Suspected Russian hack extends far beyond SolarWinds software, investigators say

Close to a third of the victims did not run the SolarWinds Corp. software initially thought to be the hackers’ main avenue of attack, according to investigators and the government agency looking into the incident. The revelation raises concern that the campaign exploited vulnerabilities in business software that millions of people use daily.


Hackers linked to the attack have broken into these systems by exploiting known bugs in software products, guessing online passwords, and taking advantage of a variety of issues in the way Microsoft Corp.’s cloud-based software is configured, investigators said.

About 30% of both the private-sector and government victims linked to the campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in an interview.

The attackers “gained access to their targets in various ways. This opponent was creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, coordinates the government’s response. “It is absolutely correct that this campaign should not be considered the SolarWinds campaign.”

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, in December during a hearing of a Senate subcommittee. Photo: Rod Lamkey / CNP / Zuma Press

Corporate investigators have come to the same conclusion. Last week, the computer security company Malwarebytes Inc. said some of its Microsoft cloud email accounts had been compromised by the same attackers who targeted SolarWinds. The hackers broke into a Malwarebytes Microsoft Office 365 account and exploited a weakness in the software’s configuration to gain access to a larger number of email accounts, Malwarebytes said. The company said it does not use SolarWinds software.

The incident showed how advanced attackers could jump from one cloud account to another using little-known quirks in the way software authenticates itself to the Microsoft service, investigators said. In many of the hacks, the SolarWinds hackers used known Microsoft configuration issues to trick systems into giving them access to email and documents stored in the cloud.

A suspected Russian cyberattack on the federal government has breached at least six cabinet-level departments. Gerald F. Seib of the WSJ explains what the hack means for President Joe Biden’s national security efforts. Photo illustration: Laura Kammermann (Originally published on December 23, 2020)

According to a person familiar with the SolarWinds investigation, SolarWinds itself is investigating whether Microsoft’s cloud was the hackers’ initial point of access to its network.

“We continue to work closely with federal law enforcement and intelligence agencies to investigate the full extent of this unprecedented attack,” a SolarWinds spokesman said in an email.

“This is certainly one of the most sophisticated actors we have ever followed in terms of their approach, their discipline and the variety of techniques they have,” said John Lambert, manager of Microsoft’s Threat Intelligence Center.

In December, Microsoft said the hackers behind the SolarWinds attack had gained access to its own corporate network and viewed the source code of internal software – a security breach, but not a catastrophic one, according to security experts. At the time, Microsoft said that “no evidence was found that our systems were being used to attack others.”


“How do I know Zoom or Slack is not next and what do I do?”


– Marcin Kleczynski, CEO of Malwarebytes

The hack will take months or longer to fully unravel, and it raises questions about the trust that many companies place in their technology partners. The US government has publicly blamed Russia, which has denied responsibility.

The breach also undermined some of the pillars of modern corporate computing, in which companies and government offices trust numerous software vendors to run applications remotely in the cloud or to access their own networks to deliver performance and security updates.

Now companies and government agencies are grappling with the question of how much they can really trust the people who build the software.

“Malwarebytes relies on 100 software vendors,” said Marcin Kleczynski, CEO of the security company. “How do I know that Zoom or Slack is not next, and what do I do? Are we starting to build our own software?”

Malwarebytes CEO Marcin Kleczynski in 2014. Photo: Gary Reyes / TNS / Zuma Press

The attack came to light in December, when security experts discovered that hackers had inserted a backdoor into updates to SolarWinds software called Orion, which was widely used in the federal government and by a number of Fortune 500 companies. The scale and sophistication of the attack surprised investigators almost as soon as they began looking into it.

SolarWinds said the hackers’ activity has been traced back to at least September 2019, and that the attack gave the intruders a digital back door into as many as 18,000 SolarWinds customers.

Mr. Wales of the Cybersecurity and Infrastructure Security Agency said some victims were compromised before SolarWinds shipped the tampered Orion software about a year ago.


The departments of Treasury, Justice, Commerce, State, Homeland Security, Labor and Energy have all suffered breaches. In some cases, hackers had access to the emails of senior officials, officials said. So far, dozens of private-sector institutions have also been identified as compromised in the attack, Mr. Wales said, adding that the total is well below 100.

Investigators tracked the SolarWinds activity by identifying the tools, online resources and techniques used by the hackers. Some US intelligence analysts have concluded that the group is linked to Russia’s foreign intelligence service, the SVR.

Mr. Wales said his agency was not aware of any cloud software other than Microsoft’s being targeted in the attack. And investigators have not identified another technology company whose products were broadly used to compromise other organizations, as SolarWinds’ were, he said.

The targeting of Microsoft’s cloud software shows the lengths to which the hackers went to steal sensitive data. Microsoft is the world’s largest provider of business software, and its systems are widely used by corporations and government agencies.

“There are many different ways into the cloud,” said Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator, a cybersecurity think tank. Because so many companies have moved to the Microsoft 365 cloud in recent years, it is “now one of the top targets,” he said.

Another security company that does not use SolarWinds software, CrowdStrike Inc., said the same attackers tried unsuccessfully to read its email by taking control of an account belonging to a Microsoft reseller it was working with. The hackers then tried to use the account to access CrowdStrike’s email.

In December, Microsoft notified both CrowdStrike and Malwarebytes that the SolarWinds hackers had targeted them. Microsoft said at the time that it had identified more than 40 customers affected by the attack. That number has increased since then, according to a person familiar with Microsoft’s thinking.

When the SolarWinds hack was first revealed, current and former national security officials quickly concluded that it was one of the worst breaches on record – an intelligence coup that went unnoticed for months or longer and gave suspected Russian spies access to internal email and other files across various government agencies.

As investigators learned more about the extent of the hack and its reach beyond SolarWinds, officials and lawmakers began talking about it in even more dire terms. Last week, President Joe Biden instructed his director of national intelligence, Avril Haines, to review Russian aggression against the US, including the SolarWinds hack.

“This is perhaps the biggest cyber intrusion in the history of the world,” Senator Jack Reed, a Democrat, said earlier this month during a confirmation hearing for Ms. Haines.

Avril Haines during her confirmation hearing before the Senate Intelligence Committee earlier this month. Photo: Joe Raedle / Pool via CNP / Zuma Press

Mr. Wales said the hacking campaign was “significantly more important” than an earlier campaign against cloud providers, known as Cloud Hopper and linked to the Chinese government, which is widely regarded as one of the largest corporate-espionage efforts. The hackers in this campaign were able to compromise the core infrastructure of government and private-sector victims in a way that dwarfs those attacks, Mr. Wales said.

Investigators continue to believe that the primary purpose of the hacking campaign, which the government says is still under way, is to gather intelligence by spying on federal agencies and valuable corporate networks – or by compromising other technology companies whose access could lead to follow-on attacks.

“We continue to maintain that this is an espionage campaign designed for long-term intelligence gathering,” Mr. Wales said. “That said, damaging an agency’s verification infrastructure can do a lot of damage.”


Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.
