AGL 38.02 Increased By ▲ 0.08 (0.21%)
AIRLINK 197.36 Increased By ▲ 3.45 (1.78%)
BOP 9.54 Increased By ▲ 0.22 (2.36%)
CNERGY 5.91 Increased By ▲ 0.07 (1.2%)
DCL 8.82 Increased By ▲ 0.14 (1.61%)
DFML 35.74 Decreased By ▼ -0.72 (-1.97%)
DGKC 96.86 Increased By ▲ 4.32 (4.67%)
FCCL 35.25 Increased By ▲ 1.28 (3.77%)
FFBL 88.94 Increased By ▲ 6.64 (8.07%)
FFL 13.17 Increased By ▲ 0.42 (3.29%)
HUBC 127.55 Increased By ▲ 6.94 (5.75%)
HUMNL 13.50 Decreased By ▼ -0.10 (-0.74%)
KEL 5.32 Increased By ▲ 0.10 (1.92%)
KOSM 7.00 Increased By ▲ 0.48 (7.36%)
MLCF 44.70 Increased By ▲ 2.59 (6.15%)
NBP 61.42 Increased By ▲ 1.61 (2.69%)
OGDC 214.67 Increased By ▲ 3.50 (1.66%)
PAEL 38.79 Increased By ▲ 1.21 (3.22%)
PIBTL 8.25 Increased By ▲ 0.18 (2.23%)
PPL 193.08 Increased By ▲ 2.76 (1.45%)
PRL 38.66 Increased By ▲ 0.49 (1.28%)
PTC 25.80 Increased By ▲ 2.35 (10.02%)
SEARL 103.60 Increased By ▲ 5.66 (5.78%)
TELE 8.30 Increased By ▲ 0.08 (0.97%)
TOMCL 35.00 Decreased By ▼ -0.03 (-0.09%)
TPLP 13.30 Decreased By ▼ -0.25 (-1.85%)
TREET 22.16 Decreased By ▼ -0.57 (-2.51%)
TRG 55.59 Increased By ▲ 2.72 (5.14%)
UNITY 32.97 Increased By ▲ 0.01 (0.03%)
WTL 1.60 Increased By ▲ 0.08 (5.26%)
BR100 11,727 Increased By 342.7 (3.01%)
BR30 36,377 Increased By 1165.1 (3.31%)
KSE100 109,513 Increased By 3238.2 (3.05%)
KSE30 34,513 Increased By 1160.1 (3.48%)

WASHINGTON: The stunning SolarWinds hack that cybersecurity experts blame on Russia likely took a massive, disciplined effort by more than 1,000 software engineers, Microsoft President Brad Smith said Tuesday.

Smith told a hearing of the Senate Intelligence Committee that no other body but Russian intelligence has the ability to muster such an effort, which he branded "reckless" in the breadth of its threat to the globe.

Microsoft, one of more than 100 companies attacked and 18,000 left vulnerable by the hack, analyzed the work it took to insert malware into widely used security software created by SolarWinds.

"We asked ourselves how many engineers do we believe had worked on this collective effort. And the answer we came to was... at least 1,000, very skilled, capable engineers.

"We haven't seen this kind of sophistication matched with this kind of scale," he said.

Smith compared previous hacks from Russian- and other government-backed groups to a burglar breaking into a single apartment.

The SolarWinds incident was different, he said: it was like a burglar who "manages to turn off the alarm system for every home and every building in the entire city."

"Everybody's safety is put at risk. And that is what we're grappling with here," he said.

The hack was discovered by computer security firm FireEye in December after it had sat on computers around the world.

Among US government agencies penetrated were the National Security Agency, the State Department, Commerce Department and the Treasury.

The Washington Post reported Tuesday that the Biden administration was studying options to Punish Moscow for the hack and for other "malign" activity.

Last week Anne Neuberger, the senior White House cybersecurity advisor, said her team was looking "holistically" at retaliation.

"This isn't the only case of malicious cyber activity of likely Russian origin, either for us or for our allies and partners," she said.

In the Senate hearing, FireEye chief executive Kevin Mandia described the hack as the culmination of a "multi-decade" effort by the attackers.

He said it took thousands of hours for his staff to discover the bug, and only after tearing apart and decompiling thousands of files on a SolarWinds server.

"This was not the first place you look, this was the last place you look for an insertion," he said.

Sudhakar Ramakrishna, the chief executive of SolarWinds, said that after months the company still has not found how the hackers managed to implant malware in the middle of the software supply chain -- at the point when completed code is being tailored to downstream users' configurations.

"We understand the gravity of the situation," he said.

While currently companies can voluntarily report to the cybersecurity officials of the Department of Homeland Security, some suggested a legal requirement that they do so, to catch future threats early.

"It seems to me that there should be an obligation of some sort on the part of a victim of a cyber attack like this to share what they know, what they've learned, with the appropriate authorities," said Senator John Cornyn.

"There's got to be a way for folks who are responding to breaches to share data quickly to protect the nation, protect industries," said Mandia.

Comments

Comments are closed.