Microsoft says it found 1,000-plus developers' fingerprints on the SolarWinds attack

Microsoft president Brad Smith said the software giant's analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers. Speaking on US news magazine program 60 Minutes, Smith labelled the attack "the largest and most sophisticated attack the world has ever seen." "When we …

  1. Ryba Zfrytkami

    Oh those Russians!

    ...or Chinese, or North Koreans, or Iranians, or Israelis, or GCHQ...

    Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?

    Rhetorical. I know why they do it. Sigh.

    1. Anonymous Coward

      Re: Oh those Russians!

      But doesn't M$ view Open Source and its Contributors as a bigger threat than Communism?

      1. PghMike

        Re: Oh those Russians!

        Really, wake up. MSFT of 2020 is not MSFT of 1995. There's a huge amount of support for Open Source in Azure, and throughout MSFT in general. The MSFT IT department even supports MacBooks (I'm typing this on my MSFT provided MacBook, and no, it isn't running Windows) and iPhones.

        Disclaimer -- I've worked there since 2018.

        1. Anonymous Coward

          Re: Oh those Russians!

          Leopards, spots and corporate culture. There'll be an attempt at embrace and extend at some point. All you can say is your employer might be a bit rusty when it happens.

          1. Anonymous Coward

            Re: Oh those Russians!

            Exactly. They don't now because it suits them. But this might change in a day.

            I haven't forgiven IE6, or the nasty no-linux "discounts" for PC manufacturers, or the ISO bribery to get their close document format called open, or the many competitors they maneuvered to kill in a dodgy manner, or the W10 spying, or the PCs bricked after forced W10 updates, and so much more.

            Heck I haven't forgiven them for pissing all over their customers by ramming the ribbon and then the metro interfaces down their throats.

            Such disdain for your customers is deeply ingrained.

            1. Rol

              Re: Oh those Russians!

              And don't forget the 500,000 8-yard skips filled to overflowing with A4 flatbed scanners, and every other peripheral that relied on TWAIN.

            2. This post has been deleted by its author

              1. Anonymous Coward

                Re: Linux *won*

                Free stuff won.

                Not anything to do with Linux or Windows, giving it away is what made Linux the "winner".

                Where "winner" means "platform exploited by Google, Amazon and many others to make themselves richer than small countries while giving nothing back."

                Well done.

                No really, well done.

                1. zuckzuckgo Silver badge

                  Re: Linux *won*

                  I would say that complex licencing practices and booby traps pushed many organizations away from proprietary solutions.

    2. Anonymous Coward

      Re: Oh those Russians!

      Why look abroad at all?

      Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?

      Exactly how easy is it to insert an extra 4000+ lines of code into a process where multiple teams are delivering "new code" with every two week "sprint"? Maybe too easy!!!

      1. veti Silver badge

        Re: Oh those Russians!

        The poor processes that created the opportunity have been widely recognised. But that doesn't diminish the interest in knowing who it was that took advantage of it.

        "Oh look, I left the door open. No point in looking for the thief, then" - said no one, ever.

        1. Muppet Boss

          Re: Oh those Russians!

          >But that doesn't diminish the interest in knowing who it was that took advantage of it.

          Absolutely, and this should be investigated and the results duly presented to the public. But this interest does not give anyone rights to defame, libel or put unfounded blame on others. If Russia were an evil country, Microsoft president accusing it of criminal conduct would find himself and the company under criminal investigation and sure, Microsoft has a lot to lose in Russia.

          The funny aspect is that Russia does not mind punches from other countries and does not really respond to them, in other words, has a horrible PR department. Unlike China, where the official WHO delegation investigating coronavirus origins were denied access to the first 174 coronavirus patients and their medical history, had to accept China's assurances that no traces of _this_ coronavirus were found inside Wuhan Institute of Virology (which afaik has the world's largest collection of live coronaviruses and was in the past singled out for poor safety practices) and had to agree to stopping investigation into whether the virus could leak from the Institute's lab. That's what strongmen do.

          Anyway, as long as accusations of Russia do not result in bombing it as other countries were bombed following accusations before and Russia not retaliating with nuclear bombs, we all should be safe.

      2. Anonymous Coward

        Re: Oh those Russians!

        "Isn't the hack DIRECTLY attributable to poor development processes in the organisation which was attacked?"

        From various forums, it appears that the build system was remotely accessible, either directly or via VPN with no 2FA or strong password requirements. The reason it appears to be the build server is that public statements indicate the source code and other systems were not compromised. BUT that only allowed access AND should have been discovered at some point in the ~7 months the malicious code was present. Where were the checks to make sure the build system was producing the code that was expected? That isn't an agile issue - that's a "we throw it at the build system and fix any errors, otherwise it's good to ship" problem.

        And then there is the question of how 18,000 organisations (based on SolarWinds' published details), many of whom had the resources and security infrastructure in place to detect this, managed to download the compromised code and use it, and it only gets discovered by accident when a second phone number is added to a Microsoft account of a FireEye employee and a vigilant Microsoft security person questioned it.

        How did everyone miss this for so long?

        1. Muppet Boss

          Re: Oh those Russians!

          >How did everyone miss this for so long?

          The average time to detect an implant/breach/intrusion is between 3-6 months; depending on when the attack started, FireEye seems to have caught it well within industry norms. SolarWinds is a different matter, apparently very bad at security.
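The comment above asks where the checks were to make sure the build system was producing the code that was expected. One concrete form of that check is to rebuild the release from the same tagged source on a separate, locked-down machine that the build server cannot reach, then compare the file hashes of that rebuild against what the build server actually shipped: a file that differs, or a file that exists only in the shipped tree, is exactly the kind of artefact a compromised build host produces. The script below is an added example written for this page, not SolarWinds' tooling or anything from the original article. The directory layout, file names and file contents are constructed, and it deliberately sidesteps the real-world problem of non-deterministic builds (embedded timestamps, build paths, GUIDs), which reproducible-build toolchains have to normalise before a byte-for-byte comparison like this is meaningful.

```python
"""Compare an independent rebuild against the build server's shipped output.

Added example for this page; the trees, file names and contents below are
constructed, not taken from any real product.
"""
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_builds(reference, shipped):
    """Diff two hash maps.

    reference: hashes from the independent rebuild (trusted).
    shipped:   hashes from what the build server produced.
    Returns paths whose bytes differ, paths missing from the shipped tree,
    and paths present only in the shipped tree (an injected binary would
    show up here or under 'modified').
    """
    modified = sorted(p for p in reference
                      if p in shipped and reference[p] != shipped[p])
    missing = sorted(p for p in reference if p not in shipped)
    extra = sorted(p for p in shipped if p not in reference)
    return {"modified": modified, "missing": missing, "extra": extra}


def write_tree(root, files):
    """Materialise a {relative_path: bytes} map on disk under root."""
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo(tamper=True):
    """Constructed scenario: clean rebuild vs. build-server output.

    With tamper=True the shipped tree has one DLL with extra bytes appended
    (standing in for a class inserted at build time) and one unexpected
    extra binary; with tamper=False the two trees are identical.
    """
    clean = {
        "bin/Agent.dll": b"MZ-clean-agent-bytes (constructed)",
        "bin/Core.dll": b"MZ-core-bytes (constructed)",
        "config/defaults.xml": b"<config/>",
    }
    shipped = dict(clean)
    if tamper:
        shipped["bin/Agent.dll"] = clean["bin/Agent.dll"] + b"\x00injected-class"
        shipped["bin/Helper.dll"] = b"MZ-unexpected-extra-binary (constructed)"
    with tempfile.TemporaryDirectory() as ref_dir, \
            tempfile.TemporaryDirectory() as build_dir:
        write_tree(ref_dir, clean)
        write_tree(build_dir, shipped)
        return compare_builds(hash_tree(ref_dir), hash_tree(build_dir))


if __name__ == "__main__":
    result = demo()
    for kind, paths in result.items():
        for p in paths:
            print(f"{kind}: {p}")
    if any(result.values()):
        raise SystemExit("build output does not match independent rebuild")
```

In practice the reference hashes would be produced on a machine with no inbound access from the build network and compared in the release pipeline before signing, so that the signing key is never applied to bytes nobody has reproduced.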

    3. Anonymous Coward

      Re: I know why they do it.

      Are they covering up for the fiendish machinations of that usually little known independence group, the West of Lothian Free Separatists?

      1. Anonymous Coward

        Re: I know why they do it.

        West of Lothian Free Separatists

        Splitters!

      2. Doctor Syntax Silver badge

        Re: I know why they do it.

        "the West of Lothian Free Separatists?"

        I question that.

        1. Anonymous Coward

          I question that.

          Hmm. A false-flag operation by the Lothian East Organized Peoples Alliance of Republican Democrats, then?

      3. JimboSmith Silver badge

        Re: I know why they do it.

        the West of Lothian Free Separatists?

        The Cornish National Liberation Army?

    4. Anonymous Coward

      Re: Oh those Russians!

      "Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?"

      You're reading those words wrong. For 'good' read 'us*', and for 'bad' read 'them'. It's not 'good versus bad', it's 'us versus them'. The good/bad wording is just marketing spin by governments. If you were born on the other side of the planet, the marketing is flipped.

      (* for 'us' read: countries in the orbit of Uncle Sam, not Uncle Boris**?)

      (** no, not our Boris, their 'Boris').

      #onemansterrorist...

      1. rcxb Silver badge

        Re: Oh those Russians!

        There's a little bit of us vs them when it's government vs government exfiltrating secrets, but more often, there are moral judgements involved.

        Not much outcry from the West when Russians were breaking into and disrupting ISIS computer system.

        There would be plenty of outcry from all corners if the US Gov got caught breaking into a private company to steal trade secrets (which is China's current modus operandi).

        There have been outspoken concerns about this possibility from allies: https://en.wikipedia.org/wiki/ECHELON#Concerns

      2. Anonymous Coward

        Re: Oh those Russians!

        Why Russia. I'd love to tell you, but I signed an NDA.

    5. The Man Who Fell To Earth Silver badge

      Re: Oh those Russians!

      There's a reason even the Russians historically suspect their fellow Russians first.

      1. Lunatic Moonshiner

        Re: Oh those Russians!

        "I'm finished. I trust no one, not even myself."

        -- Joseph Stalin

    6. Anonymous Coward

      Re: Oh those Russians!

      > Why does the western media always accept the default of Russia bad, America good and always blame them accordingly?

      Because one is an open democracy, with the oversight of a free press and independent judiciary, and the other is Putin's little puppet show.

      1. martinusher Silver badge

        Re: Oh those Russians!

        >Because one is an open democracy, with the oversight of a free press and independent judiciary

        I'd recommend a short course in government, say by watching a few episodes of "Yes, Minister", to get a perspective about how the UK actually works. It likes to compare itself to the US but it's nothing like it, because the basis of freedom in the US is decentralization -- it's not that our institutions work any differently but there's a lot more of them and they get in each other's way.

        >the other is Putin's little puppet show.

        Russia is also decentralized. I daresay its institutions are as hidebound and conservative as ours.

      2. Anonymous Coward

        Re: Oh those Russians!

        Which one is which?

      3. teknopaul

        Re: Oh those Russians!

        I see what you did there

      4. Muppet Boss

        Re: Oh those Russians!

        >Because one is an open democracy, with the oversight of a free press and independent judiciary, and the other is Putin's little puppet show.

        Do I understand correctly that crimes committed under the flag of democracy somehow justify themselves and the same crimes under the flag of authoritarianism cannot be forgiven?

        P.S. Could you finally close Guantanamo please, people are being illegally incarcerated there without trial for almost 20 years?

      5. Anonymous Coward

        Re: Oh those Russians!

        When one has nothing to say, he types "Putin", because the name is so telling...

    7. martinusher Silver badge

      Re: Oh those Russians!

      A marvel of software engineering. Able to get 1000 developers all working as a team, producing a bug-free product to a half-decent schedule, and none of the developers jump ship to a competing outfit (taking bits of code with them).

      Maybe these Russians would like to develop a few other bits of software -- a 'track and trace' system, perhaps?

      1. DS999 Silver badge

        Re: Oh those Russians!

        Who says it is bug free? It just has to work well enough to reach its goal but doing so doesn't mean there aren't bugs that make it work less well than it could have, or able to be discovered and/or have its origin discovered more easily than a completely bug free bit of software would have been.

        Probably everyone reading this owns a smartphone that undoubtedly has hundreds or perhaps even thousands of undiscovered / unfixed bugs in its code. But they make calls, browse the web, send text messages, take photos, run apps and so on more than well enough for us to use them despite those bugs.

        1. very angry man

          Re: Oh those Russians!

          Come on, a bug-free piece of software would have stood out like dog's whatsits

      2. Anonymous Coward

        Re: Oh those Russians!

        "Maybe these Russians would like to develop a few other bits of software -- a 'track and trace' system, perhaps?"

        Reports would suggest the issue with track and trace isn't the software - the meat layer has memory capacity issues and there appears to be a significant trust issue with government staff. While health workers are significantly more trusted, demand outstrips supply and dressing people up as nurses doesn't seem to fool anybody.

    8. Marshalltown

      Re: Oh those Russians!

      I could buy perhaps the Chinese as a potential source, but NORK? Really? One of the serious problems that country has is that it discourages talent and merit. The Iranians might be a source, and they have the motives to be. But, on the balance, when you see the similarities to the Ukraine episode, the Russians are easily the best, immediate choice. They are also seriously handicapped by external sanctions that limit their ability to trade. Their agriculture has taken repeated serious hits several years in a row, and last, as a kleptocracy, their PTB are quite unhappy that their money launderer was turfed out of office before he could complete his work. China is in agricultural difficulties too (so's the US as far as that goes), but China is tremendously better off than Russia and has a vast array of legitimate overseas investments that can cover a lot of their short fall. So Russia is number one on the short list.

  2. Steve Davies 3 Silver badge

    How many of those fingerprints

    are there because of the fashion for 'cut/paste' from sites like stackoverflow.com?

    Thinking of it another way...

    How else would MS be able to fingerprint so many if it wasn't for repositories like stackoverflow?

    1. stiine Silver badge

      Re: How many of those fingerprints

      Seems to me that Microsoft is one of the companies with over a 1000 developers.

      1. find users who cut cat tail

        Re: How many of those fingerprints

        Microsoft probably needs 100+ people to produce Hello world.

        1. Blazde Silver badge

          Re: How many of those fingerprints

          One code monkey to write the Hello World program and 99 to issue a steady stream of Hello World updates over several years to fix most of the critical bugs and introduce some new ones, amirite?

          1. teknopaul

            Re: How many of those fingerprints

            "4,032 lines of code were at the core of the crack."

            So Microsoft presume that over 1000 developers were involved. I can only presume that is a fair metric inside Microsoft, I knocked out 4000 lines last week myself.

    2. Anonymous Coward

      Re: How many of those fingerprints

      There was a reason for buying GitHub: fingerprint the world's code!

      1. sreynolds

        Re: How many of those fingerprints

        M$ is full of shit.

    3. Anonymous Coward

      Re: How many of those fingerprints

      "First learn computer science and all the theory. Next develop a programming style. Then forget all that and just hack." - George Carrette

  3. TheSkunkyMonk

    Figures

    I never trust these kinds of guesses, how many times have they claimed something uncrackable only for it to be cracked that same day? *cough* Fairlight *cough*

    Mind, sure they would have been using code from all over the place; pointless redesigning the wheel unless it needs to do something new.

  4. low_resolution_foxxes

    Yeah, must be those pesky furry Russians:

    "The attack used a backdoor in a SolarWinds library; when an update to SolarWinds occurred, the malicious attack would go unnoticed due to the trusted certificate. In November 2019, a security researcher notified SolarWinds that their FTP server had a weak password of "solarwinds123", warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers."

    " SolarWinds did not employ a chief information security officer and employee passwords had been posted on GitHub in 2019".

    "Insiders at the company had sold approximately $280 million in stock shortly before this became publicly known, which was months after the attack had started. A spokesperson said that those who sold the stock had not been aware of the breach at the time".

    Seriously, half the stock market, many teenage boys and any UK/Iran/Mossad/Russia/Chinese hackers would want stock market intelligence like this.

    1. Pascal Monett Silver badge

      "SolarWinds did not employ a chief information security officer"

      You don't need a 'chief information security officer'.

      You do need an admin that's doing his job properly.

      Solarwinds123 didn't even have that.

      1. low_resolution_foxxes

        Re: "SolarWinds did not employ a chief information security officer"

        It's the kind of password I would use to secure my public library book account with (hell I have probably done worse).

        But for a password dedicated to FTP distribution of sensitive files, controlling network software for major corporations.....? I'm trying to decide if that is a fireable offence.

        1. very angry man

          Re: "SolarWinds did not employ a chief information security officer"

          YES!

  5. Chris G

    The difference

    Between 1000 Mshaft engineers causing havoc and the perpetrators of the solar winds attack, is that the Havoc1000 approach is chaos based, whereas the solarwinds attack was highly defined, seemingly well executed and didn't appear to rely on frequent patching.

    So, maybe a hundred devs.....

  6. Peter Prof Fox

    ...And your lucky colour is puce.

    4.5K lines of core code and 1000 different developers identified. So supposedly a handful of lines of code is enough of a 'DNA sample' to distinguish one developer from another. How does that work? (None of them ever linted of course.) Perhaps they put their names in the in-line comments? // And a big shout-out to Vladimir Ruskyname for his trapdoor.

    1. low_resolution_foxxes

      Re: ...And your lucky colour is puce.

      Allegedly Russian hackers have contracts that specifically forbid any Russian text, jokes or cultural references being used. It wouldn't surprise me if they use American English as a distraction.

    2. tekHedd

      4500 lines of code?

      Was thinking the same thing: On the one hand, we have a fairly small program (I have larger throwaway internal utilities) written by at most two or three developers, possibly backed by a somewhat larger deployment testing team. On the other hand, we have... the fingerprint of 1000 developers?

      Pull the other one, it has 200 bells on, according to our analysis.

      1. yetanotheraoc Silver badge

        Re: 4500 lines of code?

        The really amazing bit is Microsoft being able to fingerprint a developer from 4.5 lines of code. Maybe they asked Facebook.

  7. seven of five

    Probably only 50 guys/gals

    They're just 20 times better than Micros~1 could imagine...

    Personally, I'd go with Steve Davies 3's idea of Stack Overflow copy & paste.

  8. Version 1.0 Silver badge

    2FA

    Two Factor Access at work again, it's sold as "Authentication" but it's only effective when it works. It's a permanent security risk the rest of the time.

    1. Headley_Grange Silver badge

      Re: 2FA

      Yep - security works best when it's seen as security rather than a bit of a hassle.

    2. Anonymous Coward

      Re: 2FA

      > that individual had two phones registered to their name

      A personal + a work phone? I have four different 2FA mechanisms for the various accounts and systems my employer uses.
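The reply above makes a fair point: plenty of people legitimately have two or more second factors, so a device count on its own is not a signal. What made the second phone in the FireEye story worth a question (as described in a comment further up this thread) is the registration event itself: a new second factor enrolled on an account that already has one, from an address outside the networks that account normally authenticates from. Whoever controls a freshly enrolled factor can satisfy the "something you have" check from then on, so that event deserves a ticket even when it turns out to be a personal phone. The detection below is an added example written for this page, not Microsoft's or FireEye's logic. The log format, field names, baseline of known devices and trusted network range are all constructed assumptions.

```python
"""Flag MFA device registrations that do not fit an account's baseline.

Added example for this page. The audit log lines, field names, known-device
baseline and trusted network range below are constructed, not any real
identity provider's schema or data.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed audit events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2020-12-01T09:14:02Z","event":"mfa_device_registered","user":"alice","device_id":"phone-a1","src_ip":"10.20.0.15"}
{"ts":"2020-12-03T18:41:55Z","event":"mfa_device_registered","user":"alice","device_id":"phone-zz9","src_ip":"203.0.113.77"}
{"ts":"2020-12-03T18:42:10Z","event":"login_success","user":"alice","device_id":"phone-zz9","src_ip":"203.0.113.77"}
{"ts":"2020-12-04T08:00:00Z","event":"mfa_device_registered","user":"bob","device_id":"phone-b1","src_ip":"10.20.0.31"}
"""

# Constructed baseline: second factors already enrolled per account, and the
# address range from which registrations are considered routine.
KNOWN_DEVICES = {"alice": {"phone-a1"}, "bob": set()}
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def parse_events(text):
    """Parse newline-delimited JSON audit records into dicts with UTC timestamps."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def is_trusted(ip, nets=TRUSTED_NETS):
    """True if ip falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_new_mfa_devices(events, known_devices, nets=TRUSTED_NETS):
    """Return one alert per registration of a device not already in the baseline.

    Severity: 'high' when the account already had a second factor AND the
    registration came from an untrusted address; 'medium' when only one of
    those holds; 'low' for a first enrolment from a trusted address.
    The baseline is copied so the caller's map is not mutated; each processed
    registration is added to the working copy so repeats are not re-alerted.
    """
    known = {u: set(d) for u, d in known_devices.items()}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] != "mfa_device_registered":
            continue
        devices = known.setdefault(e["user"], set())
        if e["device_id"] in devices:
            continue
        reasons = []
        if devices:
            reasons.append("account already has %d registered device(s)" % len(devices))
        if not is_trusted(e["src_ip"], nets):
            reasons.append("registered from untrusted address %s" % e["src_ip"])
        severity = {0: "low", 1: "medium", 2: "high"}[len(reasons)]
        alerts.append({
            "user": e["user"],
            "device_id": e["device_id"],
            "ts": e["ts"].isoformat(),
            "severity": severity,
            "reasons": reasons,
        })
        devices.add(e["device_id"])
    return alerts


if __name__ == "__main__":
    for a in detect_new_mfa_devices(parse_events(SAMPLE_LOG), KNOWN_DEVICES):
        print(a["severity"].upper(), a["user"], a["device_id"], a["ts"], "; ".join(a["reasons"]))
```

Run against the constructed log, alice's second phone enrolled from 203.0.113.77 comes out as a high-severity alert, while bob's first enrolment from the office range is logged at low severity. The follow-on `login_success` from the new device is deliberately ignored here; correlating it with the registration a few seconds earlier is the obvious next step for a real rule.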

  9. Anonymous Coward

    The real takeaway

    "If anyone understands the havoc 1,000 developers can create, it’s Microsoft."

    Genius

    1. Phil Kingston

      Re: The real takeaway

      Feel the burn

    2. eldakka

      Re: The real takeaway

      2nd best laugh I've had in months when I read that. (The best was when I was watching a video yesterday about flat earthers noting that the movement was fading (due to their videos in recent years having tiny viewership), and that the flat earthers had mostly moved to QAnon)

      1. yetanotheraoc Silver badge

        Re: The real takeaway

        I thought the flat earthers were more picky about what they choose to believe.

  10. iron Silver badge

    > Most US cyber defences look at activity beyond the nation’s borders

    Well that's stupid since my router sees twice as many attacks from US than from RU and CN combined.

    1. gratou

      Yes but they are good attacks.

      1. teknopaul

        Attacks from US IP addresses are not necessarily run by an American; you may just have a lot of IP cameras turned into bots in the States.

  11. MOH

    "Most US cyber defences look at activity beyond the nation’s borders and assume the private sector in the USA takes care of itself."

    That seems .... optimistic

    1. Michael Wojcik Silver badge

      It seems implausible to me. I'd like to see a citation.

  12. Anonymous Coward

    1,000 developers in the know ?

    Seems unlikely. I expect only a dozen or so, using the work of other developers.

    Definitely not a Russian hack if it was 1,000. That many would leak...I would hope.

    My betting and prejudice would be China.

    Love China hate Xi.

  13. Anonymous Coward

    Supply chain hack first?

    Surely when Lockheed got spearphished by their compromised outsourced HR provider, that was supply chain attack?

    Or when every MSP out there got done over to gain access to customer networks.... that's supply chain attack.

  14. amanfromMars 1 Silver badge

    No Smoking Gun ... Identifies a Phantom Enemy. There's Counselling and Medication for Paranoia

    It's not everyday you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.

    Jon Miller: I build things much more sophisticated than this. What's impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage. ..... https://www.cbsnews.com/news/solarwinds-hack-russia-cyberattack-60-minutes-2021-02-14/

    There's always at least one, isn't there, blowing their own trumpet trying to excite the markets.

    Hasn't Jon Miller heard the news ........ Self praise is no recommendation. And why is it Uncle Sam is always getting hacked by perps wonderfully adapted and adept at not leaving behind any provable incriminating evidence. It doesn't get much more sophisticated than that if one considers it a weapon.

    1. very angry man

      Re: No Smoking Gun ... Identifies a Phantom Enemy. There's Counselling and Medication for Paranoia

      so happy to see you back, don't worry you'll soon have your writing back to normal.

      “What we are seeing is the first use of this supply chain disruption tactic against the United States,”

      Murkin's been doing it to EVERYone else for years, So pissed someone pulled the bully tactic on them!

    2. amanfromMars 1 Silver badge

      Useful IDiots 'r' Us

      There's always at least one, isn't there, blowing their own trumpet trying to excite the markets.

      And then there were two, to further compound and confound and peddle confusion in aid of chaos and conflict ‽ . ........ Former spy chief calls for military cyber attacks on ransomware hackers

      What could possibly go wrong ...... apart from everything of course?

      Heaven help us from former spy chiefs, and former anythings for that matter. There's a very good reason that they be returned to the shelf and removed from the front line.

      And does the Daily Telegraph pay folk to make stuff up to pump and dump as current views and valuable news, or is it the other way around with the Telegraph being paid for spreading such tales?

  15. mevets

    Havoc

    If anyone understands the havoc that 1000 programmers can create, it is MicroSoft's customers. MicroSoft has remained blithely ignorant of it for 40+ years.

  16. This post has been deleted by its author

  17. Anonymous Coward

    <title>?</title>

    ...But what a shower of Anonymous Cowards commenting on this very interesting article...

    AC, because: reasons

  18. Ashto5

    1000 programmers

    The only place you see those numbers would be in India

    Methinks they doth protest too much

    It was probably a couple of guys who spotted the security hole

    And now the big boys look stupid

    Classic technique exaggerate the story to not look stupid, children do it all the time

  19. Kevin McMurtrie Silver badge

    ...assume the private sector in the USA takes care of itself

    We're doomed!

  20. Muppet Boss

    Programmer joke

    Q. How many programmers does it take to write 4'032 lines of code?

    A. 1'008 if they are versed in Quatrains.

  21. Tessier-Ashpool

    4,032 lines of code took 1,000+ developers

    That's even worse productivity than mine!
