Alleged Russian hack goes way beyond SolarWinds software, investigators say




Almost a third of victims did not run SolarWinds Corp. software, which was initially seen as the primary route of attack for hackers, according to investigators and the government agency that investigated the incident. The revelation fuels concern that the episode exploited vulnerabilities in enterprise software used by millions of people daily.


Hackers linked to the attack entered these systems by exploiting known bugs in software products, guessing passwords online, and capitalizing on a variety of issues in the way Microsoft Corp. cloud-based software is configured, investigators said.

About 30% of private sector and government victims linked to the campaign had no direct connection to SolarWinds, said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, in an interview.

The attackers “gained access to their targets in various ways. This adversary has been creative,” said Wales, whose agency, part of the US Department of Homeland Security, is coordinating the government’s response. “It is absolutely correct that this campaign should not be viewed as the SolarWinds campaign.”

Brandon Wales, Acting Director of the Cybersecurity and Infrastructure Security Agency, at a Senate subcommittee hearing in December. Photo: Rod Lamkey – Cnp / Zuma Press

Corporate investigators have come to the same conclusion. Last week, computer security firm Malwarebytes Inc. said a number of its Microsoft cloud email accounts had been compromised by the same attackers who had targeted SolarWinds, using what Malwarebytes called “another intrusion vector”. Hackers broke into a Malwarebytes Microsoft Office 365 account and took advantage of a loophole in the software configuration to gain access to more email accounts, Malwarebytes said. The company said it does not use SolarWinds software.

The incident demonstrated how sophisticated attackers could move from one cloud computing account to another by taking advantage of little-known idiosyncrasies in the way the software authenticates itself to the Microsoft service, investigators said. In numerous heists, SolarWinds hackers have taken advantage of known Microsoft configuration issues to trick systems into giving them access to email and documents stored in the cloud.

A suspected Russian cyberattack on the federal government violated at least six government departments. Gerald F. Seib of the WSJ explains what hacking means for President Joe Biden’s national security efforts. Photo illustration: Laura Kammermann (originally posted December 23, 2020)

SolarWinds itself is investigating whether Microsoft’s cloud was the initial point of entry for hackers into its network, according to someone familiar with the SolarWinds investigation, who said it was one of many theories being pursued.

“We continue to work closely with federal law enforcement and intelligence agencies to investigate the full extent of this unprecedented attack,” a SolarWinds spokesperson said in an email.

“He’s certainly one of the most sophisticated players we’ve ever followed in terms of the approach, discipline and range of techniques they have,” said John Lambert, director of Microsoft’s Threat Intelligence Center.

In December, Microsoft said hackers who had targeted SolarWinds accessed its own corporate network and viewed the source code of internal software – a security lapse but not a catastrophic flaw, security experts said. At the time, Microsoft said it had “found no indication that our systems were being used to attack other people.”


The hack will take months or more to unravel completely and raises questions about the trust many companies place in their technology partners. The US government publicly blamed Russia, which denied responsibility.

The data breach has also undermined some of the pillars of modern enterprise computing, in which businesses and governments entrust a myriad of software vendors to run programs remotely in the cloud or to access their own networks to provide updates that improve performance and security.

Today’s businesses and government agencies are grappling with the question of how well they can really trust the people who create the software they use.

“Malwarebytes relies on 100 software vendors,” said Marcin Kleczynski, CEO of the security company. “How do I know Zoom or Slack is not next and what should I do? Are we starting to create software in-house?”

Marcin Kleczynski, CEO of Malwarebytes, in 2014. Photo: Gary Reyes / TNS / Zuma Press

The attack surfaced in December, when security experts discovered that hackers had inserted a backdoor into updates to SolarWinds software, called Orion, which was used widely across the federal government and by a wide range of Fortune 500 companies. The scope and sophistication of the attack surprised investigators almost as soon as they began their investigation.

SolarWinds said it traced hacker activity at least through September 2019 and that the attack gave intruders a digital backdoor to up to 18,000 SolarWinds customers.

Mr Wales of the Cybersecurity and Infrastructure Security Agency said some victims were compromised before SolarWinds deployed corrupted Orion software about a year ago.


The departments of Treasury, Justice, Commerce, State, Homeland Security, Labor and Energy have all suffered breaches. In some cases, hackers accessed emails of higher-ranking officials, officials said. So far, dozens of private sector institutions have also been identified as compromised in the attack, Wales said, adding that the total was well below 100.

Investigators followed SolarWinds activity by identifying tools, online resources and techniques used by hackers. Some US intelligence analysts concluded that the group was linked to the Russian foreign intelligence service, the SVR.

Mr Wales said his agency was unaware of any cloud software other than Microsoft’s being targeted in the attack. And investigators have not identified another tech company whose products were broadly compromised to infect other organizations, as SolarWinds’ were, he said.

The effort to target Microsoft’s cloud software shows the scale of hackers’ efforts to steal sensitive data. Microsoft is the world’s largest provider of business software, and its systems are widely used by businesses and government agencies.

“There are many ways to access the cloud,” said Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator, a cybersecurity think tank. As many companies have moved to the Microsoft 365 cloud in recent years, it “is now a prime target,” he said.

Another security company that doesn’t use SolarWinds software, CrowdStrike Inc., said the same attackers tried unsuccessfully to read its email by taking over an account used by a Microsoft reseller it worked with. The hackers then attempted to use this account to access CrowdStrike’s email.

In December, Microsoft informed CrowdStrike and Malwarebytes that the SolarWinds hackers had targeted them. Microsoft then said it had identified more than 40 customers affected by the attack. That number has since increased, said someone familiar with Microsoft’s thinking.

When the SolarWinds hack was first discovered, current and former national security officials quickly concluded that it was one of the worst breaches on record – an intelligence coup that went undetected for several months or more and allowed suspected Russian spies to gain access to internal emails and other files from several government agencies.

As investigators learned more about the scope of the hack and its reach beyond SolarWinds, officials and lawmakers began to talk about it even more disastrously. Last week, President Joe Biden tasked his director of national intelligence, Avril Haines, to lead a review of the Russian aggression against the United States, including the SolarWinds hack.

“This may be the biggest cyber intrusion in world history,” Senator Jack Reed, a Democrat, said earlier this month during a confirmation hearing for Ms. Haines.

Avril Haines at her confirmation hearing before the Senate Intelligence Committee earlier this month. Photo: Joe Raedle – Pool via Cnp / Zuma Press

Mr Wales said the hacking operation was “significantly bigger” than a previous hacking frenzy against cloud providers, known as Cloud Hopper and linked to the Chinese government, widely regarded as one of the biggest corporate espionage efforts ever. The hackers in this campaign were able to compromise the basic infrastructure of government and private sector victims in a way that overshadows this attack, Wales said.

Investigators still believe that the primary goal of the hacking campaign, which the government says is ongoing, is to glean information by spying on federal agencies and high-value business networks – or to compromise other technology companies whose access could lead to subsequent attacks.

“We continue to maintain that this is a spy campaign designed for long-term intelligence gathering,” Wales said. “Having said that, when you compromise an agency’s authentication infrastructure, you can do a lot of damage.”


Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.
