Probably one of the most notable cybersecurity events in the last decade was the discovery of the SolarWinds breach, caused by Russian APT (Advanced Persistent Threats) group Cozy Bear -with breaches discovered as recently as 2019 through 2020. There have been constant new developments and discoveries on the event in the meantime. Just yesterday, the SolarWinds investigation resulted in a hearing with the U.S. Senate Select Committee on Intelligence. The CEOs of CrowdStrike, FireEye, Microsoft, and SolarWinds participated in the first U.S. Senate panel hearing concerning their conduct following the critical government data breach that will lead the Biden administration to deliver U.S. sanctions (and possibly other penalties) on Russia.
What Was The SolarWinds Breach?
In 2020, specifically in December, a major cyberattack involving Russian APT29 group Cozy Bear impacted thousands of organizations globally including the U.S. government. Russia’s intelligence (SVR) and Cozy Bear were discovered to be involved in a breach that affected SolarWinds. The attack went on undetected since around March. High-level cybersecurity company FireEye (now Mandiant) reported the event on December 13th, stating the appearance of a “global intrusion campaign” in their report. FireEye further stated that the group “gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software”. Upon breaching the systems, the group had accessed “numerous public and private organizations around the world”. The group injected malware into software updates for customers using SolarWinds’ Orion software, allowing for a ‘backdoor‘ trojan to be used for espionage of the high-priority customers. The breach affected approximately 18,000 of SolarWinds’ 300,000 customers, which included the U.S. Treasury Dept. and Homeland Security as well as 100 private companies. The hack was launched from within the U.S.
Who is SolarWinds?
SolarWinds Inc. is a U.S.-based software development and network management company that caters to the Fortune 500, as well as federal agencies. SolarWinds’ customer base comprises around 300,000 customers in total.
Details About The U.S. Senate Hearing
On Tuesday, the first proper Senate hearing involving the heads of tech companies, some of whom directly fell victim to the SolarWinds hack campaign, was held. Specifically, the CEOs of CrowdStrike, SolarWinds, FireEye, and Microsoft attended. The reason for the hearing was ongoing pressure from U.S. senators to clarify the details of the attack, and for heads of tech to give their testimonials, as well as cybersecurity recommendations to the panel. Furthermore, the U.S. government wanted concrete suggestions on a plan to defend against future ‘nation-state’ attacks. Brad Smith, Sudhakar Ramakrishna, George Kurtz, and Kevin Mandia, who are the CEOs of Microsoft, SolarWinds, CrowdStrike, and FireEye respectively, gave their testimonials at the hearing. Some key details from the hearing include;
The breach was a result of years of previous efforts A test run by the attack group was conducted in October 2019 The attack group is most probably of Russian origin An estimated 1,000 individuals were part of the breach effort The scale and sophistication of the breach is unprecedented Forming a centralized cybersecurity agency within the federal U.S. government was suggested It is unclear whether the attack is continuing The scale and scope of the attack is unclear
A Difficult Time For Cyber-Intelligence
The executives shared insights on what exactly went on in their systems due to the breach and were in agreement about the fact that the U.S. needs a centralized attack reporting and sharing intelligence system, that will make a defense against future threats much more efficient and give insight into the security of the private sector. The New York Times wrote that “The hearing was a rare public airing of one of the biggest failures of American intelligence since Pearl Harbor and Sept. 11,2001, terrorist attacks”. CEO of FireEye, Kevin Mandia stated that the attack group is going to be back, and will be “an ever-present offense”. CEO of Microsoft Brad Smith emphasized the need for a “digital Geneva convention”.
Biden Administration Response
As Deputy National Security Advisor Ann Neuberger for Cyber and Emerging Technology of the Biden administration put it; “There’s a lack of domestic visibility, so as a country, we choose to have both privacy and security”, “So the intelligence community largely has no visibility into private-sector networks”. The administration is preparing “executive action”, and apparently eight actions will be passed that “will be part of an upcoming executive action to address the gaps we’ve identified in our review of this incident” said the recently appointed coordinator of the breach, Ann Neuberger. The Biden administration confirms that a response is in order. National security advisor Jake Sullivan told CNN’s Christiane Amanpour that steps against those responsible will be taken “weeks from now”. Furthermore, he told Christiane Amanpour that “You will be hearing about this in short order”. Jake Sullivan also added that there is “intense work underway now to remediate this specific hack and ensure that the threat actor is expunged from federal government systems on a forward-going basis”.