The White House team leading the investigation into the SolarWinds hack is worried that the breach of 100 US companies has the potential to make the initial compromise a headache in future.
Anne Neuberger, deputy national security advisor for Cyber and Emerging Technology at the White House, said in a press briefing that nine government agencies were breached while many of the 100 private sector US organizations that were breached were technology companies.
“Many of the private sector compromises are technology companies including networks of companies whose products could be used to launch additional intrusions,” said Neuberger, a former director of cybersecurity at the National Security Agency.
Attackers that the US says are of “likely Russian origin” had compromised the software build system of US software vendor SolarWinds and planted the Sunburst backdoor in its widely used Orion product for monitoring enterprise networks.
That 100 private sector firms were breached in the attack paints a different picture to what was known in December, when Microsoft and FireEye, which were both breached, disclosed the attack.
At that stage there were eight federal agencies confirmed to have been breached, including the US Treasury Department, the Department of Homeland Security, the US Department of State, the US Department of Energy, and the National Nuclear Security Administration.
However, back then Microsoft and FireEye were the two most significant private sector companies known to have been compromised by the tainted Orion update (the Orion updates weren’t the only way that companies were infiltrated during the campaign, which also involved the hackers gaining access to cloud applications).
“When there is a compromise of this scope and scale both across government and across the US technology sector to lead to follow-on intrusions, it is more than a single incident of espionage. It’s fundamentally of concern for the ability of this to become disruptive,” Neuberger explained during questioning.
She stressed that the attackers were “advanced” because the “level of knowledge they showed about the technology and the way they compromised it truly was sophisticated.”
“As a country we chose to have both privacy and security, so the intelligence community largely has no visibility into private sector networks. The hackers launched the hack from inside the United States, which further made it difficult for the US government to observe their activities,” she said.
Microsoft president Brad Smith told 60 Minutes last week that it was “probably fair to say that this is the largest and most sophisticated attack the world has ever seen.”
Smith previously said the attackers “used a technique that has put at risk the technology supply chain for the broader economy.”
“We believe it took [the attackers] months to plan and execute this compromise. It’ll take us some time to uncover this, layer by layer,” said Neuberger.
Neuberger said she expected the investigation, as well as identification and remediation of affected networks, would take months but not years to complete.