Tech executives revealed that a historic cybersecurity breach that affected about 100 US companies and nine federal agencies was larger and more sophisticated than previously known.
The revelations came during a hearing of the US Senate’s select committee on intelligence on Tuesday on last year’s hack of SolarWinds, a Texas-based software company. Using SolarWinds and Microsoft programs, hackers believed to be working for Russia were able to infiltrate the companies and government agencies. Servers run by Amazon were also used in the cyber-attack, but that company declined to send representatives to the hearing.
Representatives from the impacted firms, including SolarWinds, Microsoft, and the cybersecurity firms FireEye Inc and CrowdStrike Holdings, told senators that the true scope of the intrusions is still unknown, because most victims are not legally required to disclose attacks unless they involve sensitive information about individuals. But they described an operation of stunning size.
Brad Smith, the Microsoft president, said its researchers believed “at least 1,000 very skilled, very capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated sort of operation that we have seen,” Smith told senators.
Smith said the hacking operation’s success was due to its ability to penetrate systems through routine processes. SolarWinds functions as a network monitoring software, working deep in the infrastructure of information technology systems to identify and patch problems, and provides an essential service for companies around the world.
“The world relies on the patching and updating of software for everything,” Smith said. “To disrupt or tamper with that kind of software is to in effect tamper with the digital equivalent of our public health service. It puts the entire world at greater risk.”
“It’s a little bit like a burglar who wants to break into a single apartment but manages to turn off the alarm system for every home and every building in the entire city,” he added. “Everybody’s safety is put at risk. That is what we’re grappling with here.”
Smith said many techniques used by the hackers have not come to light and that the attacker might have used up to a dozen different means of getting into victim networks during the past year.
Microsoft disclosed last week that the hackers had been able to read the company’s closely guarded source code for how its programs authenticate users. At many of the victims, the hackers manipulated those programs to access new areas inside their targets.
Smith stressed that such movement was not due to programming errors on Microsoft’s part but on poor configurations and other controls on the customer’s part, including cases “where the keys to the safe and the car were left out in the open”.
George Kurtz, the CrowdStrike chief executive, explained that in the case of his company, hackers used a third-party vendor of Microsoft software, which had access to CrowdStrike systems, and tried but failed to get into the company’s email. Kurtz turned the blame on Microsoft for its complicated architecture, which he called “antiquated”.
“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network” and reach the cloud environment while bypassing multifactor authentication, Kurtz said.
Where Smith appealed for government help in providing remedial instruction for cloud users, Kurtz said Microsoft should look to its own house and fix problems with its widely used Active Directory and Azure.
“Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world*s most widely used authentication platforms,” Kurtz said.
The executives argued for greater transparency and information-sharing about breaches, with liability protections and a system that does not punish those who come forward, similar to airline disaster investigations.
“It’s imperative for the nation that we encourage and sometimes even require better information-sharing about cyber-attacks,” Smith said.
Lawmakers spoke with the executives about how threat intelligence can be more easily and confidentially shared among competitors and lawmakers to prevent large hacks like this in the future. They also discussed what kinds of repercussion nation-state sponsored hacks warrant. The Biden administration is rumored to be considering sanctions against Russia over the hack, according to a Washington Post report.
“This could have been exponentially worse and we need to recognize the seriousness of that,” said Senator Mark Warner of Virginia. “We can’t default to security fatalism. We’ve got to at least raise the cost for our adversaries.”
Lawmakers berated Amazon for not appearing at the hearing, threatening to compel the company to testify at subsequent panels.
“I think [Amazon has] an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” said Senator Susan Collins, a Republican. “If they don’t, I think we should look at next steps.”