SolarWinds hack was the work of ‘at least 1,000 engineers’, technology executives tell Senate


Technology executives said that the historic cybersecurity breach that affected about 100 US companies and nine federal agencies was larger and more sophisticated than previously known.

The revelations came on Tuesday during a hearing of the US Senate Select Committee on Intelligence about last year’s hack of SolarWinds, a Texas-based software company. Using software from SolarWinds and Microsoft, hackers believed to be working for Russia managed to infiltrate companies and government agencies. Servers run by Amazon were also used in the attack, but the company declined to send representatives for questioning.

Representatives of the affected firms, including SolarWinds, Microsoft and the cybersecurity companies FireEye Inc and CrowdStrike Holdings, told senators that the true extent of the intrusion is still unknown, because most victims are not legally required to disclose attacks unless they involve sensitive personal information. But they described an operation of astonishing scale.

Brad Smith, president of Microsoft, said his researchers believe “at least 1,000 very skilled and very capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated sort of operation we’ve seen,” Smith told senators.

Smith said the success of the hacking operation was a result of the attackers’ ability to penetrate systems through routine processes. SolarWinds makes network monitoring software that works deep inside IT infrastructure to identify and patch issues, and provides a core service to companies around the world. “The world relies on patches and software updates for everyone,” Smith said. “Interfering with or tampering with this type of software is effectively tampering with the digital equivalent of our public health service. It puts the whole world at greater risk.”

“It’s a bit like a burglar who wants to break into one apartment but manages to turn off the alarm system for every house and every building in the whole city,” he added. “Everyone’s safety is at stake. That is what we are struggling with here.”

Smith said many of the techniques used by the hackers had not come to light, and that the attacker could have used up to a dozen different means of entering victims’ networks over the past year.

Microsoft disclosed last week that the hackers had been able to read the company’s source code for the programs it uses to verify users’ identities. In many victims’ networks, the hackers manipulated these programs to reach new areas within their targets.

Smith stressed that this was not due to software bugs on Microsoft’s part, but to poor configurations and other controls on the customers’ side, including cases “when the keys to the safe and car were left out.”

George Kurtz, chief executive of CrowdStrike, explained that in his company’s case the hackers used a third-party vendor of Microsoft software that had access to CrowdStrike systems, and tried but failed to get into the company’s email. Kurtz turned the blame onto Microsoft for its complex architecture, which he called “outdated.”

“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network” and reach the cloud environment, bypassing multi-factor authentication, Kurtz said.

Where Smith called for government help in providing remediation guidance to cloud users, Kurtz said Microsoft should look to its own house and fix the problems with its widely used Active Directory and Azure products.

Ben Sasse questions witnesses during a Senate intelligence committee hearing on Capitol Hill. Photograph: Reuters

“If Microsoft addresses the limitations of the authentication architecture around Active Directory and Azure Active Directory, or completely shifts to a different methodology, a significant threat vector would be completely eliminated from one of the world’s most widespread authentication platforms,” Kurtz said.

The executives advocated greater transparency and information-sharing about breaches, with liability protection and a system that does not penalize those who report, similar to the way plane crashes are investigated.

“It is imperative for a nation to encourage, and sometimes even demand, a better exchange of information about cyber attacks,” Smith said.

Lawmakers talked with the executives about how threat information could be shared more easily and confidentially among competitors and with lawmakers to prevent such large hacks in the future. They also discussed what consequences state-sponsored hacking should carry. The Biden administration is reported to be considering sanctions against Russia over the hack, according to the Washington Post.

“This could have been exponentially worse and we need to recognize the seriousness of it,” said Sen. Mark Warner of Virginia. “We cannot inflict security fatalism. We must at least increase the costs for our opponents.”

Lawmakers criticized Amazon for failing to appear at the hearing, threatening to compel the company to testify at subsequent hearings.

“I think [Amazon has] an obligation to cooperate with this investigation and I hope they will do so voluntarily,” said Sen. Susan Collins, a Republican. “If they don’t, I think we should consider the next steps.”

Reuters contributed to this report.