This article is more than 1 year old

Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack

As FireEye reveals how suspicious second phone signed up for 2FA gave the game away

Microsoft president Brad Smith said the software giant's analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers.

Speaking on US news magazine program 60 Minutes, Smith labelled the attack "the largest and most sophisticated attack the world has ever seen."

"When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000."

If anyone understands the havoc 1,000 developers can create, it's Microsoft.

Smith didn't say who those 1,000 developers worked for, but compared the SolarWinds hack to attacks on Ukraine that had been widely attributed to Russia (which denies involvement).

"What we are seeing is the first use of this supply chain disruption tactic against the United States," he said. "But it's not the first time we've witnessed it. The Russian government really developed this tactic in Ukraine."

President Vladimir Putin surrounded by aides and soldiers

US court system ditches electronic filing, goes paper-only for sensitive documents following SolarWinds hack


The 60 Minutes segment also featured FireEye CEO Kevin Mandia. FireEye also fell foul of the SolarWinds attack and Mandia revealed how his firm spotted the attack when an attempt at two-factor authentication raised suspicion.

"A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name," he said. "So our security employee called that person up and we asked, 'Hey, did you actually register a second device on our network?' And our employee said, 'No. It wasn't, it wasn't me.'"

That admission led to further probing and eventually to SolarWinds, then to FireEye's disclosure of Orion's compromise.

60 Minutes also dropped a little nugget of insight by revealing that 4,032 lines of code were at the core of the crack.

Others featured in the segment opined that it exploited a blind spot in US defences by running on servers hosted in America itself. Most US cyber defences look at activity beyond the nation's borders and assume the private sector in the USA takes care of itself.

Which it tried to, but the nature of this attack meant it was devilishly hard to detect. ®

More about


Send us news

Other stories you might like