Microsoft's Smith: SolarWinds Attack Involved 1,000 DevelopersSupply Chain Attack Likely Continues, He Tells '60 Minutes'
More than 1,000 developers likely worked on rewriting code for the massive SolarWinds supply chain attack that affected many companies and U.S. government agencies, Microsoft President Brad Smith said in a Sunday interview, pointing out the attack is most likely continuing.
See Also: Threat Briefing: Ransomware
In an interview with CBS News' "60 Minutes," Smith said the supply chain attack was "the largest and most sophisticated attack the world has ever seen."
The U.S. federal agencies investigating the attack, which targeted Microsoft and other technology and cybersecurity companies, say it was likely a cyberespionage campaign waged by Russian hackers (see: SolarWinds Attack: Pointing a Finger at Russia). Some investigators have said that Russia's SVR foreign intelligence service may have been behind the hacking campaign.
In the interview, Smith noted that Russia had previously developed these types of cyber tactics to target Ukraine in 2017.
The supply chain attack "exposes the secrets potentially of the United States and other governments as well as private companies. I don't think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands," Smith said.
The Biden administration recently appointed Anne Neuberger, the deputy national security adviser for cyber and emerging technology, to coordinate the investigation into the supply chain attack following criticism from two senators that the probe, which involves four agencies, has lacked coordination and transparency (see: White House Taps Neuberger to Lead SolarWinds Probe).
Started With a Backdoor
The hackers planted a backdoor known as "Sunburst" within SolarWinds' Orion network monitoring software, which then spread when about 18,000 of the company's customers downloaded updates.
Intelligence experts have suggested that about 300 organizations may have been hit with follow-on, more advanced attacks, which could have led to data exfiltration and eavesdropping, including email inbox access. Those attacks were fueled by the installation of second-stage malware called Teardrop.
Smith noted that while it was not as disruptive to daily life as the Russian NotPetya attack that targeted Ukraine in 2017, the SolarWinds supply chain attack illustrates how hackers can persist.
As a result of the NotPetya attack in Ukraine, Smith says, "Ukranian television stations couldn't produce their shows because they relied on computers. Automated teller machines stopped working. Grocery stores couldn't take a credit card. Now, what we saw with this [SolarWinds] attack was something that was more targeted. But it just shows how if you engage in this kind of tactic, you can unleash an enormous amount of damage and havoc."
Saying that the SolarWinds supply chain attack likely continues, Smith said the only way to know, for certain, that malware is completely removed from the infrastructure is for affected organizations to rip and replace nearly all affected computers and network gear, Smith says (see: CISA Warns SolarWinds Incident Response May Be Substantial).
The security firm FireEye was the first company to notice the supply chain attack after its penetration testing tools were stolen.
The investigation later revealed that several U.S. federal agencies, including the Justice, Treasury, Homeland Security, Commerce and Energy departments, as well as parts of the Pentagon, were also affected by the hacking campaign. These agencies all apparently used SolarWinds' Orion as part of their IT infrastructure.
Smith noted in the TV interview that the hackers appear to have rewritten about 4,000 lines of code that were part of the Orion software update, which shows the level of sophistication needed to pull off such as an attack.
Smith also pointed out that the hacking group planted additional backdoors following the initial attack. Security firms have revealed that malware, in addition to Teardrop, included Sunspot and Raindrop (see: 'Raindrop' Is Latest Malware Tied to SolarWinds Hack).
What Was Entry Point?
Microsoft's security team recently said that the Office 365 suite of products did not serve as an initial entry point for the SolarWinds attackers.
SolarWinds CEO Sudhakar Ramakrishna noted that the investigation could not point to a specific vulnerability in Office 365 as part of the attack, but he said that the hackers may have compromised an email account that allowed them to gain the initial access into the network before planting a backdoor into the Orion software.
Acting CISA Director Brandon Wales told The Wall Street Journal that the SolarWinds attackers likely gained access to targets using a multitude of methods, including password spraying.
'Did We Take Our Eyes Off the Ball?'
Anthony Ferrante, former director for cyber incident response at the National Security Council at the White House, notes: “This cyberattack is the exact type of threat I worried about when I was at the White House - a nation-state threat that infects the software supply chain. And now it’s here and it’s affecting not just the U.S. government but some of its most sensitive interests, as well as private sector organizations."
Ferrante, who is now global head of cybersecurity at FTI Consulting, adds: "We were given so much confidence going into the presidential election that the U.S. government had insight into what nation-states might do. But does this attack suggest that we didn’t actually know everything? Did we take our eyes off the ball?"