A cyberespionage campaign waged by Russian foreign intelligence on U.S. companies and government institutions was of a scale and sophistication never before seen, technology executives told the Senate Select Committee on Intelligence on Tuesday.
“A thousand very skilled, capable engineers worked on this,” said Brad Smith, president of Microsoft Corp.
“We haven’t seen this level of sophistication matched with this kind of scale.”
The attack was part of a “multi-decade campaign” on the part of the Russian government to infiltrate American corporations and government agencies, said Kevin Mandia, CEO of cybersecurity firm FireEye
that began to spread widely after hackers surreptitiously installed malicious code into an update of SolarWinds Corp.
software used by thousands of companies and government agencies to administer information technology infrastructure.
Mandia said that the hackers did a “dry run” in October 2019, using innocuous code, to test whether malicious code would spread as widely as it did. The malicious code was launched in March 2020 and not discovered until December, when FireEye detected a breach of its own network and reported it publicly.
There has been some debate over the degree of confidence to which authorities can blame Russia for the attack, after former President Donald Trump said last year that China could be behind the attack, but the witnesses at the hearing said the campaign was likely waged by Russia. “We’ve seen substantial evidence that points to Russian foreign intelligence and we have no evidence that leads us anywhere else,” Smith said.
Ann Neuberger, the Biden administration’s deputy national security advisor for cyber and emerging technology, said last week that 18,000 different entities downloaded the malicious software update and that the hackers then chose nine federal agencies and roughly 100 private-sector companies to compromise. Reports indicate that the U.S. Departments of State, Homeland Security, Treasury and Defense were all breached.
The Biden administration is preparing sanctions and other measures to punish the Russian government for the SolarWinds attack and other transgressions, the Washington Post reported Tuesday, but senators were also eager to learn which new policies could be put in place to help defend against future attacks.
Sen. Mark Warner of Virginia, the Democratic chairman of the intelligence committee, suggested the implementation of a “mandatory reporting system” that would require companies to disclose breaches of their system to the government so that the public and private sector can more quickly respond in concert to threats.
Warner also suggested that broad international cooperation is needed to mitigate the threat of such attacks on countries around the world. “Do we need norms in cyberspace — that are enforceable — like we have in other forms of conflict?” he asked. “We don’t bomb ambulances in war,” he added, suggesting that international norms against subverting software update processes should be fought for.
Witnesses agreed that without effective diplomacy, it will be nearly impossible for U.S. companies to protect themselves from sophisticated foreign actors.
“We’re all playing goalie and we’re taking slap shots from Wayne Gretzky,” FireEye’s Mandia said. “The puck’s going to get in the net sooner or later. Folks are taking slapshots and literally there are no risks of repercussion for those doing it.”