Cybersecurity experts and government officials from around the world are still putting the pieces together to understand the full scope of the SolarWinds supply chain compromise. We’re getting a better idea of just how organized and sophisticated the attack was, thanks to people like Microsoft President Brad Smith.
In a recent interview on “60 Minutes”, Smith called the attack, whose trojanized update reached roughly 18,000 government and private networks, the most advanced attack in the history of the internet.
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.
Hackers, allegedly Russian, compromised the popular IT management platform SolarWinds Orion by inserting a backdoor into a spring 2020 update of the product. Because the update was signed and distributed through SolarWinds’ normal channel, it gave the attackers a foothold in sensitive U.S. government networks and in technology companies such as FireEye.
In the interview, Smith recapped how the attack began: the attackers rewrote 4,032 lines of code in the product to create the backdoor.
The president of one of the largest information technology companies in the world said the company has assigned 500 engineers to investigate the attack.
“One compared it to a Rembrandt painting, the closer they looked, the more details emerged,” Smith said on the show.
During Microsoft’s investigation, the company concluded that the attack was not the work of a handful of state-sponsored hackers. Rather, it was a large, organized team.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks,” Smith said on the program. “And the answer we came to was, well, certainly more than 1,000.”
How two-factor authentication helped discover the largest cyberattack ever
The “60 Minutes” segment on the SolarWinds story also included an interview with Kevin Mandia, CEO of FireEye, the cybersecurity company that first disclosed the hacking campaign.
According to Mandia, two-factor authentication helped the company detect the attack that had already been going on for months.
When an employee logged in and a one-time code was sent to their phone, the company’s security staff noticed that two phones were registered to that employee’s name, although the employee had registered only one of them.
Pulling on that thread, the company examined its network and found actors impersonating employees and stealing its red-team testing tools, without leaving evidence of how they had broken in.
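The detection principle in the story above is simple: a second MFA device appearing on an account that the owner did not enroll is a strong signal, so enrollments deserve the same scrutiny as logins. The script below is an added illustration of that check and is not FireEye’s or Microsoft’s tooling. It runs over a constructed, simplified identity-provider audit log (one JSON object per line); the event names, field names and sample lines are assumptions made for the example. It flags an enrollment when the actor who performed it is not the account owner, or when it came from an address the owner has never successfully logged in from, and it lists accounts that ended up with more than one registered device.

```python
"""Flag MFA device enrollments the account owner may not have performed.

Added example, not code from the original article or from FireEye.
The audit-log format below is constructed for illustration; the field
names (event, user, actor, device_id, src_ip) are assumptions.
"""
import json
from collections import defaultdict

# Constructed sample audit log: successful logins and MFA enrollments.
# Alice enrolls one phone herself, then a second phone is enrolled in her
# name from an address she has never logged in from. Carol's phone is
# enrolled by a helpdesk account rather than by Carol.
SAMPLE_LOG = """\
{"ts": "2020-11-01T08:02:11Z", "event": "login_success", "user": "alice", "src_ip": "203.0.113.10"}
{"ts": "2020-11-01T08:05:40Z", "event": "mfa_device_registered", "user": "alice", "actor": "alice", "device_id": "phone-a1", "src_ip": "203.0.113.10"}
{"ts": "2020-11-20T22:17:03Z", "event": "mfa_device_registered", "user": "alice", "actor": "alice", "device_id": "phone-a2", "src_ip": "198.51.100.77"}
{"ts": "2020-11-21T09:14:55Z", "event": "login_success", "user": "alice", "src_ip": "203.0.113.10"}
{"ts": "2020-11-02T10:00:00Z", "event": "login_success", "user": "bob", "src_ip": "203.0.113.22"}
{"ts": "2020-11-02T10:01:30Z", "event": "mfa_device_registered", "user": "bob", "actor": "bob", "device_id": "phone-b1", "src_ip": "203.0.113.22"}
{"ts": "2020-11-15T14:00:00Z", "event": "login_success", "user": "carol", "src_ip": "203.0.113.50"}
{"ts": "2020-11-15T14:30:00Z", "event": "mfa_device_registered", "user": "carol", "actor": "helpdesk-admin", "device_id": "phone-c1", "src_ip": "203.0.113.50"}
"""


def parse_log(text):
    """Parse one JSON object per line and return events sorted by timestamp.

    ISO-8601 UTC timestamps sort correctly as strings, which is all the
    rules below need.
    """
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def device_inventory(events):
    """Map each user to the MFA device IDs registered to their account."""
    devices = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_device_registered":
            devices[e["user"]].append(e["device_id"])
    return dict(devices)


def users_with_multiple_devices(inventory):
    """Return the subset of the inventory with more than one device.

    This is the 'two phones registered to one name' check from the story.
    """
    return {user: ids for user, ids in inventory.items() if len(ids) > 1}


def find_suspicious_enrollments(events):
    """Return one alert per MFA enrollment the owner may not have made.

    Events are processed in timestamp order so that only logins *before*
    an enrollment count as the user's known addresses. Reasons:
      enrolled_by_other  the actor performing the enrollment is not the user
      new_source_ip      the enrollment came from an address the user has
                         never successfully logged in from before that time
    """
    seen_ips = defaultdict(set)  # user -> IPs of earlier successful logins
    alerts = []
    for e in events:
        if e["event"] == "login_success":
            seen_ips[e["user"]].add(e["src_ip"])
        elif e["event"] == "mfa_device_registered":
            user = e["user"]
            reasons = []
            if e.get("actor") != user:
                reasons.append("enrolled_by_other")
            if e["src_ip"] not in seen_ips[user]:
                reasons.append("new_source_ip")
            if reasons:
                alerts.append({
                    "ts": e["ts"],
                    "user": user,
                    "device_id": e["device_id"],
                    "actor": e.get("actor"),
                    "src_ip": e["src_ip"],
                    "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in find_suspicious_enrollments(evts):
        print("ALERT", alert)
    for user, ids in users_with_multiple_devices(device_inventory(evts)).items():
        print("MULTIPLE DEVICES", user, ids)
```

Both rules will also fire on legitimate events (a user enrolling a new phone while travelling, a helpdesk agent doing an approved reset), so the output is a triage queue, not a verdict. The step that made the FireEye case conclusive is the one the script cannot automate: asking the named employee whether the second device is theirs.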
According to Mandia, the earliest evidence of compromise pointed to the SolarWinds platform.
“We finally decided: Tear the thing apart,” Mandia told “60 Minutes.”