Microsoft President Brad Smith recently claimed the SolarWinds supply chain attack was “the largest and most sophisticated attack the world has ever seen” and may have involved more than 1,000 Russian operatives.
The attackers inserted malicious code into a build of the SolarWinds Orion network management platform, so that when customers applied the routine automatic update a backdoor was installed on their networks that gave the attackers remote access. Many thousands of IT departments rely on the software for network management, and around 18,000 organizations are known to have installed the backdoor through the software update, although the attackers went on to actively exploit only a small fraction of them. The cyberattack is now widely accepted to have been orchestrated by Russia for espionage purposes, something Russia has strenuously denied.
An attack of this complexity required considerable planning and resources. Considerable time and effort were put into making it undetectable, and were it not for FireEye, it might not have been detected at all. FireEye chief executive Kevin Mandia explained in a 60 Minutes interview that the breach was detected when reviewing login information. FireEye had set up two-factor authentication for its employees: when they logged in, a code was sent to their phone to confirm their identity. The security team noticed that one employee had two phones registered for this purpose.
When they asked the employee, the employee had registered only one phone; the second had been enrolled by someone else. Investigating further, they discovered the attackers had been impersonating FireEye employees and snooping around the network, accessing sensitive information such as the tools the company uses to test its clients' defenses.
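The check that tripped the attackers up at FireEye, a user with more MFA devices enrolled than they had registered themselves, can be automated over identity-provider logs. The following is an added example, not FireEye's code and not any vendor's real log format: the JSON event shape, the field names and the sample entries are all constructed for illustration. It flags two things: users with more than one enrolled MFA device, and any additional enrollment that comes from a source address the user has never previously authenticated from.

```python
import json
from collections import defaultdict

# Constructed sample events (not real logs): one JSON object per line.
# "alice" gets a second phone enrolled from an address she has never logged in from.
SAMPLE_LOG = """\
{"ts": "2020-11-30T08:01:00Z", "user": "alice", "event": "mfa_enroll", "device": "phone-a1", "src_ip": "10.1.2.3"}
{"ts": "2020-11-30T08:05:00Z", "user": "alice", "event": "mfa_login", "device": "phone-a1", "src_ip": "10.1.2.3"}
{"ts": "2020-12-01T02:14:00Z", "user": "alice", "event": "mfa_enroll", "device": "phone-x9", "src_ip": "203.0.113.7"}
{"ts": "2020-12-01T02:15:00Z", "user": "alice", "event": "mfa_login", "device": "phone-x9", "src_ip": "203.0.113.7"}
{"ts": "2020-11-30T09:00:00Z", "user": "bob", "event": "mfa_enroll", "device": "phone-b1", "src_ip": "10.1.2.9"}
{"ts": "2020-12-01T09:10:00Z", "user": "bob", "event": "mfa_login", "device": "phone-b1", "src_ip": "10.1.2.9"}
"""


def parse_events(text):
    """Parse one JSON event per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_extra_devices(events):
    """Return {user: sorted device ids} for every user with more than one enrolled MFA device.

    This is the inventory check: it does not say which device is rogue, only that the
    user should be asked which ones they actually registered.
    """
    devices = defaultdict(set)
    for e in events:
        if e["event"] == "mfa_enroll":
            devices[e["user"]].add(e["device"])
    return {user: sorted(devs) for user, devs in devices.items() if len(devs) > 1}


def find_suspicious_enrollments(events):
    """Flag additional device enrollments from an IP the user has never passed MFA from.

    Events are processed in timestamp order so "never seen before" means before the
    enrollment, not anywhere in the log. The first enrollment for a user is never
    flagged: there is no history to compare it against.
    """
    events = sorted(events, key=lambda e: e["ts"])
    seen_ips = defaultdict(set)   # user -> source IPs that have already completed an MFA login
    enrolled = defaultdict(set)   # user -> devices enrolled so far
    alerts = []
    for e in events:
        user = e["user"]
        if e["event"] == "mfa_enroll":
            if enrolled[user] and e["src_ip"] not in seen_ips[user]:
                alerts.append({
                    "user": user,
                    "device": e["device"],
                    "src_ip": e["src_ip"],
                    "ts": e["ts"],
                    "reason": "additional MFA device enrolled from previously unseen address",
                })
            enrolled[user].add(e["device"])
        elif e["event"] == "mfa_login":
            seen_ips[user].add(e["src_ip"])
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("users with more than one MFA device:", find_extra_devices(evs))
    for a in find_suspicious_enrollments(evs):
        print("ALERT:", a)
```

The first function is the cheap, periodic inventory check; the second is the streaming rule that would have fired at enrollment time rather than at the next audit. Neither proves compromise on its own: the final step, as in the FireEye case, is to ask the user whether they registered the device, and to treat a "no" as an incident rather than a helpdesk ticket.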
What they struggled to find was any sign of how the attackers had gained access to their systems, until they hit upon the SolarWinds Orion platform. Even then, determining that the SolarWinds Orion update was the culprit was no easy task. “I can tell you this, if we didn’t do investigations for a living, we wouldn’t have found this. It takes a very special skill set to reverse engineer a whole platform that’s written by bad guys to never be found,” said Mandia.
According to Smith, around 4,000 lines of code out of the several million that make up the SolarWinds Orion update were rewritten by the hackers, and those changes required considerable manpower. Microsoft assigned 500 of its engineers to painstakingly pick apart the breach, and the more they investigated, the more complex it turned out to be.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks, and the answer we came to was, well, certainly more than 1000,” said Smith on 60 Minutes. Smith said one of the engineers compared the attack to a Rembrandt painting. The closer they looked, the more details emerged.
What is clear is that discovering the attack, and the efforts made so far to eradicate the hackers from affected systems, will not have totally succeeded. While many intruders cease activity once they have been discovered, that is certainly not the case here: the attacks are ongoing, and it is probable that further backdoors have been placed in systems that have yet to be discovered. What has been found so far is likely to be just the tip of the iceberg.