Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say

About a third of the victims were not driving

SolarWinds Corp.

SWI 0.24%.

According to investigators and the government agency that investigated the incident, the software was initially considered a primary attack channel for hackers. This revelation fuels fears that the episode exploited vulnerabilities in enterprise software used by millions of people every day.


What changes do you think the U.S. government and U.S. companies need to make to protect data? Join the discussion below.

Hackers involved in the attack infiltrated these systems by exploiting known vulnerabilities in the software, guessing online passwords and exploiting various problems.

Microsoft Corporation

MSFT -2.92%.

According to the researchers, the cloud management software is implemented.

About 30 percent of the private and public victims associated with the campaign have no direct link to SolarWinds, Brandon Wales, acting director of the Cyber Security and Infrastructure Security Agency, said in an interview.

The attackers gained access to their targets in several ways. That opponent has been creative, said Wales, whose office, part of the U.S. Department of Homeland Security, is coordinating the government’s response. It is absolutely true that this campaign should not be considered a SolarWinds campaign.

Brandon Wales, acting director of the Cyber and Infrastructure Security Agency, at a Senate subcommittee hearing in December.


Rod Lamkey – Cnp/Zuma Click

Researchers at the company come to the same conclusion. IT security firm Malwarebytes Inc. announced last week that some of its cloud-based Microsoft email accounts had been compromised by the same attackers who targeted SolarWinds, via what Malwarebytes calls another intrusion vector. Hackers used Malwarebytes to break into a Microsoft Office 365 account and exploit a loophole in the software’s configuration to gain access to additional email accounts, Malwarebytes said. The company claims it does not use SolarWinds software.

The incident demonstrated how sophisticated attackers can move from one cloud computing account to another by exploiting little-known idiosyncrasies of the software authentication methods used by Microsoft, researchers said. In many cases, SolarWinds hackers used configuration issues known to Microsoft to manipulate systems in a way that allowed them to access email and documents stored in the cloud.

An alleged Russian cyber attack against the federal government targeted at least six ministries. Gerald F. Seib of the WSJ explains what repression means for President Joe Biden’s national security efforts. Photographic illustration: Laura Kammermann (Originally published on 23 December 2020)

SolarWinds itself is investigating whether the Microsoft cloud was the initial access point for hackers to its network, according to a person familiar with SolarWinds’ investigation, who said this was one of many theories being pursued.

We continue to work closely with law enforcement and intelligence agencies to investigate the scope of this unprecedented attack, a SolarWinds spokesperson said in an email.

They are certainly one of the most sophisticated players we have ever followed in terms of their approach, discipline and breadth of techniques, said John Lambert, director of Microsoft’s Threat Intelligence Center.

In December, Microsoft said hackers targeting SolarWinds had gained access to the company’s network and accessed the software’s internal source code, which security experts said was a security flaw but not a disaster. At the time, Microsoft said it had found no evidence that our systems were being used to attack other people.

How do I know if Zoom or Slack is not next, and what should I do?

– Director of Malicious Baba Marcin Kleczynski

It will take months or longer for piracy to fully unravel, and it raises questions about the trust many companies have in their technology partners. The US government publicly blames Russia, but that country denies any responsibility.

Data breaches have also undermined some of the cornerstones of modern business computing, with companies and government agencies relying on numerous software vendors to run remote software in the cloud or access their own networks to deliver updates that improve performance and security.

Companies and government agencies must now ask themselves to what extent they can really trust the people who make the software they use.

Malwarebytes relies on 100 software vendors, said Marcin Kleczynski, CEO of the security company. How do I know if Zoom or Slack are not next, and what should I do? Are we going to develop our own software?

The CEO of Malicious Profits, Marcin Kleczynski, in 2014.


Gary Reyes/TNS/Zuma Press

The attack came to light in December when security experts discovered that hackers had built a backdoor into SolarWinds software updates called Orion, which was widely used within the federal government and a range of Fortune 500 companies. The scale and sophistication of the attack surprised investigators almost at the start of their investigation.

SolarWinds stated that it tracked the hacking activity until at least September 2019 and that the attack gave the attackers a digital backdoor to 18,000 SolarWinds customers.

