Suspected Russian cyber attack said to have struck 200 organisations

Of the roughly 18,000 SolarWinds customers who received the infected update, more than 1,000 experienced the malicious code ping through a so-called second stage "command and control" server operated by hackers, giving them the option to hack further into the network. PHOTO: EPA-EFE

At least 200 organisations, including government agencies and companies around the world, have been hacked as part of a suspected Russian cyber attack that implanted malicious code in a widely used software program, said a cyber-security firm and three people familiar with the investigations.

The number of actual hacking victims has been one of many unanswered questions surrounding the cyber attack, which used a backdoor in SolarWinds' Orion network management software as a staging ground for further attacks.

As many as 18,000 SolarWinds customers received a malicious update that included the backdoor, but the number of them that were actually hacked - meaning the attackers used the backdoor to infiltrate computer networks - is likely to be far lower.

Recorded Future, a cyber-security firm based in Massachusetts, has identified 198 victims that were hacked using the SolarWinds backdoor, said threat analyst Allan Liska.

Three other people said the inquiry so far has determined that the hackers further compromised at least 200 victims, moving within the computer networks or attempting to gain user credentials - what cyber-security experts call "hands-on-keyboard" activity.

The final number could rise from there. Neither Recorded Future nor the people familiar with the inquiry provided the identities of the victims.

The number is expected to grow as the wide-ranging investigation continues. The hackers' motive remains unknown, and it is not clear what they reviewed or stole from the computer networks they infiltrated.

Of the roughly 18,000 SolarWinds customers who received the infected update, more than 1,000 saw the malicious code beacon out to a so-called second-stage "command and control" server operated by the hackers, giving them the option to hack further into the network, according to publicly available data and the three people. Command and control servers are used by hackers to manage malicious code once it is inside a target network.

Of those more than 1,000, investigators have so far determined that at least 200 customers were further hacked. The step after that beacon is for the hackers themselves to move into the computer network.

A SolarWinds spokesman said the firm "remains focused on collaborating with customers and experts to share information and work to better understand this issue".

"It remains early days of the investigation," the spokesman said.

Hackers affiliated with the Russian government have been suspected from the start, and United States Secretary of State Mike Pompeo last Friday provided confirmation in an interview.

"There was a significant effort to use a piece of third-party software to essentially embed code inside of US government systems and, it now appears, systems of private companies and governments across the world as well," he said in a radio interview. "This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity."

On Saturday, Senate Intelligence Committee acting chairman Marco Rubio said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history".

Russia has denied involvement.

A top US cyber-security agency issued an alert last Thursday saying the hackers posed a "grave risk" to federal, state and local governments, as well as critical infrastructure and the private sector.

The US Cybersecurity and Infrastructure Security Agency said the attackers were patient, well resourced, and "demonstrated sophistication and complex tradecraft".

It also said it had found evidence of other potential backdoors besides the SolarWinds Orion platform, suggesting there could be entirely different batches of potential victims who have not yet been identified.

Microsoft said last Thursday that 40 of its customers had been hacked, the attacks were ongoing, and the number of victims is expected to increase.

Among those hit were unnamed cyber-security companies, government agencies and government contractors, roughly 80 per cent of which are in the US.

Cyber-security company FireEye was the first victim to disclose that it had been hacked, on Dec 8. It said that while investigating its own breach, researchers at the company discovered the SolarWinds backdoor.

Microsoft said it found the malicious SolarWinds update within its network, but that it found no evidence of access to "production services or customer data".

BLOOMBERG

A version of this article appeared in the print edition of The Straits Times on December 22, 2020, with the headline 'Suspected Russian cyber attack said to have struck 200 organisations'.