‘MASSIVE ATTACK’
Scope of SolarWinds hack revealed
WASHINGTON: The stunning SolarWinds hack that cybersecurity experts blame on Russia probably took a massive, disciplined effort by more than 1000 software engineers, Microsoft president Brad Smith said on Tuesday.
Mr Smith told a hearing of the Senate Intelligence Committee that no other body but Russian intelligence had the ability to muster such an effort, which he branded “reckless” in the breadth of its threat to the globe.
Microsoft, one of more than 100 companies attacked and 18,000 left vulnerable by the hack, analysed the work it took to insert malware into widely used security software created by SolarWinds.
“We asked ourselves how many engineers do we believe had worked on this collective effort. And the answer we came to was ... at least 1000, very skilled, capable engineers,” he said.
“We haven’t seen this kind of sophistication matched with this kind of scale.”
Mr Smith compared previous hacks from Russian and other government-backed groups to a burglar breaking into a single apartment.
The SolarWinds incident was different, he said: it was like a burglar who “manages to turn off the alarm system for every home and every building in the entire city”.
“Everybody’s safety is put at risk. And that is what we’re grappling with here,” he said.
The hack was discovered by computer security firm FireEye in December after it had infected computers around the world.
Among US government agencies penetrated were the National Security Agency, the State Department, Commerce Department and the Treasury.
The Washington Post reported on Tuesday that the Biden administration was studying options to punish Moscow for the hack and for other “malign” activity.
Last week Anne Neuberger, the senior White House cybersecurity adviser, said her team was looking “holistically” at retaliation.
“This isn’t the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners,” she said.
In the Senate hearing, FireEye chief executive Kevin Mandia described the hack as the culmination of a “multidecade” effort.
He said it took thousands of hours for his staff to discover the bug.