Tech firms say Russia likely behind hack
WASHINGTON — Leading technology companies said Tuesday that a months-long breach of corporate and government networks was so sophisticated, focused and labor-intensive that a nation had to be behind it, with all the evidence pointing to Russia.
In the first congressional hearing on the breach, representatives of technology companies involved in the response described a hack of almost breathtaking precision, ambition and scope. The perpetrators stealthily scooped up specific emails and documents on a target list from the U.S. and other countries.
“We haven’t seen this kind of sophistication matched with this kind of scale,” Microsoft President Brad Smith told the Senate Intelligence Committee.
Forensic investigators have estimated that at least 1,000 highly skilled engineers would have been required to develop the code that hijacked widely used network software from Texas-based Solarwinds to deploy malware around the world through a security update.
“We’ve seen substantial evidence that points to the Russian foreign intelligence agency, and we have found no evidence that leads us anywhere else,” Smith said.
U.S. national security officials have also said Russia was likely responsible for the breach, and President Joe Biden’s administration is weighing punitive measures against Russia for the hack as well as other activities. Moscow has denied responsibility for the breach.
Officials have said the motive for the hack, which was discovered by private security company Fireeye in December, appeared to be to gather intelligence. On what, they haven’t said.
At least nine government agencies and 100 private companies were breached, but what was taken has not been revealed.
White House press secretary Jen Psaki said Tuesday it would be “weeks not months” before the U.S. responds to Russia.
“We have asked the intelligence community to do further work to sharpen the attribution that the previous administration made about precisely how the hack occurred, what the extent of the damage is, and what the scope and scale of the intrusion is,” Psaki said. “And we’re still in the process of working that through now.”
The hackers first quietly installed malicious code in October 2019 on targeted networks but didn’t activate it to see if they could remain undetected. They returned in March and immediately began to steal the log-in credentials of people who were authorized to be on the network so they could have a “secret key” to move around at will, Fireeye CEO Kevin Mandia said.
Once detected “they vanished like ghosts,” he said.
The panel, which also included Sudhakar Ramakrishna, the CEO of Solarwinds who took over the company after the hack occurred, and George Kurtz, the president and CEO of Crowdstrike, another leading security company, faced questions not just about how the breach occurred but also whether hacking victims need to be legally compelled to be forthcoming when they have been breached. Even now, three months after the breach was disclosed, the identity of most victims remains unknown.