The United States Senate’s select committee on intelligence met yesterday to hear evidence from tech executives regarding the historic hack on Texas-based company SolarWinds.
Government agencies issued emergency directives in December after cybersecurity company FireEye detected a supply-chain attack trojanizing SolarWinds’ Orion business software updates to distribute malware.
Using SolarWinds and Microsoft programs, hackers believed to have been working for Russia attacked nine federal agencies and around 100 American companies.
The committee heard that both the scale and sophistication of the attack were greater than had been previously thought. Microsoft president Brad Smith said the attack “was the largest and most sophisticated sort of operation that we have seen” and that he believed it was the work of “at least 1,000 very skilled, very capable engineers.”
The true impact of the attack may never be gauged as victims are only required by law to disclose cyber-attacks that expose individuals’ private data.
During the attack, hackers were able to read Microsoft’s source code for how its programs authenticate users and then manipulate those programs to access new areas inside victims’ networks.
Smith said that this had been made possible not through any errors on Microsoft’s part, but as the result of customers’ configuration mistakes and other errors that meant “the keys to the safe and the car were left out in the open.”
CrowdStrike’s chief executive George Kurtz said the hackers were able to exploit Microsoft’s overly complicated and “antiquated” architecture.
“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network” and reach the cloud environment while bypassing multifactor authentication, said Kurtz.
To increase national cybersecurity, Smith called for companies to improve information-sharing about cyber-attacks. Kurtz called for Microsoft to fix issues existing in Active Directory and Azure.
He said: “Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms.”
Senator Mark Warner pointed out that 30% of the victims did not have Orion software installed and that they were attacked via other methods. Mandiant CEO Kevin Mandia said that the main attack tactic deployed by hackers was password spray—trying common or reused passwords against accounts en masse.