Government agencies and companies are on high alert as at least 200 organizations have been hacked as part of a suspected Russian cyber-attack, said a cybersecurity firm and three people familiar with ongoing investigations. Malicious code has been implanted in a widely used software program.
The cyber-attack used a backdoor in SolarWinds Corp.’s Orion network management software as a starting point for further attacks. One of the unanswered questions surrounding the hack is the number of actual hacking victims.
The malicious update was received by around 18,000 SolarWinds customers but the hacked computer networks are likely to be far fewer.
Threat analyst Allan Liska has said that a cybersecurity firm based in Massachusetts, Recorded Future Inc., has identified 198 hacking victims through the SolarWinds backdoor. Three other people who are familiar with the ongoing investigations said that the hackers further compromised at least 200 victims, moving within the computer networks or attempting to gain user credentials while the final number could rise from there. Neither of the sources provided any information about the victims or the motive of the hackers.
More than 1,000 of the roughly 18,000 receivers of the malicious update experienced the code ping a so-called second stage “command and control” server operated by hackers, providing them with the possibility to hack further into the network, according to publicly available data and the three people. The next step for the hackers would be to themselves infiltrate the computer network.
According to Bloomberg, a SolarWinds spokesperson said the company “remains focused on collaborating with customers and experts to share information and work to better understand this issue.”
“It remains early days of the investigation,” the spokesperson added.
A suspicion was there from the start about the involvement of hackers affiliated with the Russian government and Secretary of State Michael Pompeo on Friday provided confirmation in an interview.
“There was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
President Donald Trump downplayed the hack via a tweet and suggested that China, not Russia, might be responsible. Meanwhile, the acting chairman of the Senate Intelligence Committee, Marco Rubio, added that it was “increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the attackers have “demonstrated sophistication and complex tradecraft,” and it also said it had found evidence of other potential backdoors besides the SolarWinds Orion network.
FireEye Inc. disclosed on December 8 that they were hacked and Microsoft Corp. said on Thursday that 40 of its customers had been hacked. Among those hit by the cyber-attacks were unnamed cybersecurity companies, government contractors and agencies, roughly 80% of which are in the U.S.
