SolarWinds hackers will return through whatever opening they find, cyber-CEO tells Senate

The hackers who launched the massive SolarWinds computer data breach that included U.S. government systems have put their "pencils down" for now, but will return through whatever doorway they can find, a cybersecurity executive told members of a Senate committee.

"They will always have other ways," Kevin Mandia, the CEO of FireEye cybersecurity firm, said this week in a hearing before the Senate Select Intelligence Committee. "If they broke in yesterday via SolarWinds, and we patched that and fixed it — and we have — tomorrow they're going to have something else."

Mandia made his comments while appearing alongside three other witnesses Feb. 24 as the Senate sought to understand how hackers broke into SolarWinds and major American computer networks, and for months lurked undetected. Intelligence and cyber experts believe that the hackers were Russian government agents.

The attack was revealed in December, after target companies discovered they had been breached. The attack came in the form of a secret virus that was unleashed through an innocent-seeming system update. The virus spread for some nine months, and is believed to have infected files at the U.S. Departments of Justice, State, Treasury, Energy, and Commerce. 

In the Feb. 23 Senate hearing, cyber executives recapped for lawmakers their experiences and recommendations regarding the hack. The panelists included SolarWinds CEO Sudhakar Ramakrishna, Microsoft President Brad Smith, FireEye CEO Kevin Mandia, and CrowdStrike President and CEO George Kurtz. Representatives from Amazon declined to appear at the hearing, senators said, although the company's servers were in part used during the hack.

While the witnesses urged Congress to pass a national notification law for when companies find that they are breached, senators seemed particularly attentive when panelists discussed details of the attacks themselves.

Microsoft's Brad Smith said that his company's investigators are convinced that "at least 1,000 very skilled, very capable engineers" took part in the SolarWinds hack. "This is the largest and most sophisticated sort of operation that we have seen," Smith said.

FireEye's Mandia described how his company first realized it had been breached — and how it came to realize that it was dealing with "an attack by a nation with top-tier offensive capabilities." 

The first sign of intrusion came in November, when an alert showed that an employee had registered a second phone number to receive two-factor identification codes. The employee, though, did not register the additional phone number. "This signaled to us that an unknown third party had accessed our network without proper authorization," Mandia said.

Although cyber attacks are common, Mandia said, this one was different.

"The attackers tailored their capabilities specifically to target and attack our company (and their other victims)," he said. "They operated clandestinely, using methods that counter security tools and forensic examination."

The attackers worked with "constraint and focus," Mandia said, pursuing specific targets as if on assignment. "They did not perform actions that were indiscriminate, and they did not appear to go on 'fishing expeditions.'"

Although Mandia did not identify who launched the hack, he told senators that the intruders were state sponsored spies.

"Such focused targeting, combined with the novel combination of techniques not witnessed by us or our partners in the past, contributed to our conclusion that this was a foreign intelligence actor," he said. 

The White House on Tuesday signaled that President Joe Biden has discussed the hack with Russian President Vladimir Putin.

"We have asked the intelligence community to do further work to sharpen the attribution that the previous administration made about precisely how the hack occurred, what the extent of the damage is, and what the scope and scale of the intrusion is," White House Press Secretary Jen Psaki told reporters on Feb. 23. "And we're still in the process of working that through now."

The administration will respond to the hack, she added, "but it will be weeks, not months, before we respond," and the response will come "at a time and a manner of our choosing." 

The cyber-CEO's, meanwhile, are focused on preventing or catching future intrusions.

The hackers are quiet for now because they've been caught, Mandia said. The lull will be short-lived, he noted. "The reality is, they're going to come back."