NOEL KING, HOST:
The Biden administration imposed more sanctions on Russia last week, citing as one reason the SolarWinds hack. This was an unusually bold breach. Hackers broke into the systems of Fortune 500 companies and federal government agencies. NPR has been piecing together how it happened. And with me now is NPR's Dina Temple-Raston. Good morning, Dina.
DINA TEMPLE-RASTON, BYLINE: Good morning.
KING: We've heard so much about cyberattacks in the past few years. How is this one different?
TEMPLE-RASTON: Well, this is different because the hackers attacked one private company in order to compromise hundreds, possibly thousands, of others. SolarWinds provides a kind of network monitoring software that lots of big companies and government agencies use. So if you successfully hack SolarWinds, you can get into all these other entities, too. That's what they mean when they talk about a supply chain attack.
KING: And so how did they manage to do this?
TEMPLE-RASTON: Well, this is all about quiet, sophisticated tradecraft. And one of the things we learned was that the hackers, who the White House had said were from Russian intelligence, created their own software update in a, like, temporary file inside of SolarWinds. And what they did is, at the last minute, they swapped out their file, which had malicious code in it, for the SolarWinds file. This is how CrowdStrike's Adam Meyers, who investigated the hack, put it. Take a listen.
ADAM MEYERS: When I was growing up, you used to have to check your Halloween candy 'cause somebody might have put a razor blade in your Reese's Peanut Butter Cup, right? But imagine those Reese's Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese's Peanut Butter Cup.
KING: OK, that is descriptive. And it means that once they got in, anyone who downloaded the software was compromised?
TEMPLE-RASTON: Well, it's a little more complicated than that. So about 18,000 SolarWinds customers downloaded this tainted software. But in order for it to work, the customers had to actually deploy the software, and they had to be connected to the Internet so that the hackers could get into their systems and communicate with their servers. So that's why they think there were about 100 top companies - like Microsoft, Cisco, Deloitte - that were actually breached, and about a dozen government agencies were infiltrated, too.
And we're not exactly sure what the hackers did. We know they read emails, but we don't know if they stole information or even changed information. What we do know is they had nine months in these systems to sort of roam around.
KING: Nine months. You landed some exclusive interviews with people who work at SolarWinds. What did they say when you asked, why were you targeted?
TEMPLE-RASTON: Well, you know, Noel, I asked the CEO of SolarWinds, Sudhakar Ramakrishna, exactly that. And he says it was because they were ubiquitous, that hackers wanted to hack one company and get into a bunch of others with just one fell swoop. Some of the company's critics, though, say they picked SolarWinds because their security wasn't up to snuff. We found some things that supported that - you know, a marketing website that was very specific about their clients, an easy password on a site where you could download some of their tools. But in the end, I think everybody we talked to agreed that this hack was so sophisticated that it would have been pretty hard for anybody to fight it.
KING: OK. And so the Biden administration has now put more sanctions on Russia. Is there anything else for the U.S. to do?
TEMPLE-RASTON: Well, the White House has said that they're responding in both seen and unseen ways. So in addition to the sanctions, we also expect there's going to be some sort of reprisal in cyberspace, like a hack-back. But we don't know exactly what that's going to be, and we probably won't know about it until long after it's already happened. In the meantime, the National Security Council is preparing another executive order, but this one, as we understand it, will be much more about the nuts and bolts of preventing and responding to attacks - things like software development standards, so someone can't sneak into your build environment and change things, like what happened in SolarWinds.
KING: Dina Temple-Raston with NPR's investigations unit. Thanks, Dina.
TEMPLE-RASTON: You're welcome. Transcript provided by NPR, Copyright NPR.