Supply chain hack took a thousand engineers to pull off, tech exec tells Congress

The scope and scale of the attack as described by Microsoft President Brad Smith is in keeping with the attribution being made by public sector and private sector officials that the hack was perpetrated by Russian-sponsored actors.


Brad Smith, president of Microsoft, told a panel of senators on Tuesday that his company estimates the cybersecurity breach of nine federal agencies and 100 private companies likely took "at least a thousand" skilled and capable people to pull off.

"At Microsoft as we worked with customers that had been impacted by this, we stepped back and just analyzed all of the engineering steps that we had seen and we asked ourselves how many engineers do we believe had worked on this collective effort and the answer we came to was at least a thousand," Smith told the Senate Select Committee on Intelligence. "I should say at least a thousand very skilled, capable engineers. So we haven’t seen this kind of sophistication matched with this kind of scale," he added.

The scope and scale Smith described is in keeping with the attribution being made by public sector and private sector officials that the hack, which leveraged flaws in IT management software from SolarWinds and products from other vendors to inject malware into computer networks, was perpetrated by Russia.

"We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea or Iran, and is most consistent with cyber espionage and behaviors we've seen out of Russia," Kevin Mandia, CEO of FireEye, said at the Feb. 23 hearing.

George Kurtz, president and CEO of Crowdstrike, added that while his company could not corroborate an attribution to Russia, he has not seen evidence to contradict it.

Mandia, Smith, Kurtz and Sudhakar Ramakrishna, CEO of SolarWinds, testified today to the panel on intelligence about the impacts of the hack of nine federal agencies and 100 private companies.

The committee's chairman, Sen. Mark Warner (D-Va.), said the panel invited an official from Amazon Web Services to testify but the company declined.

The White House has continued to say the campaign is "likely Russian in origin," but is waiting to complete a formal investigation before using more specific language. FireEye, which is credited with discovering the initial breach, has been more cautious, saying that the hack was likely the work of a state or state-sponsored actor.

Gregory Touhill, the federal government's first chief information security officer and a retired Air Force brigadier general, told FCW in January that formal attribution requires a level of proof that can stand up in court.

"When it comes to attribution, what the intelligence and law enforcement community has to do is … literally trace it all the way back to the root," he said. Public and private investigators have to gather evidence that "will hold up in court. That's the realm that [FireEye] and others are dealing with. Those who don't have to prove it in court can say whatever they want."

In addition to the issue of attribution, multiple senators quizzed the technology executives about stepping up requirements for breach reporting and whether companies would need liability protections to take on that obligation.

"The time has come to go in that direction," Smith said in response to a question from Sen. John Cornyn (R-Texas). "We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure it is put to good use."

Mandia agreed with Smith's comments and added that the information shared would need to be confidential because of how quickly circumstances change in the aftermath of an attack.

The Washington Post reported on Tuesday that the White House is planning to sanction Russia in response to the hack, among other things. The Post's reporting also added NASA and the Federal Aviation Administration to the list of agencies compromised.

Ramakrishna said Monday during an event hosted by a Washington think tank that he feels his company has an "obligation" to speak publicly about the breach because "this is not a one company issue."

He and other technology executives will speak to House lawmakers later this week about the effects the breach has had on the public and private sector.

Both Ramakrishna and Mandia said this week that in addition to adding malicious code to the SolarWinds Orion IT management software, the hackers behind the campaign also inserted innocuous code into Orion in October 2019 to test whether their method of injecting code worked without attracting attention.
