More Than 1,000 Engineers Clandestinely Worked on The SolarWinds Attack

Solarwinds logo seen on the smartphone screen, with simple C attack code on the paper background

According to Brad Smith, president of Microsoft, “Solorigate” is one of the largest and most sophisticated cyberattacks ever. Potentially as far back as October 2019, attackers managed to compromise a popular piece of third-party software from SolarWinds. Months later they hid a virus in a routine software update that quickly spread to more than 18,000 computer networks. The core of the hack? 4,032 lines of malicious code, written by at least a 1,000 engineers…

Extremely Well-Orchestrated Attack

In the latest episode from 60 Minutes, Brad Smith, president of Microsoft, talked with correspondent Bill Whitaker about their investigation into the Solorigate incident. Microsoft is one of SolarWinds’ customers. Just like hundreds of other public and private entities, including many Fortune 500 companies and governmental organizations, Microsoft fell victim to an extremely well-orchestrated cyberattack.

One of Bill Whitaker’s first questions was: “You guys are Microsoft. How did Microsoft miss this?” To which Brad Smith responded that the sophistication of the attackers meant they had “an asymmetric advantage for someone playing offense”. Microsoft assigned 500 engineers to investigate the incident. One of them compared it to a Rembrandt painting. “The closer we looked, the more details emerged.”

1,000 Engineers And 4,032 Lines of Code

Microsoft quickly wondered how many engineers would have worked on an attack of such scale and ingenuity. “The answer we came to was, well, certainly more than a thousand.” The hackers used SolarWinds Orion as a backdoor to penetrate hundreds of tech companies and various government agencies.

The SolarWinds Orion platform is very popular and for many organizations indispensable to connect, manage and monitor their computer networks. It’s made up of millions of lines of computer code. “4,032 of them were clandestinely re-written”, confirmed Brad Smith. Next, the hackers buried the malicious piece of code deep within a software update.

Anyone who downloaded and installed the update, automatically let a Trojan horse in. Once inside, the threat actors elevated their privileges so they could, for instance, impersonate account users on the network. In this way, they were able to easily rummage through the victim’s system undetected.

Trojan Downloaded 18,000 Times

Cybersecurity company FireEye was the first to discover the SolarWind breach. In the same 60 Minutes episode Kevin Mandia, FireEye’s director, explains how discovered it. Apparently, security staff noticed that an employee working from home during the Covid-19 pandemic had two phones registered to their name for two-factor authentication. One of the numbers wasn’t his. “The hackers left no evidence of how they broke in, no phishing expedition, no malware.”

FireEye decided to leave no rock unturned. “It was not easy. We took a lot of people and said: look in every machine and find any trace of suspicious activity.” The only thing that kept coming back was some evidence of compromise in the SolarWinds system. Kevin Mandia added: “I can tell you this, if we didn’t do investigations for a living, we wouldn’t have found this. It takes a very special skill set to reverse engineer a whole platform that’s written by bad guys to never be found.”

18,000 of SolarWinds 300,000 customers around the globe downloaded the software update before FireEye informed other entities about the attack on 13 December. The list includes almost all of the US Fortune 500 companies, numerous educational institutions, technology companies, the top ten US telecom firms, the US Pentagon, intelligence agencies, and the Office of the then President of the US.

Likely Russian In Origin

The prime suspect? The Russian SVR. The SVR is the Foreign Intelligence Service that conducts intelligence and espionage activities outside the Russian federation. The way the intruders moved through networks to collect intelligence and the nature of the organizations they targeted points to a large and sophisticated hacking group. Russia, however, completely denies any involvement. Nonetheless, US agencies and many cybersecurity experts are convinced.

In January, the FBI, CISA, ODNI and the NSA published a joint statement about the incident. They identified an Advanced Persistent Threat (APT) actor, “likely Russian in origin”, as the party responsible for the SolarWind attacks. Brad Smith compared the attack to similar strategies previously employed by Russia in the Ukraine. He did not point the finger directly at Russia, but did say that “it’s not the first time they’ve witnessed it”. John Miller, CEO of Boldend, another of the cybersecurity experts 60 Minutes spoke to, called it “an act of cyber terrorism”.

Many are convinced that the attack is still ongoing. Consequently, new companies are being breached. “Normally, when you catch someone in the act, they stop. That’s not the case with this breach”, explained John Miller. In additon, strange twists also keep emerging. Last week, Reuters reported that the breach of the National Finance Center was caused by Chinese hackers. They exploited a different bug in SolarWind Orion’s code to spread across already compromised networks.

To be continued, without a doubt…

IT communication specialist
Sandra has many years of experience in the IT and tech sector as a communication specialist. She's also been co-director of a company specializing in IT, editorial services and communications project management. For she follows relevant cybercrime and online privacy developments.