SolarWinds Hack Victims: From Technology Companies to a Hospital and a University

Alleged Russian hackers behind the breaches of U.S. government agencies also accessed major U.S. technology and accounting firms, at least one hospital and a university, according to a Wall Street Journal analysis of internet records.

The Journal identified infected computers at two dozen organizations that had installed a tampered build of the network-management software SolarWinds Orion, which carried a covertly inserted backdoor that let the hackers in. It gave them potential access to highly sensitive personal and corporate data.

Among them: technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., accounting firm Deloitte LLP, cloud-computing software maker VMware Inc. and Belkin International Inc., which sells home and office Wi-Fi routers and networking equipment under the LinkSys and Belkin brands. The attackers also had access to the California Department of State Hospitals and Kent State University.

The victims offer a small window into the scope of the hacking, which the company said could have reached up to 18,000 customers of Austin-based SolarWinds Corp. after hackers inserted malicious code into a software update.

SolarWinds said it has traced the hackers’ activity back to at least October 2019 and is now working with security companies, law enforcement and intelligence agencies to investigate the attack.

Cisco confirmed that it found the malware on some employee systems and a small number of lab systems. The company is still investigating. “At this time, no impact is known on Cisco’s offerings or products,” a company spokesman said.


Intel downloaded and ran the malware, according to the Journal’s analysis. The company is investigating the incident and has found no evidence that hackers used the back door to access its network, a spokesman said.

Deloitte, infected in late June according to the Journal’s analysis, said it “has taken steps to fix” the malware but has not “observed any signs of unauthorized access to our systems at this time.”

VMware said it found “limited cases” of malware on its systems, but its “internal investigation has not revealed any evidence of exploitation,” a spokesman said.

Belkin said in an email that it removed the back door immediately after federal officials issued an alert last week. “No negative impact has been known so far,” a company spokeswoman said.

Cyberattackers also had access to Kent State University.


Photo:

shannon stapleton / Reuters

A spokeswoman for Kent State University said the school “was aware of the situation and is assessing this serious matter.”

According to the Journal’s analysis, the California Department of State Hospitals installed the back door in early August. State officials are working with state and federal agencies to address the impact of SolarWinds’ back door, according to a spokesman for the California Governor’s Office of Emergency Services, which declined to comment on specific agencies affected.

An Nvidia spokesman said the company “has no evidence at this time that Nvidia has been adversely affected and that our investigation is ongoing.”

The Journal took digital clues from victims’ computers that had been collected by the threat-intelligence companies Farsight Security and RiskIQ, and then used decoding methods to reveal the identities of some of the servers that downloaded the malicious code. In some cases, the analysis led to the identities of compromised organizations and showed when the code was probably activated, indicating that the hackers had access to those systems.

It is not yet known what the hackers did to the different organizations or whether they even used the back doors for many of the companies. But researchers and security experts say that in addition to internal communications and other government secrets, hackers may have searched for emails from corporate executives, files on sensitive technologies in development, and other ways to compromise more systems later.

Uncertainty has left SolarWinds customers – which include major technology companies, more than 400 Fortune 500 companies and many government agencies – looking to determine the consequences and whether hackers remain inside.

The attack combined extraordinarily stealthy tradecraft, using cyber tools never seen in a previous attack, with a strategy that targeted a weak link in the software supply chain that companies, institutions and the U.S. government alike rely on, an approach that security experts have long feared but that had never been used against U.S. targets in such a concerted manner.

Government agencies and cybersecurity experts continue to work to grasp the scale of the suspected espionage campaign. At least six federal agencies, including the Departments of State, Homeland Security, Commerce and Energy, were hacked as part of the campaign.

Last week, the Cybersecurity and Infrastructure Security Agency issued an alert saying the hacking was “serious” and ongoing. SolarWinds has released an update that closes the back door, and Microsoft Corp. has taken control of part of the hackers’ infrastructure to prevent the attack from spreading.

Federal investigators have concluded that the Russian government is likely responsible for the hacking, in part because of the skill level it required. Several senators who have received briefings in recent days have openly described it as a Russian operation. And on Friday, Secretary of State Mike Pompeo became the first Trump administration official to publicly blame Moscow, although President Trump in a tweet on Saturday suggested, without evidence, that China could be responsible.

Moscow has denied responsibility.

“Customers are definitely freaking out,” said David Kennedy, whose company, TrustedSec LLC, is investigating the hack. For many companies, the concern is whether the attackers stole data or remain undetected on corporate networks, he said. What’s more, because the attack dates back many months, some companies may no longer have the forensic data needed to conduct a full investigation.

“If this is really SVR, as we believe it is, these guys are incredibly hard to do outside of networking,” said Dmitri Alperovitch, a cybersecurity expert and co-founder of the think tank Silverado Policy Accelerator, referring to Russia’s Foreign Intelligence Service.

Some organizations that keep better records of activity on their systems will likely be able to determine whether someone came through the back door into their networks, said Alperovitch, who also co-founded the cybersecurity firm CrowdStrike Holdings Inc.

But for others, especially small and medium-sized companies, it will be a difficult and costly task that many will forgo, meaning Russia could maintain a presence on some networks indefinitely.

“They’ll probably just pull back the door and move on,” Alperovitch said.

For many corporate victims, the looming fear now is that the hackers could use them as a stepping stone to reach their customers. For example, Microsoft found in an analysis published Thursday that nearly half of the more than 40 customers affected by the attack were information-technology service companies, which often have broad access to their customers’ networks.

Microsoft, itself a SolarWinds customer, said last week that it had also detected the malicious software on its own network, but “there is no evidence that our systems were used to attack others,” a company spokesman said. The company’s investigation continues.

Write to Kevin Poulsen at [email protected], Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.