Microsoft directly blamed Russia’s foreign intelligence service on Tuesday for a devastating security breach of at least nine federal agencies and dozens of private businesses, going further than US government officials have to date in their public attribution for the hack.
Testifying before the Senate Intelligence Committee, Microsoft President Brad Smith said it would likely take time for the US government to formally reach the same conclusion. But, he said, there is “not a lot of suspense at this moment in terms of what we’re talking about.”
“At this stage, we’ve seen substantial evidence that points to the Russian foreign intelligence agency,” Smith said, “and we have found no evidence that leads us anywhere else.”
US intelligence officials have so far said only that the attack was conducted by an actor who is “likely Russian in origin.”
The Biden administration is preparing sanctions and other retaliatory measures aimed at Russia over the hacking campaign, a US official familiar with the plans told CNN. Discussions about the response are still ongoing but could come within a matter of weeks, the official added, noting that the package will likely include sanctions and a cyber component. In outlining its response, the official said, the United States will argue that the breach goes beyond an isolated case of espionage and the response is being considered within the broader context Russia’s malign activities that have prompted condemnation from the Biden administration.
Tuesday’s hearing on the unprecedented spying operation marked the first public accounting to Congress of what went wrong last year when the IT software company SolarWinds unwittingly sent software updates to thousands of customers – including top federal agencies and businesses – that contained malicious code written by hackers.
The code enabled the hackers to execute highly sophisticated follow-up attacks that may have ensnared agencies ranging from the Department of Commerce to the Departments of Defense and State. The Justice Department has disclosed that up to 3% of its Microsoft email accounts were accessed in the breach.
With their level of access, the attackers could have done much more than simply snoop on files, said Kevin Mandia, the CEO of FireEye, one of the cybersecurity companies investigating the breach.
“They had a plan,” he told lawmakers. “They had collection requirements … they target government projects; they target things responsive to keywords. These folks have economy of movement – if they broke into your machine, sir, they string-search it. They find responsive documents. They get out of Dodge. They have an economy that shows they’re professional.”
The attackers also likely sought to evade detection by launching their attacks from servers located within the United States, Mandia and Smith said – echoing an earlier assessment by Anne Neuberger, the White House’s top cybersecurity official, who told reporters last week that by using US-based infrastructure, the hackers “made it difficult for the US government to observe their activity.”
“Advanced persistent threat actors know that the NSA is prohibited from surveilling domestic computer networks, so it makes sense for them to circumvent US surveillance whenever possible,” said Sen. Martin Heinrich at Tuesday’s hearing.
Amazon declined to take part in hearing
Amazon’s cloud hosting arm, Amazon Web Services, may also have some explaining to do, said Sens. Mark Warner and Marco Rubio, who lead the intelligence committee.
“We had extended an invitation to Amazon to participate,” Rubio said. “The operation we’ll be discussing today used their infrastructure, at least in part required it to be successful. Apparently they were too busy to discuss that here with us today, and I hope they’ll reconsider that in the future.”
Alongside Microsoft, Amazon is among the country’s largest providers of cloud hosting services and data centers. The use of Amazon’s infrastructure had not been previously disclosed. A spokesman for AWS didn’t immediately respond to requests for comment.
Kiersten Todt, managing director of the Cyber Readiness Institute, said Amazon’s decision not to testify could reflect a lack of preparation to speak publicly on the matter – but said that the senators’ invitation showed “there is an expectation they can add to the conversation, and them not showing up, you could be as dramatic as to say it’s negligent from a national security perspective.”
Gathering answers about the incident may now be the country’s best hope for preventing another such attack, especially as law enforcement agencies begin to probe other aspects of the spying campaign. US officials have repeatedly warned that SolarWinds was not the hackers’ only avenue for accessing victim networks; other vulnerabilities and attack methods unrelated to the company’s software are also known to have been used, though how widely is unclear.
The breach may also serve as a launchpad for renewed proposals for a federal data breach notification requirement, which Smith said should be a legal obligation for at least US tech companies. Other proposals circulated at the hearing included calls to improve communication between the public and private sectors about cybersecurity threats and attacks.
Asked by Sen. Angus King whether there needs to be a single federal agency charged with identifying the attackers, Mandia emphasized the support the US government must provide to private sector entities.
“Most organizations recognize we are expected to defend ourselves from the drive-by shootings on the information highway. But we shouldn’t have to defend ourselves from the SVR,” Mandia said, referring to Russia’s foreign intelligence agency. “That doesn’t seem like a benchmark this nation should set for every small and medium size company out there, that you need to defend yourself from a foreign intelligence service kind of hacking.”
How the attackers breached SolarWinds remains a mystery
How the attackers first breached SolarWinds in order to infect its software design process remains a mystery. SolarWinds is pursuing three theories for how the attackers were able to compromise the company’s software development process in the first place, said CEO Sudhakar Ramakrishna.
“We’ve been able to narrow [the hypotheses] down now to about three, which I hope will help us conclude to one,” he said. But, Ramakrishna added, SolarWinds is still “sifting through terabytes of data” in an effort to pinpoint how the attackers got inside.
Calling the security breach an “unfortunate and reckless operation,” Ramakrishna said SolarWinds takes seriously its obligation to better understand the attack and to prevent it from happening again. He also said more recent software updates by SolarWinds have addressed the flaw.
“We are embracing our responsibility to be an active participant in helping to prevent these types of attacks,” he said. “Everyone at SolarWinds is committed to doing so, and we value the trust and confidence our customers place in us.”
Ramakrishna later added that the type of supply-chain attack that compromised SolarWinds is possible in “any software development process, which is the reason why we believe dubbing it solely as the ‘SolarWinds hack’ is doing injustice to the broader software community and giving us a false sense of security, possibly.”
CNN’s Zachary Cohen, Geneva Sands, Satyam Kaswala and Alex Marquardt contributed to this report.