US Tech Executives Warn SolarWinds Hack Bigger, More Reckless Than
February 24, 2021
Executives with technology companies impacted by the massive
cybersecurity breach known as the SolarWinds hack are giving U.S.
lawmakers more reason to worry, warning the intrusion is both bigger
and more dangerous than first realized.
The officials, including those from FireEye, the cybersecurity firm
that first discovered the breach last December, and SolarWinds, the
Texas-based software management company at the center of the hack,
testified before the Senate Intelligence Committee Tuesday and told
lawmakers they are still trying to assess the damage.
“These attackers, from Day One, they had a back door,” FireEye Chief
Executive Officer Kevin Mandia said of the hack that impacted as
many as 18,000 SolarWinds customers around the world.
“You wonder why people missed it? This wasn’t the first place you’d
look,” he said. “This is the last place you’d look for an
Making matters worse, Microsoft President Brad Smith, whose
company’s source code — the basic programming essential to run
Microsoft programs and operating systems — was accessed in the
breach, said more victims may still be out there.
“There are more attack vectors, and we may never know what the right
number is,” Smith said. “Right now, the attacker is the only one who
knows everything they did.”
Smith further warned that the massive hack was more dangerous than
most people would like to admit, calling it “an act of
“The world relies on the patching and updating of software. We rely
on it for everything,” he said. “To disrupt, to damage, to tamper
with that kind of software updating process is, in my opinion, to
tamper with the digital equivalent of our public health service.”
To date, U.S. officials have said that while the breach exposed
thousands of companies, the hackers appear to have been interested
in only about 100 private-sector firms and nine U.S. government
agencies in what they have described as a Russian intelligence
U.S. officials have been reticent to share details, saying for now
intelligence agencies are still working to “sharpen the
FireEye and Microsoft, though, told lawmakers there is little doubt
Russia is responsible.
“We went through all the forensics. It is not very consistent with
cyber espionage from China, North Korea or Iran. And it is most
consistent with cyber espionage and behaviors we’ve seen out of
Russia,” FireEye’s Mandia told lawmakers.
“We’ve seen substantial evidence that points to the Russian foreign
intelligence agency,” Microsoft’s Smith added. “We have found no
evidence that leads us anywhere else.”
Of particular concern, they said, was the ability of the hackers to
shut down safeguards meant to find and neutralize malware, while
also leaving few traces they were ever there.
“The tradecraft and operational security (were) superb,” CrowdStrike
CEO George Kurtz told lawmakers. “To actually inject something and
have it all work without errors and without anyone actually seeing
it is, again … it’s very novel in its approach.”
Lawmakers urged the White House Tuesday to do everything it can to
speed up the attribution process.
“The sooner we make a more fulsome attribution, the better,” said
Democrat Mark Warner, Senate Intelligence Committee chairman. “We
need to call out our adversary … plan an appropriate response.”
The White House Tuesday promised the wait will soon be over.
“It will be weeks, not months, before we respond,” White House press
secretary Jen Psaki told reporters.
“We reserve the right to respond at a time and a manner of our
choosing,” she added.
Efforts are likewise underway to help harden the country’s cyber
Earlier this month, Deputy National Security Adviser for Cyber and
Emerging Technology Anne Neuberger said the Biden administration is
drafting policies to prevent further attacks and predicted some of
the proposals could be formalized as part of an “executive
On Tuesday, technology executives and lawmakers also raised the
possibility of creating a mandatory reporting requirement so that
companies impacted by cyber intrusions at the hands of countries
like Russia or China come forward quickly to share what they know.
They also argued that more needs to be done to impose costs on
countries that put critical systems at risk, both by the U.S. itself
and with its allies.
“I think deterrence is one of the most important parts of a national
strategy, and frankly, it isn’t one that has been very well
developed,” independent Sen. Angus King said.