Investigators have revealed the massive suspected Russian cyber attack that preyed on government agencies and blue-chip businesses may be far greater than first realized, as a third of victims had not even installed the software previously thought to have been used to carry out the ‘Pearl Harbor of hacks’.
Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency which is investigating the attack, said a staggering 30 percent of federal agencies and private firms now known to have been breached had no direct connection to SolarWinds.
Several victims had already fallen foul of the attack long before SolarWinds even deployed its Orion network management software, which was corrupted by the highly sophisticated hackers.
Wales said there is evidence hackers used Microsoft’s cloud software as a way into some systems, sparking fears that millions of individuals, businesses and government agencies may have been vulnerable to the attack.
In late December, the nation’s top security agencies including the FBI and the Pentagon were rocked by an unprecedented breach when it emerged SolarWinds had been hacked.
The attackers, which US intelligence officials have since said were ‘likely’ from Russia’s SVR foreign intelligence service, used Orion as an open door to break into the computer systems of users.
The attack began as far back as October 2019, leaving Moscow free rein to explore the networks of government agencies, private companies and think-tanks for months.
But it has now emerged the attack may have affected far more than the 18,000 customers using SolarWinds software.
Wales told the Wall Street Journal that investigators have concrete evidence hackers broke in using systems other than SolarWinds, gaining access to their targets ‘in a variety of ways’.
‘This adversary has been creative. It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign,’ he said.
Instead, Wales said hackers exploited known bugs in software products, guessed passwords and took advantage of issues in the configuration of Microsoft’s cloud software.
Once inside a cloud-computing account, the attackers were able to leapfrog to other accounts and trick systems into granting them access to emails and documents stored in the cloud.
Last week, cyber security firm Malwarebytes said it had been hacked and revealed it does not use any SolarWinds software.
The firm said hackers had instead broken into its internal emails by abusing access to Microsoft Office 365 and Azure software.
Another security firm, CrowdStrike, which is not a SolarWinds customer either, said hackers had tried unsuccessfully to access its email through a Microsoft reseller.
GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR
Department of State
Department of Homeland Security
National Institutes of Health
Department of Energy
National Nuclear Security Administration
Los Alamos National Laboratory
Federal Energy Regulatory Commission
Office of Secure Transportation
John Lambert, the manager of Microsoft’s Threat Intelligence Center, told the Journal ‘this is certainly one of the most sophisticated actors that we have ever tracked in terms of their approach, their discipline and range of techniques that they have.’
So far, investigators have not identified any cloud software other than Microsoft’s that was targeted in the attack, or any tech company other than SolarWinds whose products were used to infiltrate other systems, Wales told the Journal.
Microsoft announced at the end of December that the perpetrators behind the massive cyber attack had broken into its own internal network and accessed some of its source code.
The source code – the underlying set of instructions that run a piece of software or operating system – is typically among a technology company’s most closely guarded secrets.
The revelation also went beyond previous announcements that Microsoft had just detected malicious SolarWinds software in its systems and removed it.
However, the company did say at the time it had found no evidence that the hackers had accessed its production services or customer data or that its systems were used to attack others.
A source told the Journal SolarWinds is carrying out its own investigation into the possibility that Microsoft’s cloud software was the initial entry point into its own network.
At present, the true scope of the breach is still not fully known but Wales said it was ‘substantially more significant’ than the Cloud Hopper attack – where eight of the world’s biggest technology service providers were hacked by Chinese spies.
Wales said the probe continues to show the hack was to enable spies to carry out ‘long-term intelligence collection’.
‘When you compromise an agency’s authentication infrastructure, there is a lot of damage you could do,’ he said.
The number of government agencies and private businesses affected is still not known.
Last month, intelligence officials said an estimated 18,000 organizations were affected by malicious code that piggybacked on the SolarWinds software.
Of those customers, though, ‘a much smaller number has been compromised by follow-on activity on their systems,’ they said.
So far, investigators have found fewer than 10 US government agencies whose systems were compromised.
CISA has not disclosed which agencies were affected but some have admitted they were targets, including the State Department, Commerce Department, Treasury, Homeland Security Department, Defense Department, and the National Institutes of Health.
Meanwhile, Wales told the Journal the number of private-sector firms so far identified as victims was well under 100.
US intelligence officials have publicly blamed Russia for the attack.
In his first phone call with Russian President Vladimir Putin as the 46th president of the United States, Joe Biden brought up the hack among ‘other matters of concern’.
A handful of federal government agencies have officially confirmed having been affected, including the U.S. Treasury Department, the Commerce Department, and the Department of Energy.
‘President Biden made clear that the United States will act firmly in defense of its national interests in response to actions by Russia that harm us or our allies,’ the White House said in a statement.
Earlier in January, all four US intelligence agencies (the FBI, the Directorate of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency) issued a statement saying Russia was ‘likely’ behind the attack.
Their investigation ‘indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,’ they said.
The agencies said they believe the hack was ‘an intelligence gathering effort’.
‘We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,’ the statement said.
Both Secretary of State Mike Pompeo and then-Attorney General Bill Barr had previously pointed to Moscow as the culprit.
But then-President Donald Trump, who repeatedly refused to criticize Putin, dismissed Russia’s involvement, instead trying to pin the blame on China.
Russia has denied all involvement.