Microsoft President calls SolarWinds Hack an "act of ruthlessness"



Of the 18,000 companies that downloaded a backdoored version of software from SolarWinds, only the smallest sliver (possibly just 0.2 percent) received a follow-up hack that used the backdoor to install a second-stage payload. The largest populations to receive stage two were, in order, technology companies, government agencies, and think tanks/NGOs. The vast majority (80 percent) of those forty chosen targets were in the United States.

These numbers were provided in an update from Microsoft President Brad Smith. Smith also shared some insightful and sobering comments on the significance of this almost unprecedented attack. The numbers are incomplete, since Microsoft only sees what its Windows Defender app recognizes. Microsoft does see a lot, however, so any difference from the actual figures is likely a rounding error.

Crème de la crème

SolarWinds makes a near-ubiquitous network management tool called Orion. A surprisingly large percentage of corporate networks around the world run it. Nation-state-backed hackers (two U.S. senators who received private briefings said it was Russia) managed to compromise SolarWinds' software build system and release a security update containing a backdoor. According to SolarWinds, around 18,000 users downloaded the malicious update.

The month-long hack campaign only became known after the security firm FireEye disclosed that it had been breached by a nation-state. In the course of its investigation, the company's researchers found that the hackers had used the Orion backdoor not only against FireEye, but in a much broader campaign against several federal agencies. In the 10 days that have passed since then, the scope and discipline of the hacking operation have become increasingly apparent.

The SolarWinds hack and the backdooring of 18,000 servers was only the first phase of the attack, carried out solely to identify the targets of interest. These crème-de-la-crème organizations were probably the sole objective of the entire operation, which lasted at least nine months and possibly much longer.


The Microsoft numbers illustrate how targeted this attack was. The hackers behind this supply-chain compromise had privileged access to 18,000 corporate networks and followed up on only 40 of them.

The map below shows the sectors of these elite hack victims.


Violating norms

Smith tacitly acknowledged that all industrialized nations practice espionage, which includes hacking. What was different this time, he said, was that a nation-state had violated established norms by placing large parts of the world in real danger in pursuit of its goals. Smith went on to write:

It is important that we step back and evaluate the importance of these attacks in their full context. Even in the digital age, this is not “espionage as usual”. Instead, it is an act of ruthlessness that has created a serious technological vulnerability for the United States and the world. In fact, it is not just an attack on specific targets, but also on the trust and reliability of the world's critical infrastructure to advance a country's intelligence agency. While the recent attack seems to reflect a particular focus on the United States and many other democracies, it is also a haunting reminder that people in virtually every country are at risk and in need of protection, regardless of the governments under which they live.

Elsewhere in the post, Smith quoted FireEye CEO Kevin Mandia, who recently said, "We are witnessing an attack from a nation with world class offensive capabilities." Smith then wrote:

With Microsoft cybersecurity experts helping with the response, we came to the same conclusion. Unfortunately, the attack represents a comprehensive and successful espionage-based attack on the confidential information of the US government and the technical tools that companies use to protect it. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams respond to these attacks as first responders, these ongoing investigations show an attack of scale, sophistication, and impact.

The SolarWinds hack is emerging as one of the worst espionage hacks of the last decade, if not of all time. The precision and craftsmanship are nothing short of astonishing. As these elite victims find out over the next few weeks what the second phase did to their networks, this story is likely to keep developing.


Steven Gregory