‘They may be in the system’: Questions remain on SolarWinds hack

The US House of Representatives Oversight and Homeland Security Committees held a joint hearing on Friday on the implications of the ongoing SolarWinds hack for the government and private industry.

The hack, which was discovered by private security company FireEye in December, has ravaged roughly 18,000 customers and at least nine government agencies.

SolarWinds is a US-based company that develops system management software for use in businesses and organisations. Authorities have said the attack gathered intelligence, but they have yet to give specifics.

Representative Carolyn B Maloney, chairwoman of the Oversight Committee, said “a sophisticated attacker reported to be the Russian government broke into the SolarWinds system and inserted malicious code into its software … nearly 18,000 customers downloaded updates containing the malicious code”.

Maloney said the hack, which was spread through a vulnerability in widely used Microsoft cloud software, affected law enforcement agencies, and more than 100 private companies involved “in foreign affairs and national security … And that’s just what we know. There’s much more that we still don’t know. We still don’t know if they’re still in the system.”

Eleanor Norton, the District of Columbia’s delegate to the House who is a member of the Oversight committee, said “the information I’ve been given, is that the breaches included the Department of Energy, including a component responsible for managing the nation’s nuclear weapons” and the “roughly 3,500 accounts” from the Justice Department.

Lawmakers on both committees pressed representatives of SolarWinds, Microsoft and FireEye on how to prevent these attacks from happening in the future.

Microsoft President Brad Smith told the joint hearing his company needs to focus on securing the software supply chain, but what “we need to do is think much more broadly, we need to focus on the modernisation of the information technology infrastructure. And we need to apply more broadly cybersecurity best practices.”

For example, most cybersecurity experts recommend two-factor authentication and complex passwords. Reuters reported the company was informed in 2019 that its updates server password, “solarwinds123”, was highly vulnerable.

Reuters further reported hackers have claimed they could sell access to SolarWinds’ computers since 2017 by faking the identity of authorised employees to gain access to cloud services.

Smith said in the US “today there’s a shortage of more than 300,000 trained cybersecurity personnel. And this is something that we as a tech company like Microsoft can focus on addressing by helping colleges and universities, high schools, and others, develop the people we will need in the future.”

Smith previously said investigators estimate at least 1,000 highly skilled engineers would have been required to develop the code used to hack SolarWinds.

US national security officials have also said Russia was likely responsible for the breach, and President Joe Biden’s administration is weighing punitive measures against Russia for the hack as well as other activities.

Russia has denied responsibility for the breach.

China, too, has reportedly gained access to US government files through the vulnerability. Beijing has denied this.

The hack was downplayed by former President Donald Trump, whose administration demoted cybersecurity as a policy field.

Biden has announced cybersecurity will be a priority in his administration. Under a recent law, Biden must open a cyber-focused office reporting to a new National Cyber Director, who will coordinate the federal government’s vast cyber capabilities.