Leading technology firms said Tuesday that a month-long hack of corporate and government networks was so sophisticated, focused and labor-intensive that a nation had to be behind it, with all the signs pointing to Russia.
At the first congressional hearing on the breach, representatives of technology firms participating in the response described a hack of near-unprecedented precision, ambition and scale. Working from a target list spanning the U.S. and other nations, the attackers stealthily scooped up specific emails and records.
Microsoft President Brad Smith told the Senate Intelligence Committee, “We have not seen this kind of sophistication matching this type of scale.”
Forensic experts also estimated that it must have taken at least 1,000 highly qualified programmers to create the code that hijacked widely used network software from Texas-based SolarWinds to distribute malware around the world via a security update.
Smith said, “We have seen substantial evidence pointing to the Russian foreign intelligence agency and we have not found any evidence leading us anywhere else.”
U.S. national security authorities have already said that Russia is likely to be responsible for the breach, and the administration of President Joe Biden is weighing punitive action for the hack and other actions against Russia. Moscow claimed responsibility for the breach.
The purpose of the hack, which was discovered by private security firm FireEye in December, appeared to be to collect data, officials have said. What data, they did not say.
At least nine government departments and 100 private businesses were breached, but it was not revealed what was taken.
White House press secretary Jen Psaki said on Tuesday that it would be “weeks not months” before the U.S. responded to Russia.
“We asked the intelligence community to do further work to sharpen the attribution made by the previous administration about exactly how the hack occurred, what the scale of the damage is, and what the scope and scale of the intrusion is,” said Psaki. “And now we are still in the process of working that through.”
FireEye CEO Kevin Mandia told the Senate that his company has had about 100 employees working to study and mitigate the intrusion since it discovered the breach, almost by accident, in December and alerted the U.S. government.
The hackers first secretly deployed malicious code on targeted networks in October 2019 but did not activate it, in order to see whether they could stay undetected. They returned in March and immediately started stealing the login credentials of people authorized to be on the networks so that they could have a “secret key” to move about at will, said Mandia.
Once found, he said, “They vanished like ghosts.”
The security executive said, “There is no doubt in my mind that this was planned. Really, the question is where the next one is, and where are we going to find it?”
The breached government offices include the departments of Finance, Justice and Trade, but the full list has not been officially released. Microsoft’s president, who is working with FireEye on the response, said that there are victims worldwide, including in Canada, Mexico, Spain and the United Arab Emirates.
The panel, which also included Sudhakar Ramakrishna, the SolarWinds CEO who took over the company after the hack occurred, and George Kurtz, president and CEO of CrowdStrike, another leading security company, raised concerns not only about how the attack occurred but also about whether hacking victims should be legally required to come forward after they have been hacked. Even now, three months after the breach was announced, the identities and number of the victims remain unclear.
In the past, Congress has debated whether to force firms to disclose that they have been the target of a hack, but the idea has raised legal issues, including whether consumers might hold them responsible for the loss of data.
U.S. officials are now debating whether to grant the Cybersecurity and Infrastructure Department or other departments more tools and authority so that they can play a more forceful role in working to deter potential breaches.
Another measure that has been discussed is to establish a new agency, similar to the National Traffic Safety Board, that would immediately step in to investigate a breach and decide whether there are issues that need to be addressed.
Sen. Ron Wyden, one of the Senate’s most influential figures on cyber issues, cautioned that the U.S. should first make sure that the federal departments breached in this incident had taken appropriate security precautions.
Wyden, an Oregon Democrat, said, “The idea the American people could get from this hearing is that the hackers are such powerful enemies that there was nothing the American government or our largest tech firms might have done to defend themselves. My view is that the message is leading to privacy-violating legislation and billions of additional cybersecurity taxpayer funds.”