Feb. 23 (UPI) -- Technology executives testified before Congress on Tuesday that the hack of computer systems used by major U.S. companies and federal institutions was of an unprecedented level of scale and sophistication.
The method for the attack on network management firm SolarWinds Corp., whose software is used by thousands of government agencies and private sector companies to administer information technology infrastructure, "exposed a significant threat to the global software supply chain at large," the company's CEO, Sudhakar Ramakrishna, testified before the Senate select committee on intelligence.
Last week, White House deputy national security adviser Anne Neuberger said investigators found that nine federal agencies and 100 companies were breached in the attack.
Kevin Mandia, CEO of cybersecurity firm FireEye, which reported the hack publicly after detecting a breach in its own network, said hackers installed malicious code into a SolarWinds software update as part of a "multi-decade campaign" on behalf of the Russian government to infiltrate U.S. businesses and government agencies.
Mandia said hackers initially inserted innocuous code in SolarWinds software updates in October 2019 to test how far the malicious code could spread before launching it in March 2020. FireEye did not discover the breach until December.
Brad Smith, president of Microsoft, said it appeared that "a thousand very skilled, capable engineers" worked on the attack, which affected the company, including granting hackers access to up to 3% of Justice Department email accounts.
"We haven't seen this level of sophistication matched with this kind of scale," he said.
Smith also explicitly named Russia as the sole culprit behind the attack after former President Donald Trump had suggested China may have been involved.
"At this stage, we've seen substantial evidence that points to the Russian foreign intelligence agency and we have found no evidence that leads us anywhere else," he said. "We'll wait for the rest of the formal steps to be taken by the government and others, but there's not a lot of suspense at this moment in terms of what we're talking about."
During the hearing, Sen. Mark Warner, D-Va., suggested regulations requiring companies to report cybersecurity breaches to the government and implementing enforceable international cyberspace norms to prevent further attacks of this scale.
"Preliminary indications suggest that the scope and scale of this incident are beyond any that we've confronted as a nation and its implications are significant," Warner, the Democratic chair of the committee, said. "The footholds these hackers gained into private networks -- including some of the world's largest IT vendors -- may provide opportunities for future intrusions for years to come."
Ramakrishna said recent SolarWinds software updates have addressed the flaw that led to the breach and that the company is committed to preventing similar attacks from occurring in the future.
"We are embracing our responsibility to be an active participant in helping to prevent these types of attacks," he said. "Everyone at SolarWinds is committed to doing so and we value the trust and confidence our customers place in us."