Microsoft: the SolarWinds attack took more than 1,000 engineers to create

The months-long hacking campaign that affected US government agencies and cybersecurity providers was “the biggest and most sophisticated attack the world has ever seen,” said Microsoft President Brad Smith, and involved a large number of developers.

The attack, disclosed by security firm FireEye and Microsoft in December, may have affected up to 18,000 organizations through the Sunburst (also called Solorigate) malware planted within SolarWinds’ Orion network management software.

“I think from a software engineering perspective, it’s probably fair to say that this is the biggest and most sophisticated attack the world has ever seen,” Smith told CBS News’ 60 Minutes.

Microsoft, which was itself compromised through the malicious Orion update, assigned 500 engineers to investigate the attack, said Smith, but the team behind it (probably backed by Russia) had more than twice that engineering capacity.

“When we analyzed everything we saw at Microsoft, we wondered how many engineers were likely to have worked on these attacks. And the answer we got was, well, certainly more than 1,000,” said Smith.

US agencies confirmed to have been affected by the attacks include the US Department of the Treasury, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the US Department of State, and the US Department of Energy (DOE).

Smith had previously warned that government-backed cyber attacks targeting the technology supply chain pose a risk to the economy at large.

“Although governments have been spying on each other for centuries, recent attackers have used a technique that has jeopardized the technology supply chain for the wider economy,” said Smith after the attacks were made public.

He said this was an attack “on the trust and reliability of the world’s critical infrastructure in order to promote a nation’s intelligence agency”.

Smith told 60 Minutes that the attackers rewrote just 4,032 lines of code in Orion, a product made up of millions of lines of code.

Kevin Mandia, CEO of FireEye, also described how the attackers tripped an alarm, but only after they had successfully registered a second smartphone to a FireEye employee’s account in the company’s two-factor authentication system. Employees need the two-factor code to sign in to the company’s VPN remotely.

“Like everyone who works at home, we have two-factor authentication,” said Mandia.

“A code appears on our phone. We need to enter that code. And then we can log in. A FireEye employee was logging in, but the difference was that our security team looked at the login and we noticed that the individual had two phones registered to his name. So our security officer called that person and we asked, ‘Hey, did you really register a second device on our network?’ And our employee said, ‘No. It wasn’t, it wasn’t me.’”

Charles Carmakal, senior vice president and chief technology officer of FireEye’s Mandiant incident response team, previously told Yahoo News that FireEye’s security system alerted both the employee and the security team about the unknown device that had supposedly been registered to the employee.

The attackers had obtained the employee’s username and password through the compromised SolarWinds update. Those credentials were enough to let them register a new device in the two-factor authentication system; it was the enrollment of that extra device, not the credential use itself, that the security team noticed.
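The detection that tipped off FireEye, a second phone appearing on an account’s two-factor profile, is easy to state as a rule over MFA enrollment and VPN login events. The Python below is an added example, not FireEye’s or any vendor’s code: the JSON-lines event format, the field names (ts, user, event, device_id, src_ip) and the sample events are all constructed for illustration. It goes one step beyond the article by also flagging a VPN login that uses the newly enrolled device within an hour of enrollment, the sequence the article describes, and by routing each alert to both the account owner and the security team, as Carmakal said FireEye’s system did.

```python
"""Flag second-device MFA enrollments and the VPN logins that follow them.

Added example over constructed sample events; not FireEye's code or schema.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample events. JSON lines with hypothetical field names; the
# users, device IDs and addresses are invented for this illustration.
SAMPLE_LOG = """\
{"ts": "2020-11-01T09:00:00", "user": "jdoe", "event": "mfa_enroll", "device_id": "phone-A1", "src_ip": "10.0.0.12"}
{"ts": "2020-11-01T09:05:00", "user": "jdoe", "event": "vpn_login", "device_id": "phone-A1", "src_ip": "10.0.0.12"}
{"ts": "2020-11-01T10:00:00", "user": "msmith", "event": "mfa_enroll", "device_id": "phone-B7", "src_ip": "10.0.0.40"}
{"ts": "2020-11-20T14:30:00", "user": "msmith", "event": "vpn_login", "device_id": "phone-B7", "src_ip": "203.0.113.8"}
{"ts": "2020-11-30T22:41:00", "user": "jdoe", "event": "mfa_enroll", "device_id": "phone-Z9", "src_ip": "198.51.100.77"}
{"ts": "2020-11-30T22:52:00", "user": "jdoe", "event": "vpn_login", "device_id": "phone-Z9", "src_ip": "198.51.100.77"}
"""


@dataclass(frozen=True)
class Alert:
    ts: datetime
    user: str
    device_id: str
    src_ip: str
    reason: str
    notify: Tuple[str, ...]  # who gets paged: the account owner and the security team


def parse_events(log: str) -> List[dict]:
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_mfa_anomalies(log: str, login_window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Return alerts for extra MFA devices and for logins made with them soon after."""
    known: Dict[str, Set[str]] = {}                 # user -> devices enrolled so far
    suspect: Dict[str, Dict[str, datetime]] = {}    # user -> {extra device: enrolled_at}
    alerts: List[Alert] = []
    for ev in parse_events(log):
        user, dev = ev["user"], ev["device_id"]
        if ev["event"] == "mfa_enroll":
            devices = known.setdefault(user, set())
            if dev in devices:
                continue  # re-enrolling a device we already know; nothing to flag
            if devices:
                # The account already had a working second factor and now gains
                # another one: the signal FireEye's team acted on.
                suspect.setdefault(user, {})[dev] = ev["ts"]
                alerts.append(Alert(ev["ts"], user, dev, ev["src_ip"],
                                    f"second MFA device enrolled (already had {sorted(devices)})",
                                    (user, "security-team")))
            devices.add(dev)
        elif ev["event"] == "vpn_login":
            enrolled_at = suspect.get(user, {}).get(dev)
            if enrolled_at is not None and ev["ts"] - enrolled_at <= login_window:
                minutes = int((ev["ts"] - enrolled_at).total_seconds() // 60)
                alerts.append(Alert(ev["ts"], user, dev, ev["src_ip"],
                                    f"VPN login with MFA device enrolled {minutes} min earlier",
                                    (user, "security-team")))
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_anomalies(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.user} {a.device_id} from {a.src_ip}: "
              f"{a.reason} -> notify {a.notify}")
```

On the constructed log this raises two alerts, both for jdoe: the enrollment of phone-Z9 while phone-A1 was already registered, and the VPN login with phone-Z9 eleven minutes later. The msmith login from an outside address raises nothing, because the device was the one originally enrolled; the rule keys on device enrollment, not on source address, which is what makes the attacker’s possession of valid credentials insufficient to stay quiet.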

Trojanized Orion updates were not the only way the attackers infiltrated companies during the campaign, which also saw the hackers gain access to cloud applications. Up to 30% of the breached organizations had no direct connection to SolarWinds, according to a report in the Wall Street Journal.
