SolarWinds hack was a work of ‘at least 1,000 engineers’, tech executives tell Senate


Technical executives have revealed that a historic cyber-security breach that affected about 100 U.S. companies and nine federal agencies was larger and more sophisticated than previously known.

The revelations came Tuesday during a hearing of the U.S. Senate Select Committee on Intelligence on last year’s hack of SolarWinds, a Texas-based software company. Using SolarWinds and Microsoft programs, hackers believed to be working for Russia were able to infiltrate businesses and government agencies. Servers run by Amazon were also used in the cyber attack, but the company declined to send representatives to the hearing.

Representatives of the companies involved, including SolarWinds, Microsoft, and the cybersecurity firms FireEye Inc and CrowdStrike Holdings, told senators that the true extent of the intrusions is still unknown, as most victims are not legally required to disclose attacks unless they involve sensitive information about individuals. But they described an enormous scope.

Brad Smith, the Microsoft president, said his researchers believe that “at least 1,000 very capable, very capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated type of operation we have seen,” Smith told senators.

Smith said the success of the intrusion was due to the attackers’ ability to hide within routine processes. SolarWinds makes network monitoring software that sits deep in the infrastructure of information systems to identify and solve problems, and provides an essential service to companies around the world. “The world relies on patching and updating software for everything,” Smith said. “To disrupt or compromise this kind of software is to actually tamper with the digital equivalent of our public health service. This puts the whole world in greater danger.”

“It’s a bit like a burglar who wants to break into one apartment, but manages to turn off the alarm system for every house and every building in the entire city,” he added. “Everyone’s safety is endangered. This is what we are struggling with here.”

Smith said many of the techniques used by the hackers have not yet come to light and that the attacker had used up to a dozen different ways to enter victim networks in the past year.

Microsoft announced last week that the hackers had been able to read the company’s source code for how its programs authenticate users. At many of the victims, the hackers manipulated those programs to gain access to new areas within their targets.

Smith stressed that such moves were not due to Microsoft programming errors, but to poor configurations and other customer controls, including cases where the keys to the safe and the car were left out in public.

George Kurtz, CEO of CrowdStrike, explained that the hackers went through a third-party vendor of Microsoft software which had access to CrowdStrike systems, and attempted to get at the company’s email. Kurtz blamed Microsoft for its intricate architecture, which he called “outdated”.

“The threat actor took advantage of systemic vulnerabilities in the Windows authentication architecture, which caused it to move laterally within the network” and reached the cloud environment while bypassing multifactor authentication, Kurtz said.

While Smith called for government help in providing remediation guidance to cloud users, Kurtz said Microsoft should look to its own house and fix the problems with its widely used Active Directory and Azure.

Ben Sasse questioned witnesses during a hearing by the Senate Intelligence Committee on Capitol Hill. Photo: Reuters

“If Microsoft addresses the authentication architecture constraints around Active Directory and Azure Active Directory, or goes all the way to another method, a significant threat vector will be completely eliminated from one of the world’s most widely used authentication platforms,” Kurtz said.

The executives argued for greater transparency and information sharing about breaches, with liability protection and a system that does not punish those who come forward, similar to airline disaster investigations.

“It is vital for the country that we encourage and sometimes want to share even better information about cyberattacks,” Smith said.

Lawmakers talked with the executives about how threat intelligence can be shared more easily and confidentially among competitors and with lawmakers to prevent major hacks like this in the future. They also discussed what kind of consequences nation state-sponsored hacks should carry. According to a Washington Post report, the Biden administration is considering sanctions against Russia over the hack.

“It could have been exponentially worse and we need to realize the seriousness of it,” said Virginia Sen. Mark Warner. “We cannot have security fatalism. We must at least increase the cost to our opponents.”

Lawmakers criticized Amazon for failing to appear at the hearing, and threatened to compel the company to testify at subsequent panels.

“I think [Amazon has] a commitment to work together on this inquiry, and I hope they will do so voluntarily,” said Sen. Susan Collins, a Republican. “If they do not, I think we need to look at the next steps.”

Reuters contributed to this report.
