Inside the response to the massive Russian SolarWinds hack
Seizing upon a flaw in software from SolarWinds, Russian hackers spent months leisurely probing the computer systems of dozens of businesses and government agencies. By contrast, when the intrusion was detected, tech companies and government agencies had to scramble to close the hole, assess damage and try to learn techniques to block future attacks.
Between the lines: Fresh details on how Microsoft, SolarWinds, GoDaddy and various government agencies managed the response to last winter's massive security failure are included in an update to a book co-authored by Microsoft president and longtime top lawyer Brad Smith.
Among the revelations:
- Microsoft convened urgent meetings spearheaded by CEO Satya Nadella designed to make sure that all of the company's top security organizations were focused on the effort.
- The company also mobilized more than 500 workers to respond to the SolarWinds attack.
- The Russian attackers used a server at GoDaddy to establish separate backdoors into the different victims. However, that common server also had a "kill switch" that, once discovered, could be used to halt the spread of the attack. That work was carried out, in part, by transferring the server in question from GoDaddy to Microsoft.
The big picture: In the book's new sections, Smith writes that SolarWinds represented more than cyber-espionage as usual, but wasn't a full-on act of cyber-war, either.
- Rather, Smith writes, it was a "moment of reckoning" that showed just how much unfinished work remains to be done to set global rules and norms for how technology can be used by nation-states to attack one another.
What's next: The SolarWinds attack offered a variety of lessons for preventing future attacks. Many of Smith's recommendations are standard best practices: using cloud-based systems (or at least fully patched on-premises servers), requiring multi-factor authentication and adopting a "zero trust" approach.
- More interesting is what Smith says is lacking in the broader security ecosystem, especially when it comes to communication between business and government as well as among different businesses.
- The U.S. government itself fails to sufficiently share data on cybersecurity threats, according to Smith: "Repeatedly in late 2020 we found people in federal agencies asking us about information in other parts of the government, because it was easier to get it from us than directly from other federal employees."
- "It's impossible to avoid the grave conclusion that the sharing of cybersecurity threat intelligence today is even more challenged than it was for terrorist threats before 9/11," Smith writes.
Of note: Microsoft was both investigator and victim in the SolarWinds attack. At the same time it was trying to help customers evaluate and minimize damage, the company was also trying to assess how much information the attackers had gained by accessing Microsoft's own servers and viewing company source code.
The latest: The paperback edition of "Tools and Weapons" goes on sale today, with three new chapters, including the one on the SolarWinds response.
- Meanwhile, the Russian hackers behind the SolarWinds attack have launched new attacks this year.
Go deeper: The long tail of the SolarWinds breach