Still more questions than answers on SolarWinds attack

At a Feb. 26 hearing on the hack linked to vulnerabilities in SolarWinds' IT management software, members of Congress learned the hackers were particular about what they were looking for.

According to information shared by Rep. Jim Langevin (D-R.I.), about 77 individual email accounts were accessed in the hack -- quite a small number when compared to the total number of accounts across the thousands of organizations that installed compromised SolarWinds' code.

"I think that was indicative of the stealthy practices that this actor tends to deploy, namely, to take great care to be very discreet," Microsoft President Brad Smith said.

“The damage assessment's going to be based on the content of the emails," FireEye CEO Kevin Mandia said. "How that information is intended to be used -- we don’t know. That's the problem. We have to get our arms around all the content, and all the potential use and misuse of all that content."

SolarWinds CEO Sudhakar Ramakrishna, said his company is closer to understanding how the malware was injected into updates for its Orion IT management software product.

They're focused on three possibilities, he said. One is the password spraying; the next, credential theft, and the third is through a vulnerability in third-party software used by the company in their on-premise infrastructure.

"Just like other companies on this witness stand, we use a lot of third-party software as well, and we are looking at it in those three dimensions at this point. We are evaluating several petabytes of data to be able to sift through this in the hopes that we can pinpoint patient zero in this context," Ramakrishna.

Witnesses told lawmakers that once hackers were in a network, they were able to take advantage of lapses in basic cybersecurity practices to expand their reach. It’s likely they were able to access Justice Department accounts using methods like stealing passwords, Smith said.

Some lawmakers also asked questions about threat hunting, the practice of proactively looking for cyber threats in a network.

The ability for the Cybersecurity and Information Security Agency to conduct threat hunting on federal agency networks, as provided by the 2021 National Defense Authorization Act, is "exactly the right thing to do," Mandia said.

Rep. Gerry Connolly (D-Va.) asked how the federal government can support private companies that threat hunt on federal networks.

The most important step will be centralized cyber breach reporting, Smith told him, as well as sharing information back out to the private sector. The area will need more legislation, he said.

One hurdle Congress will also need to address is the ways that agencies restrict contractors from sharing their cybersecurity information about what they are seeing with other parts of the federal government.

"One of the specific things that we had to do in December was go to each agency, tell them that we had identified that they were a victim of this and then we had to say, 'You need to go over to this person in the other part of the government to let them know. Please do that, we cannot do that for you,'" Smith explained.

"Some of the largest companies in our industry, that are well-known to have been involved in this that still have not spoken publicly about what they know," Smith said.  "There's no indication that they even informed customers. And I'm worried that … to some degree some other companies, some of our competitors even, just didn't look very hard."

To address that gap, Rep. Michael McCaul (R-Texas) announced that he and Langevin are working on a bill that would establish CISA as a kind of clearinghouse for breach notification. By removing sources, methods and company names from reporting data, the legislation would protect companies from market repercussions, McCaul said.

This article was first posted to FCW, a sibling site to Defense Systems.