The March 2020 attack by Russian cyber soldiers using advanced malware that was delivered indiscriminately to 18,000 private and U.S. government computer networks via a software security update – including the agency that protects and transports the U.S. nuclear arsenal – is being called the largest, most sophisticated software hack ever by the president of tech giant Microsoft. The company’s president, Brad Smith, appears in Bill Whitaker’s investigation into the unprecedented cyberattack on the next edition of 60 Minutes, Sunday, February 14 at 7 p.m. ET/PT on CBS.
The attack was hidden deep inside an update for SolarWinds Orion, a piece of advanced information technology software used by organizations worldwide to connect, manage and monitor their computer networks. To date, no one is sure how the hackers got into SolarWinds, or if it is the only vector of attack. One of the victims is Microsoft, where an intruder gained access to the source code for some Microsoft products. How did Microsoft miss this? “I think that when you look at the sophistication of this attacker, there’s an asymmetric advantage for somebody playing offense,” Smith says. And the attackers had huge resources he says. “When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.”
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith tells Whitaker.
“One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware,” says the Microsoft president.
The attack, attributed by the U.S. government to Russia, was detected by FireEye, a cybersecurity firm that unravelled the mystery and alerted the world, after losing some of its own proprietary data. But detection doesn’t mean the attack is over. “It’s still ongoing,” says Jon Miller, the CEO of Boldend, a company that designs and sells “next generation” cyber weapons to the Department of Defense and U.S. intelligence agencies. “New companies are getting breached. We’ll see new companies breached today that weren’t breached this morning. Where it’s different in a lot of ways is normally when you catch someone in the act, they stop. That’s not the case with this breach,” says Miller.
He says the Russians have demonstrated they are able to compromise supply chains, manipulate data, and affect the functionality of software on devices commonly used today, such as phones, laptops, and tablets. “Whether it’s financial data, source code, the functionality of these products. They can take control.” He says they could destroy whole networks if they wanted to. “The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code,” Miller says.
The Russians evidently spent months inside the computers of U.S. government agencies accessing email traffic. In addition to the National Nuclear Security Administration, the departments of Justice, Commerce, Treasury, Energy, and the NIH were all affected. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyberattacks on government agencies, but the Russians outsmarted it. They were able to launch their attacks from servers set up anonymously in the U.S. without fear of detection because the National Security Agency is prohibited by law from surveilling America’s private sector computer networks.
“That winds up making it more difficult for us,” says Chris Inglis, a former deputy director of the National Security Agency, who sits on the Cyberspace Solarium Commission and advocates for a public private partnership to promote cybersecurity. He says extricating the Russian cyber spies from the government’s systems takes years. Even then, he says, “The only way you’ll have absolute confidence that you’ve gotten rid of it is to get rid of the hardware, to get rid of the systems,” he tells Whitaker.