LONDON (Reuters) – Alleged Russian hackers gained access to the systems of a U.S. Internet provider and an Arizona county government as part of the extensive cyberespionage campaign disclosed this week, according to an analysis of publicly available web logs.
The hacking, which hijacked the ubiquitous network management software made by SolarWinds Corp to target a number of U.S. government agencies and was first reported by Reuters, is one of the largest ever discovered and has sent security teams around the world scrambling to contain the damage.
Intrusions into the networks of Cox Communications and the local government of Pima County, Arizona, show that alongside high-profile victims, including the U.S. Departments of Defense, State, and Homeland Security, the hackers also spied on lower-profile organizations.
A Cox Communications spokesman said the company had worked “all day” with the help of external security experts to investigate the consequences of the SolarWinds compromise. “The security of the services we offer is a priority,” he said.
In comments sent to Reuters by email, Pima County Information Director Dan Hunt said his team had followed U.S. government advice to take the SolarWinds software offline immediately after the hack was discovered. He said investigators had found no evidence of a further intrusion.
Reuters identified the victims by running a script released Friday by researchers at Moscow-based cybersecurity firm Kaspersky that decodes web logs left behind by the attackers.
The logs, a type of DNS record known as CNAME, contain an encoded unique identifier for each victim and show which of the thousands of available “backdoors” the hackers chose to open, Kaspersky researcher Igor Kuznetsov said.
“Most of the time these back doors just sleep,” he said. “But that’s where the real hack begins.”
CNAME records related to Cox Communications and Pima County were included in a list of technical information published by the American cybersecurity firm FireEye Inc., which was the first victim to discover and reveal that it had been hacked.
John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decode CNAME records published by FireEye and found that they were connected to Cox Communications and Pima County.
The records show that the backdoors at Cox Communications and Pima County were activated in June and July this year, the peak of the hacking activity identified so far by investigators.
It is unclear what information, if any, was compromised.
SolarWinds, which on Monday revealed its unwitting role at the center of the global hacking campaign, said as many as 18,000 users of its Orion software had downloaded a compromised update containing malicious code planted by the attackers.
As the fallout continued to roil Washington on Thursday, with a confirmed breach at the U.S. Department of Energy, U.S. officials warned that the hackers had used other methods of attack and urged organizations not to assume they were safe if they were not using recent versions of SolarWinds software.
Microsoft, which was one of thousands of companies to receive the malicious update, said it had so far notified more than 40 customers whose networks had been infiltrated by the hackers.
About 30 of those customers were in the United States, it said, with the remaining victims found in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates. Most were information technology companies, along with some think tanks and government organizations.
“It is certain that the number and location of the victims will continue to grow,” Microsoft President Brad Smith said in a blog post.
“The installation of this malware created an opportunity for attackers to track and choose from these customers the organizations they wanted to attack, which they seem to have done in a narrower, more focused way.”
Reporting by Jack Stubbs; Editing by Chris Sanders and Edward Tobin