Details about the SolarWinds hack continue to emerge months after the supply chain mega-breach was first discovered late last year. The latest revelations come from Microsoft, which is calling the cyber-attack the most sophisticated of all time.
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Brad Smith, president of Microsoft, told CBS News’ 60 Minutes.
By the time Smith learned of the attack last November, Russia-linked adversaries had already accessed Microsoft’s source code. The hackers had entered the systems of Microsoft and others by injecting malicious code into the SolarWinds monitoring software, which was then installed by 18,000 businesses and government organizations.
The attack was hugely damaging. Attackers used SolarWinds to leapfrog into the networks and systems of multiple organizations, where they remained hidden for months, stealing valuable business IP.
SolarWinds: A Sophisticated Cyber-Attack
When CBS’ Bill Whitaker asked how Microsoft missed the breach, Smith said the attackers had an advantage: “I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.”
Smith said Microsoft hired 500 engineers to dig into the attack, but he estimates over 1,000 malicious developers were needed to actually perform the breach.
But Cyjax CISO Ian Thornton-Trump, who worked for SolarWinds years before the hack, points out that security at SolarWinds was lax. “The attack was sophisticated, no question. The problem was, it was trivial to get inside.”
Indeed, he points out, “this epic hack would have taken far more effort if establishing a foothold in the SolarWinds network was more difficult.”
SolarWinds Is ‘Reflecting On’ Its Security Practices
Yet SolarWinds acknowledges the need for changes following the 2020 breach. The firm’s new CEO Sudhakar Ramakrishna wrote in a recent blog that SolarWinds is urgently adding security controls and working to evolve into a “secure by design” company.
“Armed with what we have learned of this attack, we are reflecting on our own security practices and seeking opportunities to enhance our posture and policies. I am doing that by working directly with the SolarWinds team to lead the immediate improvement of critical business and product development systems, with the goal of making SolarWinds an enterprise software industry security leader.”
Earlier this month, a handful of “severe” vulnerabilities were discovered in SolarWinds Orion. One of the flaws could have allowed a hacker to gain complete remote control of a targeted SolarWinds system, according to researchers at security company Trustwave.
SolarWinds: “No one company could protect itself against a sustained and unprecedented attack of this kind”
SolarWinds sent me a statement over email, which reads: “SolarWinds was one of a number of targets of a highly sophisticated, broad and coordinated cyber-attack by a foreign government that compromised multiple software companies.
“It is widely understood that no one company could protect itself against a sustained and unprecedented attack of this kind, as was experienced by us and the broader software industry.
“This attack and its subsequent exploitation underscore the need for a public and private partnership through which all leading companies in the tech sector are empowered to partner with the U.S. government and its agencies to create a more secure environment for all.”
The spokesperson told me that the company believes that its investment in security has “consistently been appropriate for a company of our size,” adding that the firm has “continued to increase that spend by double-digit percentages annually since 2017.”
SolarWinds says its investments are in line with those “recommended by industry analysts such as IDC” and highlighted that the firm “hired a very experienced VP of security” in 2017.
“Armed with what we have learned about this attack, we are fortifying and implementing additional security practices in our infrastructure and software development processes,” the spokesperson says. “We hope to set a new standard in this regard and are committed to sharing our learnings and implementation plans with the industry.”
SolarWinds: A Stealthy And Damaging Hack
Thornton-Trump describes how, once inside SolarWinds, the hackers were able to “completely document and replicate the build environment.”
“They needed to do most of the malware testing offline because if a build failed because of the malicious code, their sinister plot to infect Orion would be revealed. They only had one chance to get the malware into place to do its thing without revealing their compromise. This was the sophistication in the planning and then in the testing to see if they could pull it off.”
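The failure mode Thornton-Trump describes, malicious code inserted inside the build environment so that the source tree itself still looks clean, has a well-known defensive counterpart: rebuild the same sources independently and compare the artifacts. The script below is an added illustration written for this article, not SolarWinds or Microsoft code; the toy “compiler”, the source files, the manifest and the tampered build hook are all constructed for the example.

```python
"""Detect build-time tampering by comparing two independent builds.

Added example (not from the article): a minimal model of an attacker
modifying code at build time rather than in the repository. Source-file
digests still match the reviewed manifest, but an independent rebuild of
the same sources produces a different artifact, which is the signal a
defender can act on. All inputs are constructed for the example.
"""
import hashlib

# Constructed source tree: file name -> contents.
SOURCE_TREE = {
    "main.c": "int main(void) { return run(); }\n",
    "run.c": "int run(void) { return 0; }\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def source_manifest(tree):
    """Per-file digests, as a reviewer would record them at commit time."""
    return {name: sha256(content.encode()) for name, content in sorted(tree.items())}


def build(tree, build_step=None):
    """Toy deterministic 'compiler': concatenates sources in a fixed order.

    build_step models a hook inside the build environment. A clean build
    passes each source through unchanged; a compromised build environment
    would supply a hook that rewrites sources on the fly.
    """
    output = b""
    for name in sorted(tree):
        src = tree[name]
        if build_step is not None:
            src = build_step(name, src)
        output += f"// {name}\n{src}".encode()
    return output


def tampered_build_step(name, src):
    """Constructed model of build-time injection: only 'run.c' is changed,
    and only in memory, so the source tree on disk is untouched."""
    if name == "run.c":
        return src.replace("return 0;", "injected_call(); return 0;")
    return src


def verify_sources(tree, manifest):
    """Return the names of source files whose digest differs from the manifest."""
    current = source_manifest(tree)
    return [name for name in manifest if current.get(name) != manifest[name]]


def compare_builds(artifact_a, artifact_b):
    """Reproducible-build check: two independent builds of identical sources
    must yield identical artifacts. Returns True when the digests match."""
    return sha256(artifact_a) == sha256(artifact_b)


def audit(tree, manifest, production_build_step):
    """Run both checks and return (source_mismatches, artifacts_match).

    The production build uses the (possibly compromised) build environment;
    the independent build models a clean rebuild on separate infrastructure.
    """
    mismatches = verify_sources(tree, manifest)
    production = build(tree, production_build_step)
    independent = build(tree)
    return mismatches, compare_builds(production, independent)


if __name__ == "__main__":
    manifest = source_manifest(SOURCE_TREE)
    print("clean pipeline:     ", audit(SOURCE_TREE, manifest, None))
    print("tampered build step:", audit(SOURCE_TREE, manifest, tampered_build_step))
```

With the tampered hook in place the source check reports no mismatches, yet the two artifacts differ, which is exactly why a source-only review would not have caught the injection and why an independent rebuild is the check worth investing in.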
SolarWinds was a stealthy and stunningly damaging breach and a stark warning to all firms of the importance of getting the security basics right. As Thornton-Trump points out: “If you leave your door unlocked you can let 1,000 hackers into your living room.”
Author’s Statement: I’m a freelance cybersecurity journalist with over a decade’s experience writing news, reviews, and features. I report and analyze breaking cybersecurity and privacy stories with a particular interest in cyber warfare, application security, and data misuse by the big tech companies. In addition to Forbes, you can find my work in Wired, The Times, The Economist, and The Guardian. Contact me at firstname.lastname@example.org.