SolarWinds hackers broke into a US cable company and an Arizona county, web records show

LONDON (Reuters) – Suspected Russian hackers gained access to the systems of a US internet provider and a county government in Arizona as part of the sweeping cyber espionage campaign disclosed this week, according to an analysis of publicly available web records.

FILE PHOTO: A SolarWinds Corp banner hangs at the New York Stock Exchange (NYSE) on the company’s IPO day in New York, U.S., October 19, 2018. REUTERS/Brendan McDermid/File Photo

The hack, which hijacked SolarWinds Corp’s widely used network management software to compromise multiple U.S. government agencies and was first reported by Reuters, is one of the largest ever discovered and has sent security teams around the world scrambling to limit the damage.

The network break-ins at Cox Communications and the local government in Pima County, Arizona, show that alongside high-profile victims, including the US Departments of Defense, State and Homeland Security, the hackers also spied on less prominent organizations.

A spokesman for Cox Communications said the company was working “around the clock” with the help of outside security experts to investigate the implications of the SolarWinds compromise. “The security of the services we provide is a top priority,” he said.

In responses emailed to Reuters, Pima County Chief Information Officer Dan Hunt said his team had followed the US government’s advice to take the SolarWinds software offline immediately after the hack was discovered. He said investigators had found no evidence of a further breach.

Reuters identified the victims by running a decryption script, released on Friday by researchers from Moscow-based cybersecurity firm Kaspersky, to decode online web records left behind by the attackers.

The type of web record, known as a CNAME, contains an encrypted unique identifier for each victim and shows which of the thousands of “back doors” at the hackers’ disposal they chose to open, Kaspersky researcher Igor Kuznetsov said.

“Most of the time these back doors just sleep,” he said. “But this is when the real hack starts.”

The CNAME records pertaining to Cox Communications and Pima County are included in a list of technical indicators published by US cybersecurity firm FireEye Inc, which was the first victim to discover and disclose that it had been hacked.

John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decrypt the CNAME records published by FireEye and found them connected to Cox Communications and Pima County.

The data shows that the backdoors at Cox Communications and Pima County were triggered in June and July this year, the peak of hacking activity identified by researchers so far.
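The passage above describes how the CNAME records were used: each record carries an opaque per-victim identifier, a CNAME answer marks a back door the attackers chose to activate, and the timestamps show when that happened. The following is an added example (not code from the article, Kaspersky or FireEye) of how a defender would hunt for that pattern in passive DNS data. It treats the identifier label as opaque rather than decoding it, uses a placeholder watchlist zone `c2-placeholder.example` instead of any real indicator, and runs over constructed log lines; the real indicators would come from the vendor-published lists mentioned in the article.

```python
"""Hunt passive-DNS records for back-door check-ins under a watchlisted zone.

Added illustration; the watchlist zone and log lines below are constructed
placeholders, not the real indicators from the campaign.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Placeholder attacker-controlled zone (hypothetical). Replace with the
# vendor-published indicators when running this against real data.
WATCHLIST = ("c2-placeholder.example",)

# Constructed sample passive-DNS lines: "<ISO timestamp> <queried name> <rrtype> <answer>"
# An A-only answer is a "sleeping" beacon; a CNAME answer into the same zone
# is the signal that the attackers chose to activate that back door.
SAMPLE_LOG = """\
2020-06-11T03:14:07Z id-aaaa1111.c2-placeholder.example A 20.0.0.1
2020-06-11T03:14:07Z www.example.org A 93.184.216.34
2020-06-12T09:02:41Z id-aaaa1111.c2-placeholder.example CNAME stage2-01.c2-placeholder.example
2020-07-03T18:45:12Z id-bbbb2222.c2-placeholder.example CNAME stage2-02.c2-placeholder.example
2020-07-04T00:00:00Z mail.example.org MX 10 mx.example.org
2020-07-09T11:20:33Z id-cccc3333.c2-placeholder.example A 20.0.0.2
"""


@dataclass
class Backdoor:
    """Everything observed for one opaque victim identifier."""
    identifier: str
    beacons: int = 0                                   # non-CNAME lookups (dormant check-ins)
    activated: List[datetime] = field(default_factory=list)  # CNAME answers (activation)


def in_watchlist(name: str) -> bool:
    """True if name is the watchlisted zone or any subdomain of it."""
    name = name.rstrip(".").lower()
    return any(name == zone or name.endswith("." + zone) for zone in WATCHLIST)


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Split one log line into (timestamp, qname, rrtype, answer)."""
    ts, qname, rrtype, answer = line.split(" ", 3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, qname.rstrip(".").lower(), rrtype.upper(), answer.strip()


def hunt(log_text: str) -> Dict[str, Backdoor]:
    """Group watchlist hits by the leftmost label, which carries the identifier."""
    found: Dict[str, Backdoor] = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        when, qname, rrtype, answer = parse_line(raw)
        if not in_watchlist(qname):
            continue
        identifier = qname.split(".")[0]  # opaque encoded identifier; decoding is out of scope
        backdoor = found.setdefault(identifier, Backdoor(identifier))
        if rrtype == "CNAME" and in_watchlist(answer):
            backdoor.activated.append(when)
        else:
            backdoor.beacons += 1
    return found


def activated_report(found: Dict[str, Backdoor]) -> List[Tuple[str, str]]:
    """(identifier, year-month of first activation) for every activated back door."""
    return sorted(
        (bd.identifier, min(bd.activated).strftime("%Y-%m"))
        for bd in found.values()
        if bd.activated
    )


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for ident, first in activated_report(results):
        print(f"{ident}: activated, first seen {first}")
    for ident, bd in results.items():
        if not bd.activated:
            print(f"{ident}: dormant, {bd.beacons} beacon(s) only")
```

On the constructed input this separates the two identifiers that received a CNAME answer (activated in June and July) from the one that only ever got an A record, which matches the article's distinction between back doors that "just sleep" and the ones the attackers chose to open.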

It is not clear what information, if any, has been compromised.

SolarWinds, which revealed its unwitting role at the center of the global hack on Monday, has said up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.

As the fallout continued in Washington on Thursday, with a confirmed breach at the U.S. Energy Department, US officials warned that the hackers had used other attack methods as well and urged organizations not to assume they were safe simply because they had not run the affected versions of the SolarWinds software.

Microsoft, one of the thousands of companies that received the malicious update, said it had so far notified more than 40 customers whose networks had been further infiltrated by the hackers.

About 30 of those customers were in the United States, it said, and the remaining victims were found in Canada, Mexico, Belgium, Spain, Great Britain, Israel and the United Arab Emirates. Most were information technology companies, along with some think tanks and government organizations.

“It is certain that the number and location of victims will continue to grow,” Microsoft president Brad Smith said in a blog post.

“The installation of this malware allowed the attackers to track and choose from among these customers the organizations that they wanted to attack further, which it apparently did in a narrower and more targeted manner.”

Reporting by Jack Stubbs; Editing by Chris Sanders and Edward Tobin
