SolarWinds, Microsoft, FireEye, CrowdStrike defend actions in major hack - U.S. Senate hearing
February 24, 2021, by Raphael Satter and Joseph Menn
WASHINGTON (Reuters) - Top executives at
Texas-based software company SolarWinds Corp, Microsoft Corp and
cybersecurity firms FireEye Inc and CrowdStrike Holdings Inc defended
their conduct in breaches blamed on Russian hackers and sought to shift
responsibility elsewhere in testimony to a U.S. Senate panel on Tuesday.
One of the worst hacks yet discovered had an impact on all four.
SolarWinds and Microsoft programs were used to attack others and the
hack struck at about 100 U.S. companies and nine federal agencies.
Lawmakers started the hearing by criticizing Amazon representatives, who
they said were invited to testify and whose servers were used to launch
the cyberattack, for declining to attend the hearing.
"I think they have an obligation to cooperate with this inquiry, and I
hope they will voluntarily do so," said Senator Susan Collins, a
Republican. "If they don't, I think we should look at next steps."
The executives argued for greater transparency and information-sharing
about breaches, with liability protections and a system that does not
punish those who come forward, similar to airline disaster
investigations.
Microsoft President Brad Smith and others told the U.S. Senate's Select
Committee on Intelligence that the true scope of the latest intrusions
is still unknown, because most victims are not legally required to
disclose attacks unless they involve sensitive information about
individuals.
Also testifying were FireEye Chief Executive Kevin Mandia, whose company
was the first to discover the hackers, SolarWinds Chief Executive
Sudhakar Ramakrishna, whose company's software was hijacked by the spies
to break in to a host of other organizations, and CrowdStrike Chief
Executive George Kurtz, whose company is helping SolarWinds recover from
the breach.
"It's imperative for the nation that we encourage and sometimes even
require better information-sharing about cyberattacks," Smith said.
Smith said many techniques used by the hackers have not come to light
and that "the attacker may have used up to a dozen different means of
getting into victim networks during the past year."
Microsoft disclosed last week that the hackers had been able to read the
company's closely guarded source code for how its programs authenticate
users. At many of the victims, the hackers manipulated those programs to
access new areas inside their targets.
FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and
Microsoft President Brad Smith speak with each other before the
start of a Senate Intelligence Committee hearing on Capitol Hill, in
Washington, D.C., U.S., February 23, 2021. Drew Angerer/Pool via
REUTERS
Smith stressed that such movement was not due to programming errors on
Microsoft's part but to poor configurations and other controls on the customer's
part, including cases "where the keys to the safe and the car were left out in
the open."
In CrowdStrike’s case, hackers used a third-party vendor of Microsoft software,
which had access to CrowdStrike systems, and tried but failed to get into the
company’s email.
CrowdStrike's Kurtz turned the blame on Microsoft for its complicated
architecture, which he called “antiquated.”
“The threat actor took advantage of systemic weaknesses in the Windows
authentication architecture, allowing it to move laterally within the network"
and reach the cloud environment while bypassing multifactor authentication,
Kurtz’s prepared statement said.
Where Smith appealed for government help in providing remedial instruction for
cloud users, Kurtz said Microsoft should look to its own house and fix problems
with its widely used Active Directory and Azure.
“Should Microsoft address the authentication architecture limitations around
Active Directory and Azure Active Directory, or shift to a different methodology
entirely, a considerable threat vector would be completely eliminated from one
of the world’s most widely used authentication platforms,” Kurtz said.
Alex Stamos, a former Facebook and Yahoo security chief now consulting for
SolarWinds, agreed with Microsoft that customers who split their resources
between their own premises and Microsoft's cloud are especially at risk, since
skilled hackers can move back and forth, and that such customers should move
wholly to the cloud.
But he added in an interview, "It's also too hard to run (cloud software) Azure
ID securely, and the complexity of the product creates many opportunities for
attackers to escalate privileges or hide access."
(Reporting by Joseph Menn in San Francisco and Raphael Satter in Washington;
Editing by Matthew Lewis and Grant McCool)
© 2021 Thomson Reuters. All rights reserved.