Microsoft: SolarWinds attack took more than 1,000 engineers to create

Microsoft reckons that the huge attack on security vendors and more took the combined power of at least 1,000 engineers to create.
Written by Liam Tung, Contributing Writer

The months-long hacking campaign that affected US government agencies and cybersecurity vendors was "the largest and most sophisticated attack the world has ever seen," Microsoft president Brad Smith has said, and involved a vast number of developers.

The attack, disclosed by security firm FireEye and Microsoft in December, may have impacted as many as 18,000 organizations as a result of the Sunburst (or Solorigate) malware planted inside SolarWinds's Orion network management software.   

"I think from a software engineering perspective, it's probably fair to say that this is the largest and most sophisticated attack the world has ever seen," Smith told CBSNews' 60 Minutes

SEE: VPN: Picking a provider and troubleshooting tips (free PDF) (TechRepublic)

Microsoft, which was also breached by the bad Orion update, assigned 500 engineers to investigate the attack said Smith, but the (most likely Russia-backed) team behind the attack had more than double the engineering resources. 

"When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000," said Smith. 

Among US agencies confirmed to have been affected by the attacks include the US Treasury Department, the Cybersecurity and Infrastructure Agency (CISA), The Department of Homeland Security (DHS), and the US Department of State, and the US Department of Energy (DOE)

Smith has previously raised an alarm over the attack because government-backed cyber attackers focusing on the technology supply chain pose a risk for the broader economy. 

"While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy," Smith said after disclosing the attacks

He said this was an attack "on the trust and reliability of the world's critical infrastructure in order to advance one nation's intelligence agency."

Smith highlighted to 60 Minutes that the attackers re-wrote just 4,032 lines of code within Orion, which consists of millions of lines of code. 

Kevin Mandia, CEO of FireEye, also discussed how the attackers set off an alarm but only after the attackers had successfully enrolled a second smartphone connected to a FireEye employee's account for its two-factor authentication system. Employees need that two-factor code to remotely sign into the company's VPN.

"Just like everybody working from home, we have two-factor authentication," said Mandia. 

"A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name. So our security employee called that person up and we asked, "Hey, did you actually register a second device on our network?" And our employee said, "No. It wasn't, it wasn't me."

SEE: Cybersecurity: This 'costly and destructive' malware is the biggest threat to your network

Charles Carmakal, senior vice president and chief technology officer at FireEye's Mandiant incident response team, previously told Yahoo News that FireEye's security system alerted the employee and the company's security team to the unknown device that supposedly belonged to the employee. 

The attackers had gained access to the employee's username and password via the SolarWinds update. Those credentials allowed the attacker to enroll the device in its two-factor authentication system. 

The Orion updates weren't the only way that companies were infiltrated during the campaign, which also involved the hackers gaining access to cloud applications. As many 30% of the organisations breached had no direct link to Solar Winds, according to a report in The Wall Street Journal.

Editorial standards