Microsoft and FireEye have revealed new details on the SolarWinds cyberattack, in which a trojanized software update carried a backdoor to roughly 18,000 government and corporate networks.
This past December, cybersecurity experts first warned of an active global supply-chain attack in which compromised SolarWinds Orion Platform updates delivered the SUNBURST backdoor to every customer that installed them.
FireEye confirmed the attack in a threat research report and attributed the “global intrusion campaign” to a threat actor it tracks as UNC2452. Microsoft tracked the same backdoor and campaign under its own name, Solorigate.
In a 60 Minutes interview on Sunday, Brad Smith, president of Microsoft, said the company had assigned 500 engineers to a detailed investigation of the SolarWinds hack.
According to Smith, the investigation revealed that “certainly more than 1,000” developers worked on the SolarWinds malicious code and cyberattack. Smith further explained the SolarWinds attack “is the largest and most sophisticated attack the world has ever seen.” Moreover, he warned that the attacks are likely still ongoing.
“One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it,” Smith explained.
“When that update went out to 18,000 organizations around the world, so did this malware.”
In addition, Kevin Mandia, CEO of security firm FireEye, explained to 60 Minutes reporter Bill Whitaker how the company first discovered the attack on its own network. FireEye had previously confirmed that it used SolarWinds Orion to manage certain devices on its networks.
This past November, FireEye received a security alert about an employee logging in remotely to the network using two-factor authentication (2FA). In most deployments, 2FA requires an employee to register a phone that receives a one-time code or token, which must be presented alongside the password to log in.
In this case, however, the FireEye security team noticed that two phones were registered to the user’s account. When the team called the employee, he confirmed he had registered only one; the second device had been added by someone else.
Following that alert, FireEye found that the hackers had impersonated employees and used those credentials to steal FireEye’s red team tools, the tools the company uses to test customers’ defenses.
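The alert described above is the kind of signal a detection rule can produce from identity-provider audit logs: a second 2FA device appears on an account, and a login then succeeds using it. The following is an added example, not FireEye’s actual rule, log format, or data; the event schema, field names, sample records, and the seven-day threshold are assumptions constructed for illustration.

```python
# Added example: detection logic for the kind of 2FA alert described above.
# This is not FireEye's rule or log format; the event schema, field names
# and the sample records are assumptions constructed for illustration.
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data): one JSON record per line
# from an assumed identity provider. Timestamps are UTC.
SAMPLE_LOG = """\
{"ts": "2020-11-20T09:12:03Z", "event": "mfa_device_enrolled", "user": "jdoe", "device_id": "phone-1", "src_ip": "10.1.4.22"}
{"ts": "2020-11-24T22:41:10Z", "event": "mfa_device_enrolled", "user": "jdoe", "device_id": "phone-2", "src_ip": "203.0.113.9"}
{"ts": "2020-11-24T22:43:55Z", "event": "vpn_login", "user": "jdoe", "device_id": "phone-2", "src_ip": "203.0.113.9"}
{"ts": "2020-11-10T10:00:00Z", "event": "mfa_device_enrolled", "user": "asmith", "device_id": "phone-7", "src_ip": "10.1.4.40"}
{"ts": "2020-11-25T08:05:00Z", "event": "vpn_login", "user": "asmith", "device_id": "phone-7", "src_ip": "10.1.4.40"}
"""

# A login that uses a second factor enrolled less than this long ago is
# treated as worth a phone call to the user (threshold is an assumption).
RECENT_ENROLLMENT = timedelta(days=7)


def parse_events(text):
    """Parse newline-delimited JSON records and sort them by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def find_mfa_anomalies(events, recent=RECENT_ENROLLMENT):
    """Return alerts for two conditions:
    (a) a user who already has an MFA device enrolls another one, and
    (b) a login whose second factor was enrolled within `recent`.
    Together these match the pattern in the FireEye account: a second phone
    appears on the account, then a remote login passes 2FA with it."""
    devices = defaultdict(dict)  # user -> {device_id: enrolled_at}
    alerts = []
    for e in events:
        user, dev = e["user"], e["device_id"]
        if e["event"] == "mfa_device_enrolled":
            if devices[user] and dev not in devices[user]:
                alerts.append({
                    "rule": "additional_mfa_device",
                    "user": user,
                    "device_id": dev,
                    "ts": e["ts"],
                    "existing_devices": sorted(devices[user]),
                    "src_ip": e["src_ip"],
                })
            devices[user][dev] = e["ts"]
        elif e["event"].endswith("_login"):
            enrolled_at = devices[user].get(dev)
            if enrolled_at is not None and e["ts"] - enrolled_at <= recent:
                alerts.append({
                    "rule": "login_with_recently_enrolled_device",
                    "user": user,
                    "device_id": dev,
                    "ts": e["ts"],
                    "enrolled_age": e["ts"] - enrolled_at,
                    "src_ip": e["src_ip"],
                })
    return alerts


def users_to_confirm(alerts):
    """The follow-up step from the article: the users whose device list an
    analyst should verify out of band (by calling them), with the device ids
    they must vouch for."""
    todo = defaultdict(set)
    for a in alerts:
        todo[a["user"]].add(a["device_id"])
    return {u: sorted(d) for u, d in todo.items()}


if __name__ == "__main__":
    found = find_mfa_anomalies(parse_events(SAMPLE_LOG))
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["user"], a["device_id"], a["src_ip"])
    print("confirm with user:", users_to_confirm(found))
```

On the constructed log this flags only `jdoe`: the second phone enrolled from an external address, and the VPN login two and a half minutes later that used it. `asmith`, whose single device was enrolled two weeks before the login, produces nothing. The rule deliberately stops at “call the user”; it is the out-of-band confirmation, not the alert, that turns two registered phones into evidence of compromise.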
“Turn every rock over. Look in every machine and find any trace of suspicious activity,” Mandia told 60 Minutes.
FireEye soon thereafter discovered that the malware was embedded inside a SolarWinds Orion update and warned the world of the attack on December 13.
“I can tell you this, if we didn’t do investigations for a living, we wouldn’t have found this. It takes a very special skill set to reverse engineer a whole platform that’s written by bad guys to never be found,” Mandia explained.