WASHINGTON, February 24, 2021 – In the first public hearing on the topic since the SolarWinds cyberattack in December, industry leaders testified Tuesday before the Senate Intelligence Select Committee that there are still unanswered questions about the attack.
Those questions include who did it, how they did it, and what they wanted.
Although the attack colloquially assigns SolarWinds as the victim, many companies were affected, and it was the cybersecurity firm FireEye that first announced they had been infiltrated.
The hack, which occurred between March and June 2020 and targeted several companies and federal agencies, has been widely attributed to Russian intelligence. FireEye’s CEO Kevin Mandia and Microsoft President Brad Smith, both whom testified at the hearing, said the adversary was likely the Russians, but did not want to give an irrefutable affirmation.
“We all pretty much know who it is,” said Mandia.
Although there is not yet definitive proof, we are confident from the evidence that this was the Russian intelligence agency, said Smith.
As Broadband Breakfast reported Tuesday, SolarWinds’ CEO Sudhakar Ramakrishna said that the attack was very sophisticated and required extensive expertise, as it occurred in the software update supply chain environment.
The other witnesses agreed. Mandia explained that FireEye found the implanted code from thousands of hours of examining detailed assembly code that requires specialized knowledge to understand.
Although we’ve seen many cyberattacks in the past, the scale of this attack was new, said Smith. The level of expertise we saw here required at least a thousand very skilled, capable engineers, he said.
Mandia said that this attack has been in the works for a long time. “This has been a multi-decade campaign for them. They just so happen to—in 2020—create a backdoor SolarWinds implant,” he said.
“They did a dry run in October of 2019, where they put innocuous code into the SolarWinds build just to make sure the results of their intrusion made it into the SolarWinds production platform environment,” he said.
SolarWinds still does not yet know how the attacker penetrated the company’s supply chain environment, but has narrowed it down to a few possibilities, said Ramakrishna. He did not elaborate on details, emphasizing that the investigation was still under way.
The witnesses said that what the hackers wanted and everything they took is still a mystery. At this point, we still don’t know everything the attacker did—only the attacker does, said Smith.
Various senators asked what needs to be done now that the world knows about the attack. The witnesses said they need better partnerships between the public and private sectors, especially a confidential way to report cyberattacks to the government.
They also said that nations need to agree on “ground rules” for engaging in cyberwarfare. During war, we agree not to bomb ambulances or hospitals, and in the digital space there needs to be equivalent off-limit targets, said Smith. These should include software updates, because the entire world and every type of infrastructure, both digital and physical, relies on them, he said.
The House Oversight and Homeland Security Committees are scheduled to hold a similar hearing Friday.