Hacking SolarWinds was the job of “at least 1,000 engineers,” technical executives told the Senate | Technology

Tech executives have revealed that the historic cybersecurity breach that affected about 100 US companies and nine federal agencies is larger and more sophisticated than previously known.

This was revealed on Tuesday at a hearing of the US Senate select committee on intelligence on last year's hack of Texas-based software company SolarWinds. The use of SolarWinds and Microsoft programs allowed hackers who appear to be working in Russia to break into businesses and government agencies. A server run by Amazon was also used in the cyberattack, but the company refused to send a representative to the hearing.

Representatives of affected companies, including SolarWinds, Microsoft, and the cybersecurity companies FireEye Inc and CrowdStrike Holdings, told senators that the true extent of the intrusion is still unknown. But they described an operation of astonishing size.

Microsoft president Brad Smith said the researchers believed that “at least 1,000 highly skilled and highly capable engineers” worked on the SolarWinds hack. “This is the largest and most sophisticated type of operation we’ve seen,” Smith told senators.

According to Smith, the success of the hacking operation is due to its ability to break into systems through routine processes. SolarWinds functions as network monitoring software, working deep in the infrastructure of information technology systems to identify and patch problems, and provides essential services to businesses around the world. “The world relies on patching and updating all software,” Smith said. “Interrupting or tampering with that kind of software is effectively tampering with the digital version of our public health services. It puts the whole world at greater risk.”

“It’s like a thief who wants to break into one apartment but was able to turn off the alarm system for every house and every building throughout the city,” he added. “The safety of everyone is at stake. That’s what we’re working on here.”

According to Smith, many of the techniques used by the hackers remain unknown, and they could have used up to 12 different means to break into a victim’s network over the past year.

Last week, Microsoft revealed that hackers were able to read the company’s tightly protected source code for how its programs authenticate users. At many of the victims, hackers manipulated these programs to access new areas within the target.

Smith emphasized that such movement was not due to a programming error on the part of Microsoft, but to improper configuration or other controls on the part of the customer, including cases where the safe and car were “unlocked.”

George Kurtz, CEO of CrowdStrike, explained that in his company’s case, hackers used a third-party vendor of Microsoft software that had access to CrowdStrike systems and tried to access the company’s email, but failed. Kurtz blamed Microsoft for its complex architecture, which he called “obsolete.”

“Attackers have taken advantage of the system’s weaknesses in the Windows authentication architecture to allow them to move laterally within the network,” and to reach a cloud environment while bypassing multi-factor authentication, Kurtz said.

While Smith sought government assistance in providing corrective action to cloud users, Kurtz said Microsoft needed to look to itself and fix the issues in its widely used Active Directory and Azure.

Photo caption: Ben Sasse questions witnesses during a Senate intelligence committee hearing on Capitol Hill. Photo: Reuters

“If Microsoft addresses the limitations of the authentication architecture for Active Directory and Azure Active Directory, or moves to a completely different approach, it will completely eliminate significant threat vectors from one of the world’s most widely used authentication platforms,” said Kurtz.

Executives argued for greater transparency and information sharing on breaches, with liability protections and a system that does not punish those who come forward, similar to airline disaster investigations.

“It is imperative for the country that we encourage and sometimes even demand better information sharing on cyber attacks,” Smith said.

Members of Congress talked with executives about how to share threat intelligence more easily and confidentially with competitors and lawmakers to prevent such large-scale hacks in the future. They also discussed the implications of nation-state-sponsored hacking. The Biden administration is rumored to be considering sanctions against Russia for the hacking, according to a Washington Post report.

“This could have worsened exponentially, and we need to be aware of its seriousness,” said Virginia Senator Mark Warner. “Security fatalism cannot be the default. At least it needs to increase the cost of the enemy.”

Lawmakers criticized Amazon for not attending the hearing and threatened to force the company to testify in subsequent panels.

“I think [Amazon has] an obligation to cooperate with the investigation, and I hope they will cooperate,” said Republican Senator Susan Collins. “If not, I think we need to consider the next step.”

Reuters contributed to this report.