An official from the Welsh Cyber Security and Infrastructure Protection Agency said some victims had been compromised before SolarWinds installed the corrupt Orion software about a year ago.

Hacker attacks on solar power plants and cybersecurity

The ministries involved are Finance, Justice, Commerce, State, Homeland Security, Labor and Energy. In some cases, hackers have gained access to the emails of senior government officials, officials said. So far, dozens of private sector entities have also been identified as affected by the attack, Wales said, adding that the total number is well under 100.

Researchers tracked SolarWinds’ activities and identified the tools, online resources and methods used by hackers. Some US intelligence analysts have concluded that the group has ties to Russia’s foreign intelligence service, the SVR.

Mr Wales said his agency knew nothing about cloud software except that Microsoft was being targeted. He stated that investigators have not identified any other technology companies whose products have been compromised in a way that would allow them to infect other companies in the same way as SolarWinds.

Attempts to attack Microsoft software in the cloud show how hard hackers are trying to steal sensitive data. Microsoft is the world’s largest provider of business software, and its systems are used by many companies and government agencies.

There are many, many different ways to enter the cloud, he said.

Dmitri Alperovich,

Executive chairman of the Silverado Policy Accelerator, a think tank on cyber security. With many companies moving to the Microsoft 365 cloud in recent years, this has become a prime target, he said.

Another security company that doesn’t use SolarWinds software,

CrowdStrike Inc,

CRWD 1.56%.

The same attackers unsuccessfully tried to read his emails by taking control of an account used by the Microsoft reseller he worked with. The hackers then attempted to access CrowdStrike’s emails through this account.

In December, Microsoft informed CrowdStrike and Malwarebytes that hackers from SolarWinds were targeting them. At that time, Microsoft claimed to have identified more than 40 customers who were attacked. That number has risen since then, said a person familiar with Microsoft’s thinking.

When the SolarWinds hack was first discovered, current and former national security officials quickly concluded that it was one of the worst security breaches in history – an intelligence coup that went undetected for months or more, allowing suspected Russian spies to access internal emails and other files from various government agencies.

As investigators learned more about the extent of the piracy and its reach beyond SolarWinds, officials and lawmakers began to speak about it in even more frightening terms. Last week, the president

Joe Biden

has instructed the Director of National Intelligence

April Haynes,

Launch an investigation into Russian aggression against the United States, including the hacking of SolarWinds.

This could be the largest cyber invasion in the history of the world, Senator Jack Reed, a Democrat, said earlier this month during the hearing on Haynes’ confirmation.

April Haynes during her hearing before the Senate Intelligence Committee earlier this month.


Joe Redl – Pool via Cnp/Zuma Press

Wales said the hacking operation was much larger than the previous hacking operation against cloud computing providers, known as Cloud Hopper, which was linked to the Chinese government and widely regarded as one of the largest corporate espionage attacks. According to Wales, the hackers involved in the campaign were able to compromise the basic infrastructure of victims in both the public and private sectors in a way that disgraced them.

According to the government, investigators still believe the main goal of the hacking campaign is to gather information by spying on federal agencies and high-value corporate networks, or to compromise other technology companies whose access could lead to subsequent attacks.

We maintain that this is an espionage campaign designed to gather intelligence in the long term, Wales said. This suggests that if you compromise an agency’s authentication infrastructure, you can do a lot of damage.

-To learn more about WSJ Technology’s analysis, reviews, tips and headlines, subscribe to our weekly newsletter.

Email Robert McMillan at [email protected] and Dustin Volz at [email protected].

Copyright ©2020 Dow Jones & Company, Inc. All rights reserved. 87990cbe856818d5eddac44c7b1cdeb8

Related Tags:

suspected russian hack extends beyond solarwindssuspected russian hack extends solarwinds softwaresuspected russian extends far beyond solarwindssuspected russian extends far solarwinds softwaresuspected russian hack far beyond solarwindssuspected russian extends far solarwinds investigatorssuspected hack extends far beyond solarwindssuspected extends far beyond solarwinds software

You May Also Like