SolarWinds Executives Defend Conduct Before US Senate

Senior executives have appeared before a US Senate panel looking at the damaging SolarWindows supply chain hack last year.

Top executives at Texas-based SolarWinds, as well as senior officials from Microsoft, FireEye and CrowdStrike appeared before the US Senate’s Select Committee on Intelligence on Tuesday, Reuters reported.

The US Senate panel began the hearing however by criticising Amazon, who they said had been invited to testify and whose servers were used to launch the cyberattack, for declining to attend the hearing.

Solarwinds compromise

“I think they have an obligation to cooperate with this inquiry, and I hope they will voluntarily do so,” Senator Susan Collins, a Republican was quoted as saying. “If they don’t, I think we should look at next steps.”

The senior executives that did attend however reportedly defended their conduct and sought to shift blame elsewhere.

The SolarWinds supply chain attack was a very serious development last year, as it resulted in the compromise of a number of US government federal agencies.

The hackers inserted backdoor code into SolarWinds’ Orion platform in March of 2020 (or possibly earlier) and used this to access the systems of at least half-a-dozen US federal agencies, as well as potentially thousands of private firms before the attack was discovered in December 2020.

Widespread impact

The scale of the US government compromise is still being investigated, but just before Christmas US Senator Ron Wyden revealed that dozens of email accounts at the US Treasury Department had been compromised.

The hack is now believed to have compromised approximately 100 US companies and nine federal agencies.

A number of leading tech firms and security firms such as Microsoft and FireEye were also caught up in the compromise.

Microsoft admitted that the SolarWinds hackers had actually accessed and viewed source code repositories within Redmond.

Microsoft had previously disclosed that it, like thousands of other companies, made internal use of the software used in the attack, SolarWinds’ Orion network management software.

In January multiple US intelligence agencies declared that Russia was the likely culprit of the damaging SolarWinds supply chain compromise.

Senate hearing

During the appearance before the US Senate’s Select Committee on Intelligence, multiple executives called for greater transparency and information-sharing about breaches.

The executives also reportedly called for liability protections, and a system that does not punish those who come forward, similar to airline disaster investigations.

Microsoft President Brad Smith and others told the panel that the true scope of the latest intrusions is still unknown, because most victims are not legally required to disclose attacks unless they involve sensitive information about individuals.

Besides Redmond’s Brad Smith, the CEO of security firm FireEye, Kevin Mandia, whose company was the first to discover the hackers, also appeared before the panel, as did the CEO of SolarWinds Sudhakar Ramakrishna.

It was SolarWinds software that was hijacked by a nation state to break in to a host of other organisations.

CrowdStrike chief executive George Kurtz, also attended, as his company helped SolarWinds recover from the breach.

Microsoft said it notified 60 customers of SolarWinds breach.

“It’s imperative for the nation that we encourage and sometimes even require better information-sharing about cyberattacks,” Brad Smith was quoted by Reuters as saying.

Smith said many techniques used by the hackers have not come to light and that “the attacker may have used up to a dozen different means of getting into victim networks during the past year.”

Microsoft criticised

Microsoft disclosed last week that the hackers had been able to read the company’s closely guarded source code for how its programs authenticate users.

In CrowdStrike’s case, hackers used a third-party vendor of Microsoft software, which had access to CrowdStrike systems, and tried but failed to get into the company’s email.

According to Reuters, CrowdStrike’s Kurtz turned the blame on Microsoft for its complicated architecture, which he called “antiquated.”

“The threat actor took advantage of systemic weaknesses in the Windows authentication architecture, allowing it to move laterally within the network” and reach the cloud environment while bypassing multifactor authentication, Kurtz’s prepared statement said.

Where Smith appealed for government help in providing remedial instruction for cloud users, Kurtz said Microsoft should look to its own house and fix problems with its widely used Active Directory and Azure.

“Should Microsoft address the authentication architecture limitations around Active Directory and Azure Active Directory, or shift to a different methodology entirely, a considerable threat vector would be completely eliminated from one of the world’s most widely used authentication platforms,” Kurtz said.

Alex Stamos, a former Facebook and Yahoo security chief now consulting for SolarWinds, agreed with Microsoft that customers who split their resources between their own premises and Microsoft’s cloud are especially at risk, since skilled hackers can move back and forth, and should move wholly to the cloud.

But he reportedly added in an interview, “It’s also too hard to run (cloud software) Azure ID securely, and the complexity of the product creates many opportunities for attackers to escalate privileges or hide access.”