The Russian state-backed operatives responsible for the SolarWinds attack may have numbered more than 1000, Microsoft president Brad Smith has claimed.
Speaking to the CBS 60 Minutes program over the weekend, Smith argued that the campaign, which targeted multiple US government departments and private cybersecurity companies, was “the largest and most sophisticated attack the world has ever seen.”
Only around 4000 of the millions of lines of code in the SolarWinds Orion update were rewritten to help the attackers achieve their ends, but this took a tremendous amount of manpower, he added.
“Microsoft has assigned 500 engineers to dig into the attack. One compared it to a Rembrandt painting: the closer they looked, the more details emerged,” Smith continued.
“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks, and the answer we came to was, well, certainly more than 1000.”
When asked how, with all the resources Microsoft had to hand, the tech giant still managed to miss the presence of these attackers, Smith claimed that attackers usually have an “asymmetric advantage” at this level.
The program also shed some further light on how security vendor FireEye first discovered it was compromised.
“Just like everybody working from home, we have two-factor authentication. A code pops up on our phone. We have to type in that code. Then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name,” explained CEO Kevin Mandia.
“So our security employee called that person up and we asked, ‘Hey, did you actually register a second device on our network?’ Our employee said, ‘No. It wasn’t, it wasn’t me.’”
This effectively lifted the lid on the whole operation, as FireEye engineers started to dig into the attack and unearthed what turned out to be a widespread state-backed cyber-espionage campaign.