According to Microsoft’s analysis of the devastating SolarWinds hack, over 1,000 developers were involved.
The attack was described as “the largest and most sophisticated attack the world has ever seen,” by Microsoft president Brad Smith on US show 60 Minutes.
SolarWinds develops software to help businesses manage their networks, systems, and IT infrastructure. The company’s Orion solution is used by ~33,000 public and private sector customers.
In December, it was disclosed that Orion had been compromised and the attack went undetected for months. Months later, we’re still learning more about the sheer depth and scale of the attack.
“When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” Smith said.
Around 4,032 lines of code were behind the sophisticated attack which helped to avoid detection by running on US servers.
The attack has been attributed by various security researchers to the Russian state-linked hacking group Cozy Bear (also known as APT29).
Multiple government agencies were breached including US Homeland Security, Treasury, and Commerce. Other critical clients of SolarWinds that are still investigating whether they were compromised include NATO, the European Parliament, and the UK’s Ministry of Defence, NHS, and Home Office.
Smith compared the attack to those Russia allegedly launched against Ukraine’s supply chains.
“What we are seeing is the first use of this supply chain disruption tactic against the United States,” he said. “But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.”
Cybersecurity agency FireEye, which itself was compromised in the attack, said the hackers inserted “malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment” and found “indications of compromise dating back to the spring of 2020”.
While Microsoft called the malware Solorigate, FireEye named the malware SUNBURST.
(Photo by Nahel Abdul Hadi on Unsplash)
