The American technology company at the centre of the most significant cyber hack in recent history has hired the recently fired US government cyber security chief Chris Krebs to help it deal with the fallout.
SolarWinds, the Texas-based company whose software was exploited by suspected Russian hackers to spy on governments and businesses around the world, has appointed Mr Krebs as an independent consultant.
Mr Krebs was in charge of the US cyber security agency until November, when he was fired on Twitter by outgoing president Donald Trump for challenging his claims that the election had been compromised by fraud.
He will work for SolarWinds to help co-ordinate the company’s crisis response, alongside his new business partner Alex Stamos, a Stanford University professor and Facebook’s former security chief. The pair told the Financial Times it could take years before all of the compromised systems are completely secure again.
Mr Krebs said: “This has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world.
“It was just one small part of a much larger plan that’s highly sophisticated, so I would be expecting more companies that have been compromised; more techniques that we’re yet to find . . . There’s so much more to be written I think in this chapter of Russian cyber-intelligence operations.”
Investigators are scrambling to establish the full scale and scope of the ongoing campaign, with some experts suggesting that it may stretch back years.
SolarWinds said in December that 18,000 of its clients may have been exposed to the hackers, who hijacked one of its popular software products in March. The hackers are believed to have hand-selected specific targets from among those 18,000, posing as legitimate staffers in their systems to access confidential information stored in the cloud.
The company has been accused of not being sufficiently open about the scale or method of the attack — a criticism Mr Stamos tacitly acknowledged, while praising FireEye, the cyber security company which was itself a victim.
“FireEye has been extremely transparent and that’s worked out really well for them. There’s been less of that [from] the other companies involved, and that means that things are leaking out that may or may not be true,” he said.
US intelligence officials said this week that they had identified “fewer than 10” federal agencies that had been compromised. So far, the commerce, energy and justice departments have confirmed that they were victims. The hackers also spied on dozens of US Treasury email accounts and accessed the systems used by some of the department’s highest-ranking officials.
The electronic filing system used by the federal courts was also compromised, the US judiciary said on Thursday.
Last week Microsoft said in a blog post that the same hackers had accessed some of the internal source code underlying its proprietary software, although they had not modified it or accessed any customer data.
Ejecting the hackers from systems may be another battle. Mr Stamos said the attackers were likely to have embedded hidden pieces of code that would enable them to continue snooping on agencies and companies for years to come.
“The metaphor I use is the iron harvest, for Belgian and French farmers in the spring,” he said. “After the rains they go to their fields and they still find shells from world war one and world war two. That’s what it’s going to be like for a while.”
While Mr Trump has downplayed the idea that Russian hackers are to blame and even pointed the finger at China, US intelligence agencies have said that the perpetrators were “likely Russian in origin”.
Mr Krebs added that there was “zero question” in the intelligence community that Russia’s foreign intelligence service, the SVR, was responsible.
Some in Congress have called for the US to retaliate against the perpetrator as a result, but Mr Krebs said that from what was known of the attack so far it fell under the category of espionage, an assertion also made by US intelligence agencies.
“The US has signalled on the world stage, over and over again, that this kind of behaviour is actually OK, so I don’t expect that the US will respond,” Mr Krebs said.
But he added that any escalation by the hackers should prompt a “dramatic” and “proportional” response from the US government.