Ever since its discovery in December 2020, the SolarWinds hack has been the talk of the town. Experts have analyzed, dissected, and unearthed many vectors behind this stealthy attack. Even heavyweight tech giants like Malwarebytes, FireEye, and Microsoft have reported being affected by this devastatingly malicious act. In fact, Microsoft even acknowledged that the SolarWinds attackers had accessed its “Source Code.” And in a recent interview with the U.S. news magazine program 60 Minutes, Brad Smith, President of Microsoft, went on to label the SolarWinds hack “the largest and most sophisticated attack the world has ever seen.”
Microsoft’s Analysis of the SolarWinds Hack
While answering questions related to the hack, Smith said that Microsoft was carrying out a thorough internal investigation of the breach and had assigned a team of nearly 500 engineers to it. Smith added that, given the sophistication of the attack, the engineers began hunting for signatures that would lead them to the perpetrators. In doing so, however, they concluded that this was not the work of a small group of threat actors; instead, the engineers estimated that 1,000+ developers had worked on developing the malicious code in the first place. This implied that the attack was not just widespread but had been developed and executed by a large group, possibly a state-sponsored entity.
The analysis also pointed out that the SolarWinds Orion software comprises millions of lines of computer code, which made it easy for the threat actors to craftily re-write 4,032 lines of malicious code and hide them in plain sight from the SolarWinds developers.
An Alert FireEye Employee Opens the Eyes
The same 60 Minutes interview panel included Kevin Mandia, CEO of FireEye – the cybersecurity company that first discovered the attack on its own systems. Mandia credited the discovery to an alert security employee who first raised the flag on finding that two mobile numbers had been registered in the name of a single employee.
Due to the pandemic, FireEye had set up two-factor authentication (2FA) for remote login, tied to each employee’s registered mobile number. Mandia said that 2FA accepts only one phone number per employee, but it was in this data table at the backend that the security employee saw the additional entry. The security employee immediately called the employee in question and asked, “Hey, did you actually register a second device on our network?” and the employee replied, “No. It wasn’t, it wasn’t me.” This was where it all started.
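As an added illustration of the kind of check that surfaced the intrusion at FireEye (example code written for this article, not FireEye’s own tooling), the script below runs over a constructed 2FA registration table, flags every user whose number of registered devices exceeds the one-number policy, and lists the extra entries an analyst should confirm with the user. The user names, phone numbers, timestamps and the business-hours window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a backend 2FA device-registration table (not real data).
# Each row: (username, phone_number, registered_at in ISO format, registered_by)
MFA_REGISTRATIONS = [
    ("alice", "+1-555-0100", "2020-03-15T09:12:00", "alice"),
    ("bob",   "+1-555-0111", "2020-03-16T10:05:00", "bob"),
    ("carol", "+1-555-0122", "2020-03-16T11:30:00", "carol"),
    ("bob",   "+1-555-0199", "2020-11-20T02:47:00", "bob"),   # second device for bob, registered at night
    ("dave",  "+1-555-0133", "2020-03-17T08:00:00", "helpdesk"),
]

MAX_DEVICES_PER_USER = 1  # the "only one phone number" policy described in the article


def find_extra_registrations(rows, max_devices=MAX_DEVICES_PER_USER):
    """Return {user: rows sorted by registration time} for every user over the device limit."""
    by_user = defaultdict(list)
    for row in rows:
        by_user[row[0]].append(row)
    return {
        user: sorted(entries, key=lambda r: r[2])
        for user, entries in by_user.items()
        if len(entries) > max_devices
    }


def off_hours(timestamp, start_hour=7, end_hour=20):
    """True if a registration happened outside the assumed 07:00-20:00 business window."""
    hour = datetime.fromisoformat(timestamp).hour
    return not (start_hour <= hour < end_hour)


def triage(rows):
    """Produce one alert line per extra device: who to call and which number to ask about."""
    alerts = []
    for user, entries in find_extra_registrations(rows).items():
        # Entries beyond the policy limit are the newest ones; those need confirmation with the user.
        for _, number, registered_at, registered_by in entries[MAX_DEVICES_PER_USER:]:
            note = " (off-hours)" if off_hours(registered_at) else ""
            alerts.append(f"{user}: extra 2FA device {number} registered {registered_at} "
                          f"by {registered_by}{note}; confirm with user before trusting it")
    return alerts


if __name__ == "__main__":
    for line in triage(MFA_REGISTRATIONS):
        print(line)
```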
The security team at FireEye hunted through and analyzed all of its tools to find the vulnerability behind the compromise. But the attackers were highly sophisticated and, in Mandia’s words, “left no evidence of how they broke in – no phishing expeditions, no malware.”
But perseverance and the expertise that comes from working in the cybersecurity domain eventually paid off for FireEye. Their security team investigated every machine it could, and all fingers pointed to their third-party management software – SolarWinds Orion.
At the end of the discussion, Smith was asked whether the attack was still ongoing. He replied, “Almost certainly, these attacks are continuing.” We hope the security teams of all organizations are listening to this!