At least 1,000 engineers worked on supply chain hack, tech exec says
The scope and scale of the SolarWinds supply chain hack was made plain by Microsoft President Brad Smith when he told senators that the company estimates the breach likely took “at least a thousand” skilled and capable people to pull off.
The hack leveraged flaws in IT management software from SolarWinds and products from other vendors to inject malware into computer networks, and has affected nine federal agencies and 100 private companies. Microsoft analyzed all of the engineering required for the attack and determined it took the work of “at least a thousand very skilled, capable engineers. So we haven’t seen this kind of sophistication matched with this kind of scale,” Smith told the Senate Select Committee on Intelligence.
Many private- and public-sector cybersecurity experts have laid the blame for the attack at Russia’s feet.
“We went through all the forensics. It is not very consistent with cyber espionage from China, North Korea or Iran, and is most consistent with cyber espionage and behaviors we’ve seen out of Russia,” Kevin Mandia, CEO of FireEye, said at the Feb. 23 hearing.
George Kurtz, president and CEO of Crowdstrike, added that while his company could not corroborate an attribution to Russia, he has not seen evidence to contradict it.
The White House has continued to say the campaign is “likely Russian in origin,” but is waiting to complete a formal investigation before using more specific language. FireEye, which is credited with discovering the initial breach, has been more cautious, saying that the hack was likely the work of a state or state-sponsored actor.
Gregory Touhill, the federal government’s first chief information security officer and a retired Air Force brigadier general, said in January that formal attribution requires a level of proof that can stand up in court.
“When it comes to attribution, what the intelligence and law enforcement community has to do is …literally trace it all…