- Microsoft president Brad Smith says they estimate that at least a thousand hackers worked on the SolarWinds hacks.
- The code used for the planting of the Orion backdoors was complex, effective, and well-hidden.
- The attacks are continuing via a wide variety of different backdoors and infection chains.
Brad Smith, the current president of Microsoft, has given a short interview on ‘60 Minutes,’ where he gave away some pretty juicy details on the SolarWinds supply chain attacks that shook the field fundamentally. According to the tech executive, these attacks relied on the work of at least 1,000 engineers, who worked diligently toward a highly sophisticated attack that would fly under every radar for long enough.
Judging by the results, they fully succeeded in doing that, spreading their backdoor onto 18,000 highly critical systems across the United States and other countries as well.
Answering the question of how Microsoft could miss this even though the company is so involved in cybersecurity matters, Brad Smith told the interviewer that when considering the sophistication of the attack, there’s an asymmetric advantage for the party that’s launching it. This was just completely out of scale compared to anything else we’ve seen in the past, so it was missed not only by Microsoft but by the entire white-hat community and the security industry alike.
Even now, in the aftermath of this, Microsoft has assigned 500 engineers to look into the specifics. The more they dig, the more they discover, and Smith characteristically compared the process to analyzing a Rembrandt painting.
The investigators’ findings have pinpointed the rewritten code that the actors used for planting the backdoor, consisting of no fewer than 4,032 clandestinely seeded lines of code. As Smith admitted, these attacks are still ongoing, so the cleanup, protection, and investigation are all happening simultaneously right now.
According to FireEye’s Kevin Mandia, the actors, who are thought to be supported by Russia (not officially admitted), could have continued to operate unobstructed for much longer had it not been for the company’s diligence in investigating a seemingly minor 2FA alert. In November 2020, the firm’s security team noticed there were two phones registered to an employee’s name, so they investigated and found that someone was snooping around their network through one of their tools.
It took FireEye weeks of in-depth investigation to figure out which tool was being exploited. On December 13, 2020, when they discovered it was SolarWinds Orion, they informed the public. By then, the actors had already racked up months of malicious operation, not only against FireEye but against multiple other entities. And today, the same actors are using novel backdoors and secondary infection chains to breach new companies on a daily basis. Even stopping this has proven a lot more challenging than anyone would have suggested two months ago.