson in the weekly parliamentary sparring session called Prime Minister’s Questions: “
It is now likely that the next big mistake will be over the easing of restrictions over Christmas—and it is not smarmy lawyers saying this. Let me tell the House what the British Medical Journal has said. The British Medical Journal said yesterday:
“we believe the government is about to blunder into another major error that will cost many lives.”
The Prime Minister should listen to that advice, not just ignore it as usual. If he really is going to press ahead with this, can he tell us what assessment has been done of the impact that it will have on infection rates and increased pressure on the NHS? What is the impact?
Johnson blustered in a dismissive reply:
“I wish the right hon. and learned Gentleman had had the guts just to say what he really wants to do, which is to cancel the plans people have made and cancel Christmas. That is really, I think, what he is driving at. He is looking a bit blank; I think that is what he is driving at. But I can tell him that, as of today—just this morning—there is actually, as I say, unanimous agreement across the UK Government and across all the devolved Administrations, including members of all parties, including his own, that we should proceed, in principle, with the existing regulations, because we do not want to criminalise people’s long-made plans. We do think it is absolutely vital that people should at this very, very tricky time exercise a high degree of personal responsibility, especially when they come into contact with elderly people, and avoid contact with elderly people wherever possible. That is how, by being sensible and cautious, not by imposing endless lockdowns or cancelling Christmas, as he would appear to want to do—that is the only implication I can draw from what he has said, unless he wants to announce some other idea—we will continue to work together to keep this virus under control, to defeat it and take the country forward.”
(https://hansard.parliament.uk/commons/2020-12-16/debates/E24005A4-10B2-437F-AAB0-E6B864F23FE5/Engagements)
But a few days later, Johnson executed the latest of his now regular screeching policy U-turns: at 4 pm on Saturday 19 December, from the now famous lectern at 10 Downing Street, flanked by his ubiquitous chief medical officer Professor Chris Whitty, a wan-faced, shaken-looking Johnson began:
“I am sorry to report that the situation has deteriorated since I last spoke to you three days ago.
Yesterday afternoon, I was briefed on the latest data showing the virus spreading more rapidly in London, the South East and the East of England than would be expected given the tough restrictions which are already in place.
I also received an explanation for why the virus is spreading more rapidly in these areas. It appears this spread is now being driven by the new variant of the virus, which we first learned about earlier this week.
Our advisory group on New and Emerging Respiratory Virus Threats – NERVTAG – has spent the last few days analysing the new variant.
There is no evidence the variant causes more severe illness or higher mortality, but it does appear to be passed on significantly more easily.
NERVTAG’s early analysis suggests the new variant could increase R by 0.4 or greater. Although there is considerable uncertainty, it may be up to 70% more transmissible than the old variant.
…I am afraid, look again at Christmas.
As Prime Minister, it is my duty to take the difficult decisions, to do what is right to protect the people of this country.
Given the early evidence we have on this new variant of the virus, and the potential risk it poses, it is with a heavy heart that I must tell you we cannot continue with Christmas as planned.”
(https://www.gov.uk/government/speeches/prime-ministers-statement-on-coronavirus-covid-19-19-december-2020)
But was Johnson once again being fast-and-loose with the truth on when and what the Government knew about the mutant virus? The evidence, from an academic paper which must have been drawn to the attention of ministers, is yes.
The paper, “Preliminary genomic characterisation of an emergent SARS-CoV-2 lineage in the UK defined by a novel set of spike mutations” (written by Andrew Rambaut, Nick Loman, Oliver Pybus, Wendy Barclay, Jeff Barrett, Alessandro Carabelli, Tom Connor, Tom Peacock, David L Robertson and Erik Volz, on behalf of the COVID-19 Genomics Consortium UK (CoG-UK); https://virological.org/t/preliminary-genomic-characterisation-of-an-emergent-sars-cov-2-lineage-in-the-uk-defined-by-a-novel-set-of-spike-mutations/563), reported:
“Recently a distinct phylogenetic cluster (named lineage B.1.1.7) was detected within the COG-UK surveillance dataset. This cluster has been growing rapidly over the past 4 weeks and since been observed in other UK locations, indicating further spread…
The two earliest sampled genomes that belong to the B.1.1.7 lineage were collected on 20-Sept-2020 in Kent and another on 21-Sept-2020 from Greater London. B.1.1.7 infections have continued to be detected in the UK through early December 2020. Genomes belonging to lineage B.1.1.7 form a monophyletic clade that is well supported by a large number of lineage-defining mutations (Figure 1). As of 15th December, there are 1623 genomes in the B.1.1.7 lineage. Of these 519 were sampled in Greater London, 555 in Kent, 545 in other regions of the UK including both Scotland and Wales, and 4 in other countries.”
So, Johnson says the Cabinet was informed on Friday of the implications of the viral mutation; Hancock said the previous Monday, four days earlier, that he had only just heard of the mutation.
This paper suggests they are both dissembling. The outstanding question is: why did they stay silent, and not change policy much earlier, when the facts had changed?
Saturday, 19 December 2020
Laying waste to Cumbria with national nuclear sacrifice area
Letter sent to the Guardian newspaper:
Setting aside the hazard potential from a combination of floating vessels and nuclear power highlighted by Greenpeace, your energy editor’s revealing article on proposals for fleets of seaborne mini-nukes offshore (“Floating 'mini-nukes' could power countries by 2025, says startup”, December 18) does not mention one key risk posed by all nuclear power production options: they generate radioactive waste alongside electricity.
Earlier this month, the body responsible in the UK for finding a solution to the long-term stewardship and/or burial of the UK’s legacy nuclear waste, Radioactive Waste Management Ltd (RWML), quietly issued a short report on potential plans to bury nuclear waste underground in south Cumbria, near Millom (https://copeland.workinginpartnership.org.uk/wp-content/uploads/2020/10/Ghyll-Scaur-Quarry-IER-Report.pdf), following several voluntary offers by local landowners.
Intriguingly, RWML reveals that one option described in the report for a so-called geological disposal facility (GDF), “Ghyll Scaur Quarry and associated coastal plain together with the adjacent inshore area: initial evaluation,” would be to construct an entry facility around two miles from the southwestern boundary of the Lake District national park, and admits there would be “an opportunity for the sub-surface facilities to be located deep beneath the seabed in the inshore area.”
I feel sure this would greatly interest the Irish Government, who have long opposed the leaky activities of Sellafield, just a short distance northwards up the Cumbrian coast.
The report concludes: “Following the completion of initial evaluation work RWM has concluded that there may be potential to host a GDF in all of the areas referred to above, as identified by the Interested Parties.”
But unpromisingly, the report states at Paragraph 6.15: “At this point discussions may remain confidential…though they should be made public at the earliest opportunity if the interested party and RWM decide to move forward.”
It is surely in the wider public interest that all stakeholders in the region, and more widely (as it has national significance), have their say at an early juncture, and that such an important public project does not have its details kept private in a secret shroud.
Friday, 18 December 2020
US atomic citadels hacked-off
Just when you thought 2020 could not possibly get any worse, comes the extraordinary - and alarming - news that foreign hackers have infiltrated the top-level security institutions in the US, including Los Alamos national nuclear laboratory (where nuclear warheads are designed and built), Sandia national nuclear laboratory, the Richland field office at Hanford, where huge stocks of nuclear explosive plutonium are stored, the National Nuclear Security Administration (sic) and the NNSA’s Office for Secure Transportation, that ships nuclear warheads around the country!
And the hack has been going on unreported for 8 months!
"The biggest cybersecurity breach of federal networks in more than two decades." That's how the New York Times describes a massive cyber breach into U.S. public and private networks.
It now appears to have been made possible by more than just a vulnerable update server from the Texas-based network management firm, SolarWinds. That new twist comes from a critical update Thursday from the Homeland Security Department's Cybersecurity and Infrastructure Security Agency that warned "this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations."
Most worrisome: "CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform," CISA announced Thursday, with "Orion" referring to the problematic update server. "It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered." Or, as David Sanger of the Times writes, "That suggests other software, also used by the government, has been infected and used for access by foreign spies." Which means this could all get much messier and much more damaging.
Newly added to the list of known victims: The Energy Department, and the National Nuclear Security Administration, including "networks belonging to the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE," Politico reported Thursday.
Here is how the specialist newsletter DefenseOne reported the revelations overnight, in a piece written by Aaron Boyd.
“SolarWinds Isn't the Only Way Hackers Entered Networks, Cybersecurity and Infrastructure Security Agency (CISA) Says. The agency warned that ejecting attackers from networks will be tough, especially because they can likely read the email of IT and cybersecurity employees.”
https://www.defenseone.com/threats/2020/12/the-d-brief-december-17-2020/170850/
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency.
The Cybersecurity and Infrastructure Security Agency, or CISA, released an alert Thursday through the U.S. Computer Emergency Readiness Team, or US-CERT, detailing what the agency currently knows about the attack. The alert calls out at least one other attack vector beyond SolarWinds products and identifies IT and security personnel as prime targets of the hacking campaign.
“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” officials wrote.
While the alert does not name suspects, officials offered a look into what is known about the attackers’ techniques and motivations.
“The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments,” the alert states. “CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.”
Between the potential depth of the intrusions, additional yet unknown attack vectors and the focus on IT and security personnel’s email, CISA officials warned organizations to maintain extra security around remediation discussions.
“Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures,” the alert states. “An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.”
The alert cites four versions of the SolarWinds Orion software that were found to be compromised. Those vectors have since been stitched shut, denying any new breaches but not remediating any deeper intrusions.
“Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease,” the alert states. “In the case of infections where the attacker has already moved [command and control] past the initial beacon, infection will likely continue notwithstanding this action.”
That last bit is the big worry for federal IT and security managers, as the SolarWinds Orion product was designed to access broad swaths of the network it is installed on. The alert notes the perpetrators were able to leverage their initial access to get more privileged access across agency networks, burrowing in deep before covering their trails.
“Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust [Security Assertion Markup Language] tokens from the environment,” the alert states. “These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces.”
The depth with which the attackers might have penetrated networks, combined with sophisticated masking—or “anti-forensic techniques”—means detection and remediations work will continue for some time.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” officials said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
However, officials have also discovered additional attack vectors beyond Orion products.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said. “CISA will update this alert as new information becomes available.”
The alert offers some details on one other potentially related attack discovered by security researchers at Volexity.
After FireEye published its findings on Dec. 13—the first public acknowledgement of the SolarWinds breaches—Volexity researchers were able to tie that intrusion to ongoing campaigns they had been tracking for years dubbed Dark Halo. Those attacks, using similar tactics, targeted U.S. think tanks as far back as 2019.
“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time,” researchers wrote in a Dec. 14 blog post. “Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication to access the mailbox of a user via the organization’s Outlook Web App service.”
In a statement, a Duo Security spokesperson clarified the “described incidents were not due to any vulnerability in Duo’s products.”
The attackers were able to get past the multifactor authentication security measures after compromising another service, “such as an email server,” they said.
It wasn’t until Dark Halo’s third attempt to access the think tank’s networks in June and July that researchers saw the SolarWinds Orion exploit.
“This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known,” CISA wrote in Thursday’s alert.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” CISA officials wrote. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”
The latest release also does not give any information on who the government believes is behind the attack. While several news outlets have cited anonymous government sources pointing to Russian government group Cozy Bear, also known as APT29, the alert offers no attribution, only a summation of the quality of the attackers’ work.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” the alert states, noting that, “removing the threat actor from compromised environments will be highly complex and challenging.”
The alert also offers a comprehensive list of known infected SolarWinds Orion products and identified indicators of compromise.
This story is developing and will be updated. It has been updated to include comments from Duo Security and correct a grammatical error.
Alert (AA20-352A)
Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations
Original release date: December 17, 2020
Summary
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) version 8 framework. See the ATT&CK for Enterprise version 8 for all referenced threat actor tactics and techniques.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020. This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.
One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products (see Appendix A).
• Orion Platform 2019.4 HF5, version 2019.4.5200.9083
• Orion Platform 2020.2 RC1, version 2020.2.100.12219
• Orion Platform 2020.2 RC2, version 2020.2.5200.12394
• Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Note: CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.
On December 13, 2020, CISA released Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, ordering federal civilian executive branch departments and agencies to disconnect affected devices. Note: this Activity Alert does not supersede the requirements of Emergency Directive 21-01 (ED-21-01) and does not represent formal guidance to federal agencies under ED 21-01.
CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations. CISA advises stakeholders to read this Alert and review the enclosed indicators (see Appendix B).
Key Takeaways
• This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
• The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
• Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
• Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
Technical Details
Overview
CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available.
Initial Infection Vectors [TA0001]
CISA is investigating incidents that exhibit adversary TTPs consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA).[1] Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.
SolarWinds Orion Supply Chain Compromise
SolarWinds Orion is an enterprise network management software suite that includes performance and application monitoring and network configuration management along with several different types of analyzing tools. SolarWinds Orion is used to monitor and manage on-premise and hosted infrastructures. To provide SolarWinds Orion with the necessary visibility into this diverse set of technologies, it is common for network administrators to configure SolarWinds Orion with pervasive privileges, making it a valuable target for adversary activity.
The threat actor has been observed leveraging a software supply chain compromise of SolarWinds Orion products[2] (see Appendix A). The adversary added a malicious version of the binary solarwinds.orion.core.businesslayer.dll into the SolarWinds software lifecycle, which was then signed by the legitimate SolarWinds code signing certificate. This binary, once installed, calls out to a victim-specific avsvmcloud[.]com domain using a protocol designed to mimic legitimate SolarWinds protocol traffic. After the initial check-in, the adversary can use the Domain Name System (DNS) response to selectively send back new domains or IP addresses for interactive command and control (C2) traffic. Consequently, entities that observe traffic from their SolarWinds Orion devices to avsvmcloud[.]com should not immediately conclude that the adversary leveraged the SolarWinds Orion backdoor. Instead, additional investigation is needed into whether the SolarWinds Orion device engaged in further unexplained communications. If additional Canonical Name record (CNAME) resolutions associated with the avsvmcloud[.]com domain are observed, possible additional adversary action leveraging the back door has occurred.
Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease. In the case of infections where the attacker has already moved C2 past the initial beacon, infection will likely continue notwithstanding this action.
SolarWinds Orion typically leverages a significant number of highly privileged accounts and access to perform normal business functions. Successful compromise of one of these systems can therefore enable further action and privileges in any environment where these accounts are trusted.
Anti-Forensic Techniques
The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.
FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications.[3] This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.
According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.
While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.
Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.
Privilege Escalation and Persistence [TA0004, TA0003]
The adversary has been observed using multiple persistence mechanisms across a variety of intrusions. CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources. Microsoft has released a query that can help detect this activity.[4]
Microsoft reported that the actor has added new federation trusts to existing infrastructure, a technique that CISA believes was utilized by a threat actor in an incident to which CISA has responded. Where this technique is used, it is possible that authentication can occur outside of an organization’s known infrastructure and may not be visible to the legitimate system owner. Microsoft has released a query to help identify this activity.[5]
User Impersonation
The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments. One of the principal ways the adversary is accomplishing this objective is by compromising the Security Assertion Markup Language (SAML) signing certificate using their escalated Active Directory privileges. Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust SAML tokens from the environment. These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces (APIs).
CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.
These are some key functions and systems that commonly use SAML.
• Hosted email services
• Hosted business intelligence applications
• Travel systems
• Timecard systems
• File storage services (such as SharePoint)
Detection: Impossible Logins
The adversary is using a complex network of IP addresses to obscure their activity, which can result in a detection opportunity referred to as “impossible travel.” Impossible travel occurs when a user logs in from multiple IP addresses that are a significant geographic distance apart (i.e., a person could not realistically travel between the geographic locations of the two IP addresses during the time period between the logins). Note: implementing this detection opportunity can result in false positives if legitimate users apply virtual private network (VPN) solutions before connecting into networks.
Detection: Impossible Tokens
The following conditions may indicate adversary activity.
• Most organizations have SAML tokens with 1-hour validity periods. Long SAML token validity durations, such as 24 hours, could be unusual.
• The SAML token contains different timestamps, including the time it was issued and the last time it was used. A token having the same timestamp for when it was issued and when it was used is not indicative of normal user behavior as users tend to use the token within a few seconds but not at the exact same time of issuance.
• A token that does not have an associated login with its user account within an hour of the token being generated also warrants investigation.
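The two detection opportunities above (impossible travel between sign-in IPs, and the three token conditions) as an added Python example; this is not CISA’s code, and the sign-in and token records, the 1,000 km/h travel threshold, the VPN egress allow-list and the GeoIP-resolved coordinates are constructed assumptions.

```python
"""Added example (not CISA's code): the two "impossible" heuristics from the
alert, run over constructed sign-in and SAML token records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0                     # assumption: faster than this is "impossible"
USUAL_TOKEN_LIFETIME = timedelta(hours=1)  # 1-hour validity is typical per the alert
LOGIN_WINDOW = timedelta(hours=1)          # a genuine token sits near a real sign-in

def ts(hour, minute=0, second=0):  # constructed timestamps, all on 14 Dec 2020 UTC
    return datetime(2020, 12, 14, hour, minute, second, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Login:
    user: str
    time: datetime
    ip: str
    lat: float   # assumption: coordinates already resolved from ip by a GeoIP lookup
    lon: float

@dataclass(frozen=True)
class SamlToken:
    token_id: str
    user: str
    issued: datetime           # IssueInstant
    not_on_or_after: datetime  # end of the validity period
    first_used: datetime       # first time a relying service accepted it

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH, vpn_egress_ips=frozenset()):
    """Consecutive sign-ins per user that imply travel faster than max_speed_kmh.
    Sign-ins from known VPN egress addresses are skipped: that is the false
    positive the alert warns about."""
    by_user = {}
    for entry in logins:
        by_user.setdefault(entry.user, []).append(entry)
    flagged = []
    for entries in by_user.values():
        entries.sort(key=lambda e: e.time)
        for earlier, later in zip(entries, entries[1:]):
            if earlier.ip == later.ip or {earlier.ip, later.ip} & vpn_egress_ips:
                continue
            km = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
            hours = (later.time - earlier.time).total_seconds() / 3600
            if hours > 0:
                speed = km / hours
            else:  # identical timestamps: any non-zero distance is impossible
                speed = float("inf") if km > 0 else 0.0
            if speed > max_speed_kmh:
                flagged.append((earlier, later))
    return flagged

def impossible_tokens(tokens, logins, usual_lifetime=USUAL_TOKEN_LIFETIME):
    """Map token_id -> reasons, one per condition listed in the alert."""
    logins_by_user = {}
    for entry in logins:
        logins_by_user.setdefault(entry.user, []).append(entry)
    findings = {}
    for tok in tokens:
        reasons = []
        lifetime = tok.not_on_or_after - tok.issued
        if lifetime > usual_lifetime:
            reasons.append(f"validity {lifetime} exceeds usual {usual_lifetime}")
        if tok.first_used == tok.issued:
            reasons.append("first use at the exact instant of issuance")
        if not any(abs(l.time - tok.issued) <= LOGIN_WINDOW
                   for l in logins_by_user.get(tok.user, [])):
            reasons.append("no sign-in by this user within 1 h of issuance")
        if reasons:
            findings[tok.token_id] = reasons
    return findings

def sample_logins():
    """Constructed sign-ins using RFC 5737 documentation addresses."""
    return [
        Login("alice", ts(9), "192.0.2.10", 51.5074, -0.1278),      # London
        Login("alice", ts(10), "203.0.113.10", 40.7128, -74.0060),  # New York, 1 h later
        Login("bob", ts(9), "192.0.2.11", 51.5074, -0.1278),        # London
        Login("bob", ts(12), "198.51.100.5", 53.4808, -2.2426),     # Manchester, 3 h later
    ]

def sample_tokens():
    """Constructed tokens: tok-1 is normal, tok-2 and tok-3 trip the checks."""
    return [
        SamlToken("tok-1", "alice", ts(9, 0, 5), ts(10, 0, 5), ts(9, 0, 10)),
        SamlToken("tok-2", "carol", ts(11), ts(11) + timedelta(hours=24), ts(11)),
        SamlToken("tok-3", "bob", ts(14), ts(15), ts(14, 0, 3)),
    ]
```

Passing the corporate VPN egress address in `vpn_egress_ips` suppresses the London-to-New-York pair, which is the tuning the alert’s note calls for.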
Operational Security
Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures. An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.
Operational security plans should include:
• Out-of-band communications guidance for staff and leadership;
• An outline of what “normal business” is acceptable to be conducted on the suspect network;
• A call tree for critical contacts and decision making; and
• Considerations for external communications to stakeholders and media.
MITRE ATT&CK® Techniques
CISA assesses that the threat actor engaged in the activities described in this Alert uses the below-listed ATT&CK techniques.
• Query Registry [T1012]
• Obfuscated Files or Information [T1027]
• Obfuscated Files or Information: Steganography [T1027.003]
• Process Discovery [T1057]
• Indicator Removal on Host: File Deletion [T1070.004]
• Application Layer Protocol: Web Protocols [T1071.001]
• Application Layer Protocol: DNS [T1071.004]
• File and Directory Discovery [T1083]
• Ingress Tool Transfer [T1105]
• Data Encoding: Standard Encoding [T1132.001]
• Supply Chain Compromise: Compromise Software Dependencies and Development Tools [T1195.001]
• Supply Chain Compromise: Compromise Software Supply Chain [T1195.002]
• Software Discovery [T1518]
• Software Discovery: Security Software [T1518.001]
• Create or Modify System Process: Windows Service [T1543.003]
• Subvert Trust Controls: Code Signing [T1553.002]
• Dynamic Resolution: Domain Generation Algorithms [T1568.002]
• System Services: Service Execution [T1569.002]
• Compromise Infrastructure [T1584]
Mitigations
SolarWinds Orion Owners
Owners of vulnerable SolarWinds Orion products will generally fall into one of three categories.
• Category 1 includes those who do not have the identified malicious binary. These owners can patch their systems and resume use as determined by and consistent with their internal risk evaluations.
• Category 2 includes those who have identified the presence of the malicious binary—with or without beaconing to avsvmcloud[.]com. Owners with the malicious binary whose vulnerable appliances’ only unexplained external communications are with avsvmcloud[.]com—a fact that can be verified by comprehensive network monitoring for the device—can harden the device, re-install the updated software from a verified software supply chain, and resume use as determined by and consistent with a thorough risk evaluation.
• Category 3 includes those with the binary beaconing to avsvmcloud[.]com and secondary C2 activity to a separate domain or IP address. If you observed communications with avsvmcloud[.]com that appear to suddenly cease prior to December 14, 2020— not due to an action taken by your network defenders—you fall into this category. Assume the environment has been compromised, and initiate incident response procedures immediately.
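As an added example (not part of the CISA alert), the following Python triage helper applies the three-category decision rules above to outbound-connection records from an Orion host; the connection records, host names and the allowlist entry are constructed assumptions.

```python
"""Triage an Orion owner into the alert's three categories (added example, not CISA code).

Inputs are the result of a hash check for the malicious binary plus outbound-connection
records from the Orion hosts; the sample records below are constructed, not real telemetry."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address

# From the alert: stage-1 beaconing that stopped before this date, without defender
# action, means the actor likely moved on to secondary C2 (Category 3).
KILL_SWITCH_DATE = datetime(2020, 12, 14)
STAGE1_DOMAIN = "avsvmcloud.com"
# Assumed allowlist of destinations an Orion server legitimately talks to (placeholder).
ALLOWLIST = {"downloads.solarwinds.com"}


@dataclass(frozen=True)
class Connection:
    when: datetime
    src: str   # Orion host that initiated the connection
    dst: str   # destination domain or IP address


def parse_connections(text: str) -> list:
    """Parse 'timestamp, src_host, destination' lines into Connection records."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst = (field.strip() for field in line.split(","))
        records.append(Connection(datetime.fromisoformat(ts), src, dst.lower()))
    return records


def is_external(dst: str) -> bool:
    """Private, loopback and link-local IPs are internal; any domain name is external."""
    try:
        return ip_address(dst).is_global
    except ValueError:
        return True


def is_stage1(dst: str) -> bool:
    """Match the stage-1 beacon domain and any subdomain of it."""
    return dst == STAGE1_DOMAIN or dst.endswith("." + STAGE1_DOMAIN)


def classify(conns, orion_hosts, backdoor_present, defenders_blocked_stage1=False):
    """Return (category, reason) following the alert's decision rules.

    defenders_blocked_stage1: True if your own team cut the avsvmcloud[.]com traffic,
    in which case its cessation is explained and does not by itself imply secondary C2."""
    if not backdoor_present:
        return 1, "no malicious binary present: patch and resume per internal risk evaluation"
    external = [c for c in conns
                if c.src in orion_hosts and is_external(c.dst) and c.dst not in ALLOWLIST]
    stage1 = [c for c in external if is_stage1(c.dst)]
    other = [c for c in external if not is_stage1(c.dst)]
    if other:
        dsts = sorted({c.dst for c in other})
        return 3, f"secondary C2 candidates beyond {STAGE1_DOMAIN}: {dsts}; start incident response"
    if stage1:
        last_seen = max(c.when for c in stage1)
        log_end = max(c.when for c in conns)
        # Only judge 'sudden cessation' when the log window actually reaches Dec 14.
        if last_seen < KILL_SWITCH_DATE <= log_end and not defenders_blocked_stage1:
            return 3, (f"beaconing last seen {last_seen:%Y-%m-%d}, ceased before Dec 14 "
                       "without defender action; assume compromise")
    return 2, "only unexplained external traffic is to avsvmcloud[.]com: harden, reinstall, resume"


# Constructed sample: a beacon to a made-up subdomain stops on Dec 5 while the log runs to Dec 15.
SAMPLE_LOG = """
2020-12-01T03:10:00, orion01, abc123.avsvmcloud.com
2020-12-03T03:10:00, orion01, abc123.avsvmcloud.com
2020-12-05T03:10:00, orion01, abc123.avsvmcloud.com
2020-12-09T12:00:00, orion01, downloads.solarwinds.com
2020-12-10T09:00:00, orion01, 10.20.30.40
2020-12-15T09:00:00, orion01, 10.20.30.41
"""

if __name__ == "__main__":
    conns = parse_connections(SAMPLE_LOG)
    for present, blocked in ((False, False), (True, False), (True, True)):
        print(classify(conns, {"orion01"}, present, blocked))
```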
Compromise Mitigations
If the adversary has compromised administrative level credentials in an environment—or if organizations identify SAML abuse in the environment—simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary's removal from the network. In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action.
SolarWinds Orion Specific Mitigations
The following mitigations apply to networks using the SolarWinds Orion product. This includes any information system that is used by an entity or operated on its behalf.
Organizations that have the expertise to take the actions in Step 1 immediately should do so before proceeding to Step 2. Organizations without this capability should proceed to Step 2. Federal civilian executive branch agencies should ignore the below and refer instead to Emergency Directive 21-01 (and forthcoming associated guidance) for mitigation steps.
• Step 1
o Forensically image system memory and/or host operating systems hosting all instances of affected versions of SolarWinds Orion. Analyze for new user or service accounts, privileged or otherwise.
o Analyze stored network traffic for indications of compromise, including new external DNS domains to which a small number of agency hosts (e.g., SolarWinds systems) have had connections.
• Step 2
o Affected organizations should immediately disconnect or power down all instances of affected versions of SolarWinds Orion from their network.
o Additionally:
▪ Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.
▪ Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.
• Step 3
o Only after all known threat actor-controlled accounts and persistence mechanisms have been removed:
▪ Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that the threat actor has deployed further persistence mechanisms.
▪ Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
▪ Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
▪ Take actions to remediate kerberoasting, including—as necessary or appropriate—engaging with a third party with experience eradicating APTs from enterprise networks. For Windows environments, refer to Microsoft's documentation on kerberoasting: https://techcommunity.microsoft.com/t5/microsoft-security-and/detecting-ldap-based-kerberoasting-with-azure-atp/ba-p/462448.
▪ Require use of multi-factor authentication. If not possible, use long and complex passwords (greater than 25 characters) for service principal accounts, and implement a good rotation policy for these passwords.
▪ Replace the user account with a group Managed Service Account (gMSA); see Microsoft's documentation on Group Managed Service Accounts: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview.
▪ Set account options for service accounts to support AES256_CTS_HMAC_SHA1_96 and not support DES, RC4, or AES128-bit encryption.
▪ Define the Security Policy setting "Network Security: Configure encryption types allowed for Kerberos". Set the allowable encryption types to AES256_HMAC_SHA1 and Future encryption types: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.
▪ See Microsoft's documentation on how to reset the Kerberos Ticket Granting Ticket password twice: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/manage/ad-forest-recovery-resetting-the-krbtgt-password.
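As an added example (not CISA's or Microsoft's code), the following Python audit checks an export of Active Directory service accounts against the Step 3 Kerberos guidance above: AES256 only, no DES/RC4/AES128, gMSA instead of plain user accounts, and password rotation. The export format, the account names and the stated RC4 fallback for an unset attribute are assumptions labelled in the code.

```python
"""Audit exported AD service accounts against the alert's kerberoasting mitigations
(added example, not CISA or Microsoft code): AES256-only Kerberos encryption types,
gMSA instead of plain user accounts, and regular password rotation.

The export format and the sample rows are constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Bit values of msDS-SupportedEncryptionTypes as documented by Microsoft.
ENC_NAMES = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
AES256 = 0x10
WEAK_MASK = 0x01 | 0x02 | 0x04 | 0x08   # everything the alert says not to support
ALERT_DATE = datetime(2020, 12, 17)    # initial version date of the alert, used as 'now'


@dataclass
class ServiceAccount:
    name: str
    spns: tuple                 # servicePrincipalName values; empty = no service tickets issued
    enc_types: Optional[int]    # msDS-SupportedEncryptionTypes; None = attribute unset
    pwd_last_set: datetime
    is_gmsa: bool


def parse_export(text: str) -> list:
    """Parse 'name;spn1|spn2;enctypes;pwdLastSet;gmsa' lines (constructed format)."""
    accounts = []
    for line in text.strip().splitlines():
        name, spns, enc, pwd, gmsa = (f.strip() for f in line.split(";"))
        accounts.append(ServiceAccount(
            name=name,
            spns=tuple(s for s in spns.split("|") if s),
            enc_types=int(enc) if enc else None,
            pwd_last_set=datetime.fromisoformat(pwd),
            is_gmsa=(gmsa.lower() == "yes"),
        ))
    return accounts


def audit(accounts, now: datetime, max_age_days: int = 90) -> dict:
    """Return {account name: [findings]} for SPN-bearing accounts that miss the guidance."""
    findings = {}
    for a in accounts:
        if not a.spns:
            continue    # no SPN, so no service ticket to request: out of scope here
        issues = []
        if not a.enc_types:
            # Assumption: unset (or 0) lets the KDC fall back to RC4 for this account by default.
            issues.append("msDS-SupportedEncryptionTypes unset: RC4 allowed by default")
        else:
            if not a.enc_types & AES256:
                issues.append("AES256_CTS_HMAC_SHA1_96 not enabled")
            weak = [ENC_NAMES[b] for b in ENC_NAMES if a.enc_types & b & WEAK_MASK]
            if weak:
                issues.append("weak types enabled: " + ", ".join(weak))
        if not a.is_gmsa:
            issues.append("plain user account; replace with gMSA")
            if now - a.pwd_last_set > timedelta(days=max_age_days):
                issues.append(f"password older than {max_age_days} days; rotate it")
        if issues:
            findings[a.name] = issues
    return findings


# Constructed export (account names and hosts are placeholders, not real data).
SAMPLE_EXPORT = """
svc_sql;MSSQLSvc/db01.corp.example:1433;4;2019-05-01;no
svc_web;HTTP/web01.corp.example;16;2020-11-20;no
gmsa_backup$;HOST/backup01.corp.example;24;2020-12-10;yes
svc_legacy;CIFS/fs01.corp.example;;2018-01-15;no
jdoe;;16;2020-12-01;no
"""

if __name__ == "__main__":
    for name, issues in audit(parse_export(SAMPLE_EXPORT), ALERT_DATE).items():
        print(name, "->", "; ".join(issues))
```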
See the Joint Alert on Technical Approaches to Uncovering and Remediating Malicious Activity for more information on incident investigation and mitigation steps based on best practices.
CISA will update this Alert as information becomes available and will continue to provide technical assistance, upon request, to affected entities as they work to identify and mitigate potential compromises.
Contact Information
CISA encourages recipients of this report to contribute any additional information that they may have related to this threat. For any questions related to this report, please contact CISA at
• 1-888-282-0870 (From outside the United States: +1-703-235-8832)
• central@cisa.dhs.gov (UNCLASS)
• us-cert@dhs.sgov.gov (SIPRNET)
• us-cert@dhs.ic.gov (JWICS)
CISA encourages you to report any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on the CISA/US-CERT homepage at http://www.us-cert.cisa.gov/.
Appendix A: Affected SolarWinds Orion Products
Table 1 identifies recent versions of SolarWinds Orion Platforms and indicates whether they have been identified as having the Sunburst backdoor present.
Table 1: Affected SolarWinds Orion Products

| Orion Platform Version | Sunburst Backdoor Code Present | File Version | SHA-256 |
| --- | --- | --- | --- |
| 2019.4 | Tampered but not backdoored | 2019.4.5200.8890 | a25cadd48d70f6ea0c4a241d99c5241269e6faccb4054e62d16784640f8e53bc |
| 2019.4 HF1 | No | 2019.4.5200.8950 | 9bee4af53a8cdd7ecabe5d0c77b6011abe887ac516a5a22ad51a058830403690 |
| 2019.4 HF2 | No | 2019.4.5200.8996 | bb86f66d11592e3312cd03423b754f7337aeebba9204f54b745ed3821de6252d |
| 2019.4 HF3 | No | 2019.4.5200.9001 | ae6694fd12679891d95b427444466f186bcdcc79bc0627b590e0cb40de1928ad |
| 2019.4 HF4 | No | 2019.4.5200.9045 | 9d6285db647e7eeabdb85b409fad61467de1655098fec2e25aeb7770299e9fee |
| 2020.2 RC1 | Yes | 2020.2.100.12219 | dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b |
| 2019.4 HF5 | Yes | 2019.4.5200.9083 | 32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77 |
| 2020.2 RC2 | Yes | 2020.2.5200.12394 | 019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134 |
| 2020.2 and 2020.2 HF1 | Yes | 2020.2.5300.12432 | ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6 |
| 2019.4 HF6 | No | 2019.4.5200.9106 | 8dfe613b00d495fb8905bdf6e1317d3e3ac1f63a626032fa2bdad4750887ee8a |
| 2020.2.1 and 2020.2.1 HF1 | No | 2020.2.15300.12766 | 143632672dcb6ef324343739636b984f5c52ece0e078cfee7c6cac4a3545403a |
| 2020.2.1 HF2 | No | 2020.2.15300.12901 | cc870c07eeb672ab33b6c2be51b173ad5564af5d98bfc02da02367a9e349a76f |
Appendix B: Indicators of Compromise
Due to the operational security posture of the adversary, most observable IOCs are of limited utility; however, they can be useful for quick triage. Below is a compilation of IOCs from a variety of public sources provided for convenience. CISA will be updating this list with CISA developed IOCs as our investigations evolve.
Revisions
Initial Version: December 17, 2020
More Hacking Attacks Found as Officials Warn of ‘Grave Risk’ to U.S. Government
Minutes after the government statement, President-elect Joseph R. Biden Jr. warned that his administration would impose “substantial costs” on those responsible. President Trump has been silent on the hacking.
New York Times, 18 December 2020
• https://www.nytimes.com/2020/12/17/us/politics/russia-cyber-hack-trump.html
[Photo caption: The Commerce, Treasury and Defense Departments, as well as other federal agencies, were the targets of Russian hackers. Credit: Jim Lo Scalzo/EPA, via Shutterstock]
By David E. Sanger and Nicole Perlroth
Published Dec. 17, 2020; updated Dec. 18, 2020, 8:28 a.m. ET
WASHINGTON — Federal officials issued an urgent warning on Thursday that hackers who American intelligence agencies believed were working for the Kremlin used a far wider variety of tools than previously known to penetrate government systems, and said that the cyberoffensive was “a grave risk to the federal government.”
The discovery suggests that the scope of the hacking, which appears to extend beyond nuclear laboratories and Pentagon, Treasury and Commerce Department systems, complicates the challenge for federal investigators as they try to assess the damage and understand what had been stolen.
Minutes after the statement from the cybersecurity arm of the Department of Homeland Security, President-elect Joseph R. Biden Jr. warned that his administration would impose “substantial costs” on those responsible.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Mr. Biden said, adding, “I will not stand idly by in the face of cyberassaults on our nation.”
President Trump has yet to say anything about the attack.
Echoing the government’s warning, Microsoft said Thursday that it had identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.
“It’s still early days, but we have already identified 40 victims — more than anyone else has stated so far — and believe that number should rise substantially,” Brad Smith, Microsoft’s president, said in an interview on Thursday. “There are more nongovernmental victims than there are governmental victims, with a big focus on I.T. companies, especially in the security industry.”
The Energy Department and its National Nuclear Security Administration, which maintains the American nuclear stockpile, were compromised as part of the larger attack, but its investigation found the hack did not affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.
“At this point, the investigation has found that the malware has been isolated to business networks only,” Ms. Hynes said. The hack of the nuclear agency was reported earlier by Politico.
Officials have yet to publicly name the attacker responsible, but intelligence agencies have told Congress that they believe it was carried out by the S.V.R., an elite Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority — 80 percent — are in the United States, while Russia shows no infections at all.
The government warning, issued by the Cybersecurity and Infrastructure Security Agency, did not detail the new ways that the hackers got into the government systems. But it confirmed suspicions expressed this week by FireEye, a cybersecurity firm, that there were almost certainly other routes that the attackers had found to get into networks on which the day-to-day business of the United States depend.
FireEye was the first to inform the government that the suspected Russian hackers had, since at least March, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.
Investigators and other officials say they believe the goal of the Russian attack was traditional espionage, the sort the National Security Agency and other agencies regularly conduct on foreign networks. But the extent and depth of the hacking raise concerns that hackers could ultimately use their access to shutter American systems, corrupt or destroy data, or take command of computer systems that run industrial processes. So far, though, there has been no evidence of that happening.
The alert was a clear sign of a new realization of urgency by the government. After playing down the episode — in addition to Mr. Trump’s silence, Secretary of State Mike Pompeo has deflected the hacking as one of the many daily attacks on the federal government, suggesting China was the biggest offender — the government’s new alert left no doubt the assessment had changed.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” the alert said.
“It is likely that the adversary has additional initial access vectors and tactics, techniques and procedures,” which, it said, “have not yet been discovered.”
Investigators say it could take months to unravel the extent to which American networks and the technology supply chain are compromised.
In an interview on Thursday, Mr. Smith, of Microsoft, said the supply-chain element made the attack perhaps the gravest cyberattack against the United States in years.
“Governments have long spied on each other but there is a growing and critical recognition that there needs to be a clear set of rules that put certain techniques off limits,” Mr. Smith said. “One of the things that needs to be off limits is a broad supply chain attack that creates a vulnerability for the world that other forms of traditional espionage do not.”
Reuters reported Thursday that Microsoft was itself compromised in the attack, a claim that Mr. Smith emphatically denied Thursday. “We have no indication of that,” he said.
Officials say that with only one month left in its tenure, the Trump administration is planning to simply hand off what appears to be the biggest cybersecurity breach of federal networks in more than two decades.
Mr. Biden’s statement said he had instructed his transition team to learn as much as possible about “what appears to be a massive cybersecurity breach affecting potentially thousands of victims.”
“I want to be clear: My administration will make cybersecurity a top priority at every level of government — and we will make dealing with this breach a top priority from the moment we take office,” Mr. Biden said, adding that he plans to impose “substantial costs on those responsible.”
The Cybersecurity and Infrastructure Security Agency’s warning came days after Microsoft took emergency action along with FireEye to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware using a so-called kill switch.
That shut off further penetration. But it is of no help to organizations that have already been penetrated by an attacker who has been planting back doors in their systems since March. And the key line in the warning said that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.
Across federal agencies, the private sector and the utility companies that oversee the power grid, forensic investigators were still trying to unravel the extent of the compromise. But security teams say the relief some felt that they did not use the compromised systems turned to panic on Thursday, as they learned other third-party applications may have been compromised.
Inside federal agencies and the private sector, investigators say they have been stymied by classifications and a siloed approach to information sharing.
“We have forgotten the lessons of 9/11,” Mr. Smith said. “It has not been a great week for information sharing and it turns companies like Microsoft into a sheep dog trying to get these federal agencies to come together into a single place and share what they know.”
David E. Sanger reported from Washington, and Nicole Perlroth from Palo Alto, Calif.