WASHINGTON—Technology executives who responded to the hack of federal government computer systems by suspected Russian agents told senators Tuesday the attack was likely wider, more complex, and harder to trace than had previously been known.
The executives said the attack, which officials have said compromised at least 9 federal agencies and around 100 private companies, revealed systemic vulnerabilities in the software supply chain that all U.S. businesses and government institutions rely on.
Among other entry points since discovered, the hackers broke into the software build environment that network management firm SolarWinds Corp. uses to push updates to its customers. The method “exposed a significant threat to the global software supply chain at large,” SolarWinds Chief Executive Officer Sudhakar Ramakrishna testified in written remarks.
The hearing before the Senate Intelligence Committee was the first since the so-called SolarWinds hack was discovered in December. That hack is one of the most significant yet to be probed by Congress, and officials have said it is one of the worst U.S. intelligence failures on record. Previous headline breaches in recent years, such as those at the Office of Personnel Management, Equifax Inc. and a spate of retail hacks at stores like Target Corp., prompted hearings but generally haven’t spurred Congress to pass substantive cybersecurity legislation.
The attack, which has widely been described as a Russian espionage operation, surreptitiously hijacked a software update of a SolarWinds network-management tool that is used widely throughout the government and private sector. Many other companies and government agencies believed to have been hit by the same team of hackers, roughly 30%, hadn’t used SolarWinds software. Moscow has denied responsibility.