Executives of U.S. technology companies told lawmakers on February 23 that a recent breach of corporate and government networks was so sophisticated that a nation had to be behind it and said all the evidence points to Russia.
The hearing was the first to examine the hack, which was discovered by private security company FireEye in December. It was later revealed that hackers slipped malicious code into updates of network management software made by the U.S. company SolarWinds, which was then downloaded by several branches of the U.S. government and several U.S. and European corporations.
U.S. intelligence officials and industry sources had previously blamed the intrusion on Russian hackers. Moscow has denied any involvement.
But the technology executives said that the evidence points to Russia as they described the precision, ambition, and scope of the attack.
“We asked ourselves how many engineers do we believe had worked on this collective effort. And the answer we came to was…at least 1,000, very skilled, capable engineers,” Microsoft President Brad Smith told the Senate Intelligence Committee.
“We’ve seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else,” Smith said.
Smith told the committee that the true scope of the intrusions is still unknown because most victims are not legally required to disclose attacks unless they involve sensitive information about individuals.
President Joe Biden’s administration is weighing punitive measures against Russia, and White House press secretary Jen Psaki said it would be “weeks not months” before the U.S. responds.
“We have asked the intelligence community to do further work to sharpen the attribution that the previous administration made about precisely how the hack occurred, what the extent of the damage is, and what the scope and scale of the intrusion is,” Psaki said. “And we’re still in the process of working that through now.”
At least nine government agencies and 100 private companies were breached, but what was taken has not been revealed. U.S. government agencies affected include the Treasury, Justice, and Commerce departments, but the full list has not been publicly released.
Smith said there are victims around the world, including in Canada, Mexico, Spain, and the United Arab Emirates.
Microsoft revealed in December that the hackers were able to gain access to its closely guarded source code but said they did not have permission to modify any code or engineering systems.
FireEye CEO Kevin Mandia told the Senate committee that his company has nearly 100 people working to study and contain the breach.
He said the hackers first installed malicious code in October 2019 but didn’t activate it immediately in order to see if they could remain undetected. They then returned in March and began to steal the log-in credentials of people who were authorized to be on the networks so they could have a “secret key” to move around at will, Mandia said.
The Senate committee also heard from Sudhakar Ramakrishna, the CEO of SolarWinds, who took over the company after the hack occurred, and George Kurtz, the president and CEO of CrowdStrike, another leading security company.
Ramakrishna said his company still has not found how the hackers managed to slip malware in the middle of the software supply chain at the point where completed code is tailored to users’ configurations.