The number of private sector companies that fell victim to the SolarWinds attack is now around 100, according to U.S. officials who gave a briefing on the large-scale, sophisticated supply chain attack that used popular IT management software for initial access.
In a White House briefing Wednesday, Anne Neuberger, the deputy national security advisor for cyber and emerging technology in the Biden Administration, told reporters that about 100 private sector companies and nine federal U.S. agencies were compromised by alleged Russian hackers who inserted a backdoor via malicious code in a spring 2020 update of the SolarWinds Orion platform.
According to Neuberger, many of the private sector companies are technology companies whose products could be used to launch additional attacks.
However, Neuberger echoed a common sentiment of the IT and cybersecurity industry: what we know is probably just the tip of the iceberg.
“So due to the sophistication of the techniques that were used, we believe we’re in the beginning stages of understanding the scope and scale, and we may find additional compromises, particularly given the technology companies that were compromised,” Neuberger said, adding that officials haven’t ruled out the possibility of additional supply chain compromises stemming from the attack.
The investigation, she said, could take several months or longer.
“This is a sophisticated actor who did their best to hide their tracks,” Neuberger said. “We believe it took them months to plan and execute this compromise. It’ll take us some time to uncover this, layer by layer.”
The briefing comes shortly after Microsoft President Brad Smith said in an interview that the attack is the largest and most sophisticated cyber intrusion in history.
In an interview with “60 Minutes,” Smith said Microsoft security experts have deduced that more than 1,000 engineers were behind the attack.
Microsoft itself was a victim of the attack, but the company has so far only disclosed that intruders viewed internal source code and did not access customer data.
However, cybersecurity firm FireEye – also the company that first discovered the attack – has said the attackers stole its tools that are used to test customer network defenses.
Other tech firms that have said they were targeted include CrowdStrike, Malwarebytes, Palo Alto Networks, Mimecast and others.
In the U.S. government, victims include the Treasury Department, Department of Homeland Security, Department of State, Department of Energy and the Justice Department, among others.