At least 1,000 engineers worked on supply chain hack, tech exec says
- By Justin Katz
- Feb 24, 2021
The scope and scale of the SolarWinds supply chain hack was made plain by Microsoft President Brad Smith when he told senators that the company estimates the breach likely took "at least a thousand" skilled and capable people to pull off.
The hack leveraged flaws in IT management software from SolarWinds and products from other vendors to inject malware into computer networks, and has affected nine federal agencies and 100 private companies. Microsoft analyzed all of the engineering required for the attack and determined it took the work of "at least a thousand very skilled, capable engineers. So we haven't seen this kind of sophistication matched with this kind of scale," Smith told the Senate Select Committee on Intelligence.
Many private- and public-sector cybersecurity experts have laid the blame for the attack at Russia’s feet.
"We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea or Iran, and is most consistent with cyber espionage and behaviors we've seen out of Russia," Kevin Mandia, CEO of FireEye, said at the Feb. 23 hearing.
George Kurtz, president and CEO of CrowdStrike, added that while his company could not corroborate an attribution to Russia, he has not seen evidence to contradict it.
The White House has continued to say the campaign is "likely Russian in origin," but is waiting to complete a formal investigation before using more specific language. FireEye, which is credited with discovering the initial breach, has been more cautious, saying that the hack was likely the work of a state or state-sponsored actor.
Gregory Touhill, the federal government's first chief information security officer and a retired Air Force brigadier general, said in January that formal attribution requires a level of proof that can stand up in court.
"When it comes to attribution, what the intelligence and law enforcement community has to do is ... literally trace it all the way back to the root," he said. Public and private investigators have to gather evidence that "will hold up in court. That's the realm that [FireEye] and others are dealing with. Those who don't have to prove it in court can say whatever they want."
In addition to the issue of attribution, multiple senators quizzed the technology executives about stepping up requirements for breach reporting and whether companies would need liability protections to take on that obligation.
"The time has come to go in that direction," Smith said in response to a question from Sen. John Cornyn (R-Texas). "We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and making sure it is put to good use."
Mandia agreed with Smith's comments and added that the information shared would need to be confidential because of how quickly circumstances change in the aftermath of an attack.
The Washington Post reported on Tuesday that the White House is planning to sanction Russia in response to the hack and other belligerent acts. The Post's reporting also added NASA and the Federal Aviation Administration to the list of agencies compromised.
SolarWinds CEO Sudhakar Ramakrishna said Monday during an event hosted by a Washington think tank that he feels his company has an "obligation" to speak publicly about the breach because "this is not a one company issue."
This article was first posted to FCW, a sibling site to GCN.
Justin Katz is a former staff writer at FCW.