Smith said: “I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen."
And he added: "When we analysed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1000.”
If you can’t provide those important details, if you can’t back up the number with data, is it really a number you want to be quoted on? Is it a number worth printing?— Runa Sandvik (@runasand) February 15, 2021
A number of researchers chimed in with their comments on this claim, with former Tor Project member Runa Sandvik tweeting: "Saying 1000 engineers worked on the attack is like saying 1000 journalists worked on today’s front page story. Details like org structure, roles and responsibilities matter."
1,000 CNO capability developers hard at work: pic.twitter.com/usXfUA88AT— Joe Słowik ⛄ (@jfslowik) February 16, 2021
On 31 December, Microsoft announced that the attackers had accessed its source code, but brushed it away by saying: "At Microsoft, we have an inner source approach — the use of open source software development best practices and an open source-like culture — to making source code viewable within Microsoft." No mention was made of what source code had been accessed.
Folks outside of tech might not appreciate how insanely huge a "1000 engineer" team is, but for reference, Windows itself is in the order of 4000-5000 engineers.— Pwn All The Things (@pwnallthethings) February 15, 2021
On 13 January, email security provider Mimecast issued a statement saying a certificate it used for its Microsoft 365 connection had been compromised.
The same day, attackers who claimed to be behind the attacks started offering stolen Windows source code for sale.
Also remember that these were government engineers (or government contractors), so there was extra bureaucracy involved to make things super efficient. https://t.co/uZIFGIvfq3— Jake Williams (@MalwareJake) February 15, 2021
A day later, a small Israeli firm, Cycode, poked a big hole in Microsoft's argument, pointing out that the lack of timing and detail in Microsoft's announcement about its source code being accessed could only mean that this was bad news.
And this company's vice-president of marketing, Andrew Fife, had some sober words to offer, saying his firm was rooting for Microsoft. "Not only is it the right thing to do, but what other choice do any of us really have? The consequences of a widespread Microsoft supply chain attack could necessitate an Internet 'shelter in place order'. We hope this is the final chapter of Microsoft's breach, but we fear it may have been reconnaissance for the next bigger operation."
Every time you repeat the "the SolariGate operation required 1000 software engineers" lie, Microsoft sells another Defender ATP license.— Jake Williams (@MalwareJake) February 16, 2021
Since then, there has been silence about the attack, even though it is now more than two months since FireEye first told the world that its Red Team tools had been stolen. Five days after that announcement, details of SolarWinds involvement, through a compromise of the update chain for its Orion network management software, were revealed by FireEye.
Just because it takes 1,000+ engineers to ship a piece of crap like Teams or to make a Chromium variant doesn't mean you need that large a dev shop to create a CNE capability. #MirrorImagingBias— Joe Słowik ⛄ (@jfslowik) February 15, 2021
It's surprising that there has been no definitive claim about who was behind the attacks as yet. The bog standard accusation of Russia being behind it all has been flung about by the usual scaremongers, but such people — like Ellen Nakashima of The Washington Post — are known for making flaky claims.
This has led to speculation that Microsoft's software is much more at the centre of the the hack, apart from being the host operating system for Orion.
It is well known that many US Government software packages, even in sensitive areas like Defence, still run on ancient versions of Windows like XP. Given that, and the overwhelming preponderance of Windows in businesses and also homes, and its less-than-stellar security record, Redmond's involvement in this supply chain attack could well end up being much bigger than we know at present.