More SolarWinds Hack Victims Yet to Be Publicly Identified, Tech Executives Say

WASHINGTON—Technology executives who responded to the hack of federal government computer systems by suspected Russian agents told senators Tuesday the attack was likely wider, more complex and harder to trace than had previously been known.

The executives said the attack, which compromised at least nine federal agencies and 100 private companies, revealed systemic vulnerabilities in the software supply chain that all U.S. businesses and government institutions rely on. The executives suggested further key victims have yet to be publicly identified.

In the first Senate hearing since the so-called SolarWinds hack was discovered in December, Intelligence Committee Chairman Sen. Mark Warner (D., Va.), said the hack drew attention to longstanding cybersecurity issues that require a federal response.

“Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” Mr. Warner said. “The footholds these hackers gained into private networks—including of some of the world’s largest IT vendors—may provide opportunities for future intrusions for years to come.”

He called on Congress to consider legislative and policy proposals, such as the creation of a federal entity akin to the National Transportation Safety Board to quickly examine major breaches for systemic problems, a mandatory reporting system paired with liability protection, and enforceable international cyberspace norms akin to prohibitions against bombing ambulances in wartime.

Some powerful Republicans, including Sen. Marco Rubio of Florida, the panel’s vice chairman, and Sen. John Cornyn of Texas, signaled that they were open to passing a national data breach reporting law. Such a measure has been debated in Congress for years but never passed, in part because Republicans have been wary of enacting robust mandates on businesses.

On Tuesday, senators in both parties also expressed a desire to encourage or require the private sector to share more cyber threat information with the government. The lack of such sharing has bedeviled Congress for years despite a 2015 law intended to address shortfalls.

The SolarWinds hack, named for SolarWinds Corp., the network-management software firm whose software was one of the primary entry-points for the hackers, was one of the most significant yet to be probed by Congress. Officials have described the breach as one of the worst U.S. intelligence failures on record.

In what has widely been described as a Russian espionage operation, the hackers surreptitiously hijacked a software update of a SolarWinds tool widely used throughout the government and private sector. Many other companies and government agencies believed to have been hit by the same team of hackers hadn’t used SolarWinds software. Moscow has denied responsibility.

In his opening remarks, SolarWinds Chief Executive Officer Sudhakar Ramakrishna sought to highlight that SolarWinds appeared to be only one front of a broader espionage campaign by Russia, apparently for over a year, without detection.

From left, FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith at Tuesday’s hearing.

He said SolarWinds was still investigating how the hackers first compromised the company—allowing them easy access to infiltrate SolarWinds’ customers—adding that his team had narrowed possibilities down to three, which he didn’t detail.

Brad Smith, the president of Microsoft Corp., which has confirmed that the hackers accessed its corporate network and hijacked its office products in some attacks, also said during the hearing that other supply-chain attacks appeared to be used as entry points.

He called for an investigation into what other cloud-services providers had been affected. He said that the scope of the attack was obscured because companies aren’t typically legally compelled to disclose breaches unless sensitive personal information of individuals is accessed by hackers.

“There may be other brand-name players that may have been penetrated that have not been as forthcoming…leaving policy makers and potentially customers in the dark,” Mr. Smith warned. He added that Microsoft believes that the hackers ultimately may have used “up to a dozen” different means of getting into victims’ networks over the past year—a higher estimate than previously understood.

Mr. Warner agreed that other well-known information-technology and cloud-service firms have likely been implicated and said the committee would work to ensure their “public and active participation” in the investigation into the Russian hacking operation.

Amazon Web Services was also invited to testify but declined, said Mr. Warner. Several other senators criticized Amazon Web Services—whose infrastructure was used by the hackers to support some of their attacks—for not appearing, saying they lacked critical information from the company. Amazon didn’t respond to a request for comment.

“They have an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” said Sen. Susan Collins (R., Maine). She and Sen. Ben Sasse (R., Neb.) said the panel should consider steps to compel them to participate.

Kevin Mandia, the chief executive of FireEye Inc., a cybersecurity firm that was also compromised in the SolarWinds hack and first identified the attack, said Tuesday that while the company had observed a small number of victims in Europe, Asia and the Middle East, the majority of those compromised in the attack “were government, consulting, technology and telecommunications entities in North America.”

The hackers were inside FireEye’s network for a couple of months before the firm detected them, though not consistently active, Mr. Mandia said.

The Biden administration continues to attempt to understand the full scope and severity of the hack but is looking to respond to Russia soon, officials have said.

While the intelligence community is still working to “fine-tune the attribution” for the hack to Moscow, the administration is “weeks, not months” away from retaliatory actions, White House press secretary Jen Psaki said Tuesday.

Write to Dustin Volz at dustin.volz@wsj.com

Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.
