SolarWinds Hackers Stole Data on US Sanctions Policy and Intelligence Investigations




The SolarWinds logo is seen outside its corporate headquarters in Austin, Texas, USA, December 18, 2020. REUTERS / Sergio Flores / File Photo

SAN FRANCISCO, October 7 (Reuters) – Suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies came away with information on counterintelligence investigations, the policy of sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters.

The hacks were widely publicized after their discovery late last year, and U.S. officials blamed the Russian foreign intelligence service SVR, which denies the activity. But little has been disclosed about the spies’ goals and successes.

The reluctance of some publicly traded companies to explain their exposure has prompted a broad investigation by the Securities and Exchange Commission.

The campaign alarmed officials with its stealth and careful staging. The hackers infiltrated the code production process at SolarWinds (SWI.N), which makes software widely used for network management.

The group also took advantage of weaknesses in the methods Microsoft (MSFT.O) uses to identify users in Office 365, breaching some targets that used Microsoft software but not SolarWinds.

It has previously been reported that the hackers entered unclassified Justice Department networks and read emails in the Treasury, Commerce and Homeland Security departments. Nine federal agencies were breached. The hackers also stole digital certificates, which are used to convince computers that software is allowed to run on them, as well as source code from Microsoft (MSFT.O) and other tech companies.

One of those involved said the disclosure of the counterintelligence cases against Russia was the worst loss.

Spokesmen for the Justice Department and the White House did not respond to requests for comment on Wednesday.

In an annual threat review document released Thursday, Microsoft said Russian spies are ultimately looking for government documents on sanctions and other Russia-related policies, as well as American methods of catching Russian hackers.

Cristin Goodwin, chief executive of Microsoft’s digital security unit, said the company had drawn its conclusions from the types of customers and accounts targeted. In such cases, she told Reuters, “You can infer the operational targets.”

Others who worked on the government investigation went further, saying they could see terms the Russians used in their searches of US digital files, including “sanctions.”

Chris Krebs, former head of the US cyber defense agency CISA and now an advisor to SolarWinds and other companies, said the combined descriptions of the attackers’ objectives made sense.

“If I’m a threatening actor in an environment, I have a clear set of goals. First, I want to gain valuable insight into government decision making. The sanctions policy makes a lot of sense,” Krebs said.

The second thing is to learn how the target reacts to attacks, or “counter-incident response,” he said: “I want to know what they know about me so that I can improve my craft and avoid being detected.”

Reporting by Joseph Menn and Christopher Bing; edited by Peter Henderson
