Federal cybersecurity officials did not know about the SolarWinds hack until a private cybersecurity company identified it, raising concerns that the U.S. government may have never independently discovered the intrusion, according to a new assessment by the Senate Select Committee on Intelligence.
The hack of SolarWinds network management software compromised nine federal agencies and 100 companies. The intrusion could have been more widespread, potentially exposing 18,000 other businesses and government offices.
At an intelligence committee hearing Tuesday, Chairman Mark Warner, Virginia Democrat, said that one of the most concerning aspects of the hack was that “it was not detected by the multibillion-dollar U.S. government cybersecurity enterprise or anyone else” until the private firm FireEye announced its findings.
FireEye CEO Kevin Mandia told lawmakers that the breach was portable to other systems because the hackers got involved in the build process and didn’t just insert malware.
“We’re referring to it as the SolarWinds campaign, but it’s a little bit broader than that,” Mr. Mandia said. “Whoever this threat actor is, and we all pretty much know who it is, this has been a multidecade campaign for them, they just so happened to, in 2020, create a backdoor SolarWinds implant.”
The U.S. government has identified Russia as the likely culprit in the attack, which officials said was on a previously unseen scale.
“Preliminary indications suggest that the scope and scale of this incident are beyond any that we’ve confronted as a nation, and its implications are significant,” Mr. Warner said. “Even though what we’ve seen so far indicates this was carried out as an espionage campaign targeting 100 or so companies and government agencies, the reality is that the hackers responsible have gained access to thousands of companies and the ability to carry out far more destructive operations if they wanted to.”
The committee’s top Republican, Sen. Marco Rubio of Florida, said the hack could have continued unfettered without FireEye’s actions.
“Based on what we know, to include what government has stated publicly, the actor seems to have undertaken follow-on operations against a very small subset of the 18,000 networks to which they potentially had access,” he said.
Mr. Warner noted that while most of the affected systems seem to have been victimized through SolarWinds’ software, some victims did not use SolarWinds tools.
He said “other brand names” may have been vulnerable to the same hacking incident and he criticized Amazon Web Services for rejecting the intelligence committee’s invitation to appear but noted that Amazon had provided some information to the committee. Amazon did not respond to a request for comment.
SolarWinds CEO Sudhakar Ramakrishna, who took the helm of the company after the disclosure of the hack, pledged to keep the government informed of his company’s investigation of the hack and vulnerabilities in the software.
“While our products and customers were the subjects of this unfortunate and reckless operation, we take our obligation very seriously to work tirelessly to understand it better, to help our customers, and to be transparent with our learnings with our industry colleagues and the government,” Mr. Ramakrishna said.
The federal government is still forming a response to the cyberattack. President Biden proposed $9 billion in new cybersecurity spending as part of a $1.9 trillion coronavirus relief package.
Sen. Ron Wyden, Oregon Democrat, raised doubts that new spending on cybersecurity could solve the problems.
“The impression that the American people might get from this hearing is that the hackers are such formidable adversaries that there was nothing that the American government or our biggest tech companies could have done to protect themselves; my view is that message leads to privacy-violating laws and billions of more taxpayer funds for cybersecurity,” he said.
• Ryan Lovelace can be reached at rlovelace@washingtontimes.com.