Commentary

Comment: Mystery — and fear — mounts over SolarWinds hack

Months after the first incursions by Russian hackers, we still don’t know how bad the damage is.

By Timothy L. O’Brien / Bloomberg Opinion

Brad Smith, Microsoft’s president, made it clear in a Senate Intelligence Committee hearing last week that the federal government and leading members of the business community still don’t fully understand how digital burglars pulled off one of the most dangerous computer hacks in history.

“Who knows the entirety of what happened here?” asked Smith. “Right now, the attacker is the only one who knows the entirety of what they did.”

Intelligence analysts and technologists believe that the “attacker” is the Russian government and that about 1,000 of its operatives orchestrated a massive breach of at least 100 companies around the globe, as well as nine U.S. agencies. The Russians crept onto those servers by targeting SolarWinds, an Austin, Texas-based company that is a leading provider of network and information-technology software. Other undisclosed vendors may also have been involved.

The attack, which came to light late last year, set off alarms in the highest reaches of the government and corporate America, prompting the Biden administration to disclose plans to retaliate against Russia in coming weeks. The White House hasn’t offered details about what that response will entail, but has said it would involve more than diplomatic or economic sanctions. The response is also meant to signal the government’s distaste for a range of Russian activities, including digital disruption (such as interfering in U.S. elections), theft (such as sponsoring ransomware botnets and attempting to steal covid-19 vaccine research) and political vendettas (such as the poisoning and imprisonment of the Russian dissident Alexei Navalny).

But as two committees in the House of Representatives held a joint hearing Friday on the SolarWinds hack, featuring the same witnesses who testified before the Senate last Tuesday, it’s clear that glaring problems remain. Computer networks are vulnerable, information about how to defend and respond to attacks is scattered among private and public stakeholders who don’t freely share it with one another, and the Russian hack may be ongoing.

Although the Russians initially penetrated networks in the fall of 2019, and began lifting information last spring, the breach didn’t become publicly known until December, when FireEye — a Milpitas, Calif., company specializing in digital warfare — disclosed that it had been hacked. Cybersleuths in the federal government — including the National Security Agency — had not been aware of the hack. Corporate heavyweights at Microsoft weren’t aware until FireEye alerted them shortly after Thanksgiving and asked for help conducting a forensic analysis.

“Without this transparency, we would likely still be unaware of this campaign,” Smith said of FireEye’s alert. “In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity.”

It turned out that hackers had accessed and exploited Microsoft source code that authenticates customers using some of the software giant’s programs. Microsoft has since acknowledged that it hadn’t made sure its programs could detect the theft of identity tools providing cloud-computing access to its clients; a reminder that the cloud, overall, remains vulnerable to hackers and may be impossible to fully protect. FireEye also discovered attackers had breached its own private, in-house data center by piggybacking malware on a software update from SolarWinds. And SolarWinds, which hadn’t adequately protected its own systems, proved to be a leading nexus for a large portion of the attacks.

After sneaking into SolarWinds, the hackers deposited malware that gave them powers so broad they enjoyed “God-mode,” the ability to skirt encrypted protections and control everything on a network. The hackers masked their presence by replacing legitimate tools and utilities with their own and then depositing time bombs on a network. Then they covered their tracks by restoring the legitimate files. The malware was placed on SolarWinds’ supply chain, allowing it to travel onto victims’ networks whenever SolarWinds sent its customers a software update.

Sudhakar Ramakrishna, the chief executive of SolarWinds, said at the Senate hearing that his company still isn’t entirely sure how the hackers penetrated its systems, though his team has narrowed its investigation to three possibilities; unreassuring testimony given how long ago his company was breached. As many as 17,000 companies were imperiled in the Russian hack, according to Senate testimony.

Legislators attending Tuesday’s session, overseen by Sen. Mark Warner, D-Va., said they’re considering a national data breach reporting law, which would mandate hacking disclosures the private sector has long resisted due to concerns about reputational damage and legal liabilities. But Smith and Kevin Mandia, FireEye’s chief executive, both said that companies will have to embrace greater disclosure if they want to protect themselves.

Amazon.com, which operates a ubiquitous cloud computing business, was repeatedly criticized by legislators for not sending a representative to testify, even though hackers breached its servers and used them as staging grounds to strip data from government networks. Amazon has said it wasn’t victimized in the hack, and has already shared what it knows with law enforcement and the government.

Smith and Mandia also said that companies and governments seeking to protect themselves need to increase public-private collaboration and information-sharing, and take practical steps to strengthen supply-chain security, insulate networks and redefine how nation-states conduct themselves in cyberspace (good luck with that last one).

“There are still too many missing pieces of the puzzle,” Smith said. “We need a full examination of what other cloud services and networks the Russians have accessed. Before we as a nation can secure our digital ecosystem, we need to know that the Russian attackers are no longer present in the dozens or hundreds of networks in which they have accessed data or information through this attack.”

Scared yet?

Timothy L. O’Brien is a senior columnist for Bloomberg Opinion.

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Opinion

A Microsoft data center campus in East Wenatchee on Nov. 3. The rural region is changing fast as electricians from around the country plug the tech industry’s new, giant data centers into its ample power supply. (Jovelle Tamayo / The New York Times)
Editorial: Meeting needs for data centers, fair power rates

Shared energy demand for AI and ratepayers requires an increased pace for clean energy projects.

toon
Editorial cartoons for Thursday, Jan. 15

A sketchy look at the news of the day.… Continue reading

State must deliver on promises for state ferry system

Washington State Ferries’ crew shortages continue to cancel crucial sailings on Mukilteo-Clinton… Continue reading

State can’t tax income if robots take jobs

A recent Herald Forum commentary was essentially about how, “Everyone knows that… Continue reading

Comment: What Vance doesn’t get about ‘heritage’ or Americans

Ask the Founders or many who fought for the nation, immigrants are in every sense American.

Comment: Why Trump isn’t likely to back democracy in Venezuela

Based on Trump’s stated desire for control of the country’s oil, his best bet is its current autocracy.

Comment: Are we trending toward another devastating Dust Bowl?

It’s not a certainty, but heat and drought are more frequent in the U.S., upping the odds of the disaster’s return.

Tina Ruybal prepares ballots to be moved to the extraction point in the Snohomish County Election Center on Nov. 3, 2025 in Everett, Washington. (Olivia Vanni / The Herald)
Editorial: A win for vote-by-mail, amid gathering concern

A judge preserved the state’s deadline for mailed ballots, but more challenges to voting are ahead.

FILE - The sun dial near the Legislative Building is shown under cloudy skies, March 10, 2022, at the state Capitol in Olympia, Wash. An effort to balance what is considered the nation's most regressive state tax code comes before the Washington Supreme Court on Thursday, Jan. 26, 2023, in a case that could overturn a prohibition on income taxes that dates to the 1930s. (AP Photo/Ted S. Warren, File)
Editorial: No new taxes, but maybe ‘pay as we go’ on some needs

New taxes won’t resolve the state’s budget woes, but more limited reforms can still make a difference.

Washington state's Congressional Districts adopted in 2021. (Washington State Redistricting Commission)
Editorial: Lawmakers shouldn’t futz with partisan redistricting

A new proposal to allow state lawmakers to gerrymander congressional districts should be rejected.

toon
Editorial cartoons for Wednesday, Jan. 14

A sketchy look at the news of the day.… Continue reading

Burke: Work as a young caddy allowed a swing at life skills

Along with learning blackjack, Yiddish and golf’s finer points, it taught the art of observation.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.