SolarWinds Hack Victims: From Tech Companies to a Hospital and a University

The suspected Russian hackers behind breaches of US government agencies also gained access to major US technology and accounting companies, at least one hospital and a university, according to a Wall Street Journal analysis of internet records.

The Journal identified infected computers at two dozen organizations that had installed a contaminated build of the network-monitoring software SolarWinds Orion, which let the hackers enter through a covertly inserted back door. It potentially gave them access to a great deal of sensitive corporate and personal data.

Among them: technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., accounting firm Deloitte LLP, cloud computing software maker VMware Inc. and Belkin International Inc., which markets Wi-Fi routers and network equipment for home and office under the Linksys and Belkin brands. The attackers also had access to the California Department of State Hospitals and Kent State University.

The victims offer a small glimpse into the scale of the hack: as many as 18,000 customers of Austin-based SolarWinds Corp. could have become entangled, the company said, after hackers laced a routine software update with malicious code.

SolarWinds said it traces the hackers’ activity back to at least October 2019 and is now working with security companies, law enforcement and intelligence agencies to investigate the attack.

Cisco confirmed that it has found the malicious software on some employee systems and a small number of lab systems. The company is still investigating. “At this time, there is no known impact on Cisco offerings or products,” said a company spokesperson.

[Photo: Intel is investigating the incident and has found no evidence that the hackers used the back door to access the company’s network, a spokesman said. Stephen Nellis / Reuters]

Intel downloaded and executed the malicious software, the Journal’s analysis found. The company is investigating the incident and has found no evidence that the hackers used the back door to access the company’s network, a spokesman said.

Deloitte, infected in late June according to the Journal’s analysis, said it has “taken steps to tackle the malware,” but “has seen no evidence of unauthorized access to our systems at this time.”

VMware said it had found “limited instances” of the malicious software in its systems, but its “internal investigation has revealed no evidence of exploitation,” a spokesman said.

Belkin said in an email that it immediately removed the back door after federal officials issued a warning last week. “No known adverse impact has been identified to date,” said a company spokeswoman.

[Photo: The cyber attackers also had access to Kent State University. Shannon Stapleton / Reuters]

A Kent State University spokeswoman said the school was “aware of the situation and is evaluating this serious issue.”

The California Department of State Hospitals installed the back door in early August, according to the Journal’s analysis. State officials are working with federal and state agencies to address the impact of the SolarWinds backdoor, according to a spokesman for California’s Governor’s Office of Emergency Services, who declined to comment on specific agencies affected.

A spokesperson for Nvidia said the company “currently has no evidence that Nvidia was adversely affected and that our investigation is still ongoing.”

The Journal used digital clues from victims’ computers, collected by Farsight Security and RiskIQ, a threat intelligence company, and then applied decryption methods to identify some of the servers that had downloaded the malicious code. In some cases, the analysis revealed the identity of compromised organizations and showed when the code was likely activated, indicating that the hackers had access.

It is not yet known what the hackers did inside the various organizations, or whether, at many companies, they used the back door at all. But researchers and security experts say that, beyond internal communications and other government secrets, the hackers may have sought out executives’ emails, files on sensitive technologies under development, and other footholds from which to compromise more systems later.

The uncertainty has left SolarWinds’ customers, including major tech companies, more than 400 Fortune 500 companies and many government agencies, struggling to determine the consequences and whether the hackers remain inside their networks.

The attack combined extraordinary covert craftsmanship, using cyber tools never seen in a previous attack, with a strategy that targeted a weak link in the software supply chain that U.S. companies and government agencies all rely on: an approach that security experts have long feared but that had never been used in such a coordinated way against American targets.

Government agencies and cybersecurity experts are still working to piece together the massive suspected espionage operation. At least six federal agencies, including the Departments of State, Homeland Security, Commerce and Energy, were hacked as part of the campaign.

The Cybersecurity and Infrastructure Security Agency released a warning last week that the hack was “serious” and ongoing. SolarWinds has released an update that shuts the back door, and Microsoft Corp. has taken control of some of the hackers’ infrastructure to prevent the attack from spreading.

Federal investigators have concluded that the Russian government is probably at least partly responsible for the hack because of the skill level involved. Several senators who have received briefings in recent days are openly calling it a Russian operation. And on Friday, Secretary of State Mike Pompeo became the first Trump administration official to publicly blame Moscow, even though President Trump on Saturday suggested in a tweet, without evidence, that China could be responsible.

Moscow has denied responsibility.

“Customers are in absolute panic,” said David Kennedy, whose company, TrustedSec LLC, is investigating the hack. For many companies, the concern is whether the attackers have stolen data or remain undetected inside corporate networks, he said. Additionally, because the attack goes back many months, some companies may no longer have the forensic data needed to conduct a full investigation.

“If this is indeed SVR, as we think it is, those guys are incredibly difficult to kick out of networks,” said Dmitri Alperovitch, a cybersecurity expert and co-founder of the Silverado Policy Accelerator think tank, referring to Russia’s foreign intelligence agency.

Some organizations that keep better records of activity on their systems will likely be able to determine whether someone walked through the Russian back door into their network, said Mr. Alperovitch, who was also a co-founder of cybersecurity firm CrowdStrike Holdings Inc.

But for others, especially small and medium-sized businesses, it will be a difficult and expensive task that many will likely skip, meaning Russia could remain in some networks indefinitely.

“They’re probably just going to remove the back door and move on,” Mr. Alperovitch said.

For many business victims, the looming fear is that the hackers could use them as a way to get to their customers. For example, Microsoft found in a study released Thursday that nearly half of the more than 40 customers affected in the attack were IT service companies, who often have wide access to their customers’ networks.

Microsoft, itself a SolarWinds customer, said last week that it had also detected malicious software related to the hack on its own network, but found “no evidence that our systems were being used to attack others,” a company spokeswoman said. The company’s investigation continues.

Write to Kevin Poulsen at [email protected], Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.