The SolarWinds hacking campaign, which ran for months and hit US government agencies and cybersecurity vendors hard, was “the biggest, and most sophisticated, attack the world has ever seen,” said Microsoft president Brad Smith. In his view there is no doubt that it involved a large number of developers.
The attack, disclosed by security firm FireEye and by Microsoft in December, could have affected as many as 18,000 organizations through the Sunburst (or Solorigate) malware embedded in SolarWinds’ Orion network management software. “I think from a software engineering perspective, it’s probably fair to say that this is the biggest and most sophisticated attack the world has ever seen,” Smith said during his appearance on the well-known American program 60 Minutes, broadcast on CBS News.
Microsoft, which was itself compromised through the trojanized Orion update, has assigned 500 engineers to investigate the attack, Smith said. But the team behind the attack (most likely backed by Russia) had more than double those engineering resources. “When we looked at everything we saw at Microsoft, we wondered how many engineers were probably working on these attacks. And the answer we have come up with is, well, definitely over 1,000,” says Smith.
Many agencies affected
Among the U.S. agencies affected by the attacks are the Treasury Department, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the State Department, and the Department of Energy (DOE). Brad Smith did not hesitate to sound the alarm about this attack. In his view, state-backed cyberattacks that target the technology supply chain pose a risk to the economy at large.
“While governments have been spying on each other for centuries, recent attackers have used a technique that has endangered the technology supply chain for the economy at large,” Smith warned after the attacks were announced. To him it was an attack “on the confidence and reliability of the world’s critical infrastructure in order to advance a nation’s intelligence agency.”
Kevin Mandia, CEO of FireEye, also described how the attackers tripped an alarm, but only once they had managed to register a second smartphone to a FireEye employee’s account in the company’s two-factor authentication system.
Employees need that two-factor code to connect remotely to the company’s VPN. For his part, Smith added that the attackers rewrote only 4,032 lines of code in Orion, a product that runs to millions of lines.
Charles Carmakal, senior vice president and chief technology officer of FireEye Mandiant’s incident response team, previously told Yahoo News that FireEye’s security system alerted both the employee and the company’s security team to the unknown device that had been registered as belonging to the employee. The attackers had obtained the employee’s username and password through the SolarWinds update, and those credentials allowed them to register the device in the two-factor authentication system.
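The detection that caught the intruders at FireEye, as described in the paragraphs above, was an alert on a second MFA device being enrolled on an existing account. The following Python block is an added example of that detection logic and is not code from the original article, from FireEye, or from SolarWinds. The JSON log format, the event names, the `known_devices` baseline and the recipient addresses are all assumptions made for illustration; the sample log lines are constructed. It raises an alert for any enrollment of a device not already on the user's baseline, rates it higher when the enrollment comes from a source address never seen for that user, and notes whether the new device was then used to pass an MFA challenge within a short window, which is the pattern of an attacker who registers a phone and immediately uses it to reach the VPN.

```python
"""Flag newly enrolled MFA devices from authentication-log events.

Added example; not the article's, FireEye's or SolarWinds' code.
Log format, event names and the device baseline are assumptions.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

ENROLL_EVENT = "mfa.device.enrolled"     # assumed event name
CHALLENGE_OK = "mfa.challenge.success"   # assumed event name
USE_WINDOW = timedelta(minutes=15)       # "enrolled then used right away"

# Constructed sample log (hypothetical JSON lines from an MFA/IdP service).
SAMPLE_LOG = """
{"ts": "2020-12-01T08:02:11Z", "user": "jdoe", "event": "mfa.challenge.success", "device_id": "dev-1001", "src_ip": "203.0.113.10"}
{"ts": "2020-12-01T08:05:40Z", "user": "jdoe", "event": "vpn.login", "src_ip": "203.0.113.10"}
{"ts": "2020-12-03T22:41:03Z", "user": "jdoe", "event": "mfa.device.enrolled", "device_id": "dev-2077", "device_type": "smartphone", "src_ip": "198.51.100.77"}
{"ts": "2020-12-03T22:42:19Z", "user": "jdoe", "event": "mfa.challenge.success", "device_id": "dev-2077", "src_ip": "198.51.100.77"}
{"ts": "2020-12-03T22:43:00Z", "user": "jdoe", "event": "vpn.login", "src_ip": "198.51.100.77"}
{"ts": "2020-12-04T09:15:00Z", "user": "asmith", "event": "mfa.device.enrolled", "device_id": "dev-3001", "device_type": "smartphone", "src_ip": "203.0.113.22"}
"""

# Assumed baseline of devices already enrolled before the log window starts.
KNOWN_DEVICES: Dict[str, Set[str]] = {"jdoe": {"dev-1001"}}


@dataclass
class Alert:
    user: str
    device_id: str
    ts: str
    src_ip: str
    severity: str          # "low" (first device), "medium", or "high"
    used_immediately: bool  # new device passed a challenge within USE_WINDOW
    recipients: List[str]   # the account owner and the security team


def _parse(log_text: str) -> List[dict]:
    """Parse JSON lines; timestamps are assumed to be UTC with a trailing Z."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["_ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_new_mfa_enrollments(log_text: str,
                               known_devices: Dict[str, Set[str]]) -> List[Alert]:
    """Return one Alert per enrollment of a device not on the user's baseline."""
    events = _parse(log_text)
    seen_ips: Dict[str, Set[str]] = {}   # source addresses seen per user so far
    alerts: List[Alert] = []
    for i, ev in enumerate(events):
        user = ev["user"]
        if ev["event"] == ENROLL_EVENT:
            baseline = known_devices.get(user, set())
            if ev["device_id"] not in baseline:
                if not baseline and not seen_ips.get(user):
                    severity = "low"        # first device ever: likely onboarding
                elif ev["src_ip"] not in seen_ips.get(user, set()):
                    severity = "high"       # second device from an unfamiliar address
                else:
                    severity = "medium"     # second device from a familiar address
                used = any(
                    later["user"] == user
                    and later["event"] == CHALLENGE_OK
                    and later.get("device_id") == ev["device_id"]
                    and later["_ts"] - ev["_ts"] <= USE_WINDOW
                    for later in events[i + 1:]
                )
                alerts.append(Alert(
                    user=user, device_id=ev["device_id"], ts=ev["ts"],
                    src_ip=ev["src_ip"], severity=severity, used_immediately=used,
                    # Assumed addresses: notify the owner AND the SOC, so a
                    # victim who did not enrol the device can say so.
                    recipients=[f"{user}@example.com", "security-team@example.com"],
                ))
        # Record the address only after the check, so an enrollment's own
        # source address does not count as "previously seen".
        seen_ips.setdefault(user, set()).add(ev["src_ip"])
    return alerts


if __name__ == "__main__":
    for a in detect_new_mfa_enrollments(SAMPLE_LOG, KNOWN_DEVICES):
        print(a)
```

The baseline is the essential input: without a record of which devices each account already has, every enrollment looks alike. The severity split also matters in practice, because a user's very first device is routine onboarding and would otherwise drown the rare second-device case that the article describes.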
Updates to Orion were not the only way into businesses during the campaign; it also gave the attackers access to cloud applications. According to a report in the Wall Street Journal, 30% of the organizations infiltrated had no direct connection to SolarWinds.