SolarWinds hack was work of 'at least 1,000 engineers', tech executives tell Senate
Tech executives revealed that a historic cybersecurity breach that affected about 100 US companies and nine federal agencies was larger and more sophisticated than previously known.
The revelations came during a hearing of the US Senate’s select committee on intelligence on Tuesday on last year’s hack of SolarWinds, a Texas-based software company. Using SolarWinds and Microsoft programs, hackers believed to be working for Russia were able to infiltrate the companies and government agencies. Servers run by Amazon were also used in the cyberattack, but that company declined to send representatives to the hearing.
Representatives from the impacted firms, including SolarWinds, Microsoft, and the cybersecurity firms FireEye Inc and CrowdStrike Holdings, told senators that the true scope of the intrusions is still unknown, because most victims are not legally required to disclose attacks unless they involve sensitive information about individuals. But they described an operation of stunning size.
Brad Smith, the Microsoft president, said its researchers believed “at least 1,000 very skilled, very capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated sort of operation that we have seen,” Smith told senators.
Smith said the hacking operation’s success was due to its ability to penetrate systems through routine processes. SolarWinds makes network monitoring software that works deep in the infrastructure of information technology systems to identify and patch problems, and provides an essential service for companies around the world.
“The world relies on the patching and updating of software for everything,” Smith said. “To disrupt or tamper with that kind of software is to in effect tamper with the digital equivalent of our public health service. It puts the entire world at greater risk.”
“It’s a little bit like a burglar who wants to break into a single apartment but manages to turn off the alarm system for every home and every building in the entire city,” he added. “Everybody’s safety is put at risk. That is what we’re grappling with here.”
Smith said many techniques used by the hackers have not come to light and that the attacker might have used up to a dozen different means of getting into victim networks during the past year.
Microsoft disclosed last week that the hackers had been able to read the company’s closely guarded source code for how its programs authenticate users. At many of the victims, the hackers manipulated those programs to access new areas inside their targets.
Smith stressed that such movement was not due to programming errors on Microsoft’s part but to poor configurations and other controls on the customer’s part, including cases “where the keys to the safe and the car were left out in the open”.
George Kurtz, the CrowdStrike chief executive, explained that in the case of his company, hackers used a third-party vendor of Microsoft software, which had access to CrowdStrike systems, and tried but failed to get into the company’s email. Kurtz turned the blame on Microsoft for its complicated architecture, which he called “antiquated”.
“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network” and reach the cloud environment while bypassing multifactor authentication, Kurtz said.
Where Smith appealed for government help in providing remedial instruction for cloud users, Kurtz said Microsoft should look to its own house and fix problems with its widely used Active Directory and Azure.
“Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms,” Kurtz said.
The executives argued for greater transparency and information-sharing about breaches, with liability protections and a system that does not punish those who come forward, similar to airline disaster investigations.
“It’s imperative for the nation that we encourage and sometimes even require better information-sharing about cyber-attacks,” Smith said.
Lawmakers spoke with the executives about how threat intelligence can be more easily and confidentially shared among competitors and lawmakers to prevent large hacks like this in the future. They also discussed what kinds of repercussions nation-state sponsored hacks warrant. The Biden administration is rumored to be considering sanctions against Russia over the hack, according to a Washington Post report.
“This could have been exponentially worse and we need to recognize the seriousness of that,” said Senator Mark Warner of Virginia. “We can’t default to security fatalism. We’ve got to at least raise the cost for our adversaries.”
Lawmakers berated Amazon for not appearing at the hearing, threatening to compel the company to testify at subsequent panels.
“I think [Amazon has] an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” said Senator Susan Collins, a Republican. “If they don’t, I think we should look at next steps.”
Four people have been charged in Sydney and Canada over alleged attempts to extort $10 million from a senior Iraqi politician, after what was described as a year-long campaign of intimidation.
Dual raids were launched at dawn on Wednesday after a string of attacks on a Sydney home and online extortion attempts linked to an address in Canada.
The target was the family of a “very senior politician” who is a dual Australian and Iraqi citizen and “spends almost all of his time in Iraq”, Australian police said.
Australian investigators were able to link social media accounts used in the affair to the city of Edmonton in western Canada, NSW police said.
The attacks are believed to have begun in December 2019, when masked and armed assailants broke into a home in western Sydney, striking a 16-year-old boy on the head with a firearm and stealing cash.
Eight months later, shots were fired at the house while two adults, two teenagers and a child were inside. A window was smashed in a separate incident.
Earlier this month, the front porch was set on fire in the dead of night and a threatening note was left outside.
“Throughout this time, the family received various demands for money and threats to their welfare via social media and letters left at their home,” NSW police said in a statement.
Detective chief superintendent Darren Bennett of the NSW Police State Crime Command said the Canadian man was the mastermind behind the plot, which involved attacks on the family’s home in Chester Hill and online threats demanding payment of up to $10 million.
Australian media named the member of parliament as Ahmed Assadi, a senior figure in the Hashed al-Shaabi, a powerful state-sponsored paramilitary network formed from mostly Shiite armed groups.
Police did not confirm the man’s identity.
Two men, aged 24 and 22, were arrested at Blacktown and Seven Hills respectively and were each charged with six offences, including sending a document threatening death or grievous bodily harm, multiple property charges, and participating in a criminal group to contribute to criminal activity.
The men were due to appear in Blacktown Local Court on Thursday.
Edmonton police reported that they had also arrested a man, Ghazi Shanta, 33, and a woman, Diana Kadri, 32, who are each charged with extortion and conspiracy to commit extortion. Police seized one imitation firearm and electronic devices from one of the addresses.
“With the immediacy of today’s communication tools, it was critical for us to collaborate with Australian police to make simultaneous arrests on opposite sides of the planet,” Phil Hawkins of the Edmonton force’s Cyber Crime Investigations Unit said.
“The search warrants were executed seamlessly, and together, we were able to bring four suspects in two countries into custody without incident,” he said.
The unit got involved following an Interpol request from the Australian federal police.