Deepening Mystery — and Fear — Over the SolarWinds Hack

Brad Smith, Microsoft Corp.’s president, made it clear in a Senate Intelligence Committee hearing this week that the federal government and leading members of the business community still don’t fully understand how digital burglars pulled off one of the most dangerous computer hacks in history.

“Who knows the entirety of what happened here?” asked Smith. “Right now, the attacker is the only one who knows the entirety of what they did.”

Intelligence analysts and technologists believe that the “attacker” is the Russian government and that about 1,000 of its operatives orchestrated a massive breach of at least 100 companies around the globe, as well as nine U.S. agencies. The Russians crept onto those servers by targeting SolarWinds Inc., an Austin, Texas-based company that is a leading provider of network and information-technology software. Other undisclosed vendors may also have been involved.

The attack, which came to light late last year, set off alarms in the highest reaches of the government and corporate America, prompting the Biden administration to disclose plans to retaliate against Russia in coming weeks. The White House hasn’t offered details about what that response will entail, but has said it would involve more than diplomatic or economic sanctions. The response is also meant to signal the government’s distaste for a range of Russian activities, including digital disruption (such as interfering in U.S. elections), theft (such as sponsoring ransomware botnets and attempting to steal Covid-19 vaccine research) and political vendettas (such as the poisoning and imprisonment of the Russian dissident Alexei Navalny).

But as two committees in the House of Representatives hold a joint hearing today on the SolarWinds hack, featuring the same witnesses who testified before the Senate on Tuesday, it’s clear that glaring problems remain. Computer networks are vulnerable, information about how to defend and respond to attacks is scattered among private and public stakeholders who don’t freely share it with one another, and the Russian hack may be ongoing.

Although the Russians initially penetrated networks in the fall of 2019, and began lifting information last spring, the breach didn’t become publicly known until December, when FireEye Inc., a Milpitas, California, company specializing in digital warfare, disclosed that it had been hacked. Cybersleuths in the federal government — including the National Security Agency — had not been aware of the hack. Corporate heavyweights at Microsoft weren’t aware until FireEye alerted them shortly after Thanksgiving and asked for help conducting a forensic analysis.

“Without this transparency, we would likely still be unaware of this campaign,” Smith said of FireEye’s alert. “In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity.”

It turned out that hackers had accessed and exploited Microsoft source code that authenticates customers using some of the software giant’s programs. Microsoft has since acknowledged that it hadn’t made sure its programs could detect the theft of identity tools providing cloud-computing access to its clients — a reminder that the cloud, overall, remains vulnerable to hackers and may be impossible to fully protect. FireEye also discovered attackers had breached its own private, in-house data center by piggybacking malware on a software update from SolarWinds. And SolarWinds, which hadn’t adequately protected its own systems, proved to be a leading nexus for a large portion of the attacks.

After sneaking into SolarWinds, the hackers deposited malware that gave them powers so broad they enjoyed “God-mode” — the ability to skirt encrypted protections and control everything on a network. The hackers masked their presence by replacing legitimate tools and utilities with their own and then depositing time bombs on a network. Then they covered their tracks by restoring the legitimate files. The malware was placed on SolarWinds’ supply chain, allowing it to travel onto victims’ networks whenever SolarWinds sent its customers a software update.

Sudhakar Ramakrishna, the chief executive of SolarWinds, said at the Senate hearing that his company still isn’t entirely sure how the hackers penetrated its systems, though his team has narrowed its investigation to three possibilities — unreassuring testimony given how long ago his company was breached. As many as 17,000 companies were imperiled in the Russian hack, according to Senate testimony.

Legislators attending Tuesday’s session, overseen by Senator Mark Warner, a Virginia Democrat, said they’re considering a national data breach reporting law — which would mandate hacking disclosures the private sector has long resisted due to concerns about reputational damage and legal liabilities. But Smith and Kevin Mandia, FireEye’s chief executive, both said that companies will have to embrace greater disclosure if they want to protect themselves.

Amazon.com Inc., which operates a ubiquitous cloud computing business, was repeatedly criticized by legislators for not sending a representative to testify, even though hackers breached its servers and used them as staging grounds to strip data from government networks. Amazon has said it wasn’t victimized in the hack, and has already shared what it knows with law enforcement and the government.

Smith and Mandia also said that companies and governments seeking to protect themselves need to increase public-private collaboration and information-sharing, and take practical steps to strengthen supply-chain security, insulate networks and redefine how nation-states conduct themselves in cyberspace (good luck with that last one).

“There are still too many missing pieces of the puzzle,” Smith said. “We need a full examination of what other cloud services and networks the Russians have accessed. Before we as a nation can secure our digital ecosystem, we need to know that the Russian attackers are no longer present in the dozens or hundreds of networks in which they have accessed data or information through this attack.”

Scared yet?

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Timothy L. O'Brien is a senior columnist for Bloomberg Opinion.

©2021 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.