SolarWinds hack was the work of ‘at least 1,000 engineers’, technology executives tell Senate


Technology executives revealed that a historic cybersecurity breach that affected about 100 American companies and nine federal agencies was larger and more sophisticated than previously known.

The revelations came during a hearing by the US Senate intelligence committee on Tuesday about last year’s hack of SolarWinds, a Texas-based software company. Using software from SolarWinds and Microsoft, hackers believed to be working for Russia managed to infiltrate companies and government agencies. Amazon-managed servers were also used in the cyber attack, but the company refused to send representatives to the hearing.

Representatives of the affected companies, including SolarWinds, Microsoft and the cybersecurity companies FireEye Inc and CrowdStrike Holdings, told senators that the true scope of the intrusions is still unknown, because most victims are not legally required to report attacks unless confidential information about individuals is involved. But they described an operation of impressive size.

Brad Smith, the president of Microsoft, said his researchers believe that “at least 1,000 very qualified and capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated type of operation we’ve seen,” Smith told senators.

Smith said the hacking operation’s success was due to its ability to penetrate systems through routine processes. SolarWinds makes network monitoring software that works deep within the infrastructure of information technology systems to identify and correct problems, and provides an essential service for companies worldwide. “The world depends on fixing and updating software for everything,” said Smith. “Stopping or tampering with this type of software is, in fact, tampering with the digital equivalent of our Public Health Service. This puts the whole world at greater risk.”

“It’s a bit like a thief who wants to break into a single apartment, but manages to turn off the alarm system in all houses and buildings in the city,” he added. “Everyone’s safety is at risk. That’s what we’re struggling with here.”

Smith said that many of the techniques used by the hackers have not yet been discovered and that the attacker may have used a dozen different ways to enter victims’ networks last year.

Microsoft revealed last week that the hackers were able to read the company’s closely guarded source code to see how its programs authenticate users. At many of the victims, the hackers manipulated these programs to gain access to new areas within their targets’ environments.

Smith stressed that this was not due to programming errors on Microsoft’s part, but rather to poor configurations and other controls on the customer’s side, including cases “where the safe and car keys were left outdoors”.

George Kurtz, the chief executive of CrowdStrike, explained that in his company’s case the hackers used a third-party vendor of Microsoft software, which had access to CrowdStrike systems, and tried, but failed, to get into the company. Kurtz blamed Microsoft for its complicated architecture, which he called “outdated”.

“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move sideways within the network” and reach the cloud environment while bypassing multifactor authentication, said Kurtz.

While Smith asked for government help in providing corrective instructions to cloud users, Kurtz said Microsoft should look into its own house and fix problems with its widely used Active Directory and Azure.

Ben Sasse questions witnesses during a Senate intelligence committee hearing on Capitol Hill. Photo: Reuters

“If Microsoft resolves the limitations of the authentication architecture around Active Directory and Azure Active Directory, or changes to a totally different methodology, a considerable threat vector would be completely eliminated from one of the most used authentication platforms in the world,” said Kurtz.

The executives advocated greater transparency and information sharing about breaches, with liability protections and a system that does not punish those who come forward, similar to airline disaster investigations.

“It is imperative for the nation that we encourage and sometimes even demand better sharing of information about cyber attacks,” said Smith.

Lawmakers talked with the executives about how threat intelligence can be shared more easily and confidentially between competitors and lawmakers to avoid major hacks like this in the future. They also discussed what kind of repercussions nation-state-sponsored hacks warrant. The Biden administration is reportedly considering sanctions against Russia for the hack, according to a Washington Post report.

“This could have been exponentially worse and we need to recognize the seriousness of it,” said Sen. Mark Warner, of Virginia. “We cannot resort to security fatalism. We need to at least increase the cost to our opponents.”

Lawmakers criticized Amazon for not attending the hearing, threatening to force the company to testify in subsequent panels.

“I think that [Amazon has] an obligation to cooperate with this investigation and I hope they do so voluntarily,” said Sen. Susan Collins, Republican. “If they don’t, I think we should take a look at the next steps.”

Reuters contributed to this report.