At least 200 victims identified in suspected Russian hacking
At least 200 organizations, including government agencies and businesses around the world, have been hacked in a suspected Russian cyberattack that implanted malicious code into widely used software, according to a cybersecurity company and three people familiar with the ongoing investigations.
The number of actual hacks was one of the many unanswered questions about the cyberattack, which used a backdoor in SolarWinds Corp.'s Orion network management software as a staging ground for further attacks.
Recorded Future Inc., a Massachusetts-based cybersecurity company, has identified 198 victims who were hacked using the SolarWinds backdoor, said threat analyst Allan Liska. Three other people said the investigation has so far determined that the hackers further compromised at least 200 victims, roaming their computer networks or attempting to obtain user credentials, activity that cybersecurity experts call “hands-on keyboard.” The final number could increase from there.
Neither Recorded Future nor the people familiar with the investigation identified the victims. The number is expected to rise as the full-scale investigation continues. The hackers' motivations remain unknown, as does what they examined or stole from the computer networks they infiltrated.
Of the approximately 18,000 SolarWinds customers who received the infected update, in more than 1,000 cases the malicious code pinged a so-called second-stage “command and control” server operated by the hackers, giving them the ability to push further into the network, according to publicly available data and the three people. Command and control servers are used by hackers to manage malicious code once it is inside a target network. Of those more than 1,000, investigators have so far determined that at least 200 were hacked.
The next step would be for the hackers themselves to infiltrate the computer network.
A spokesperson for SolarWinds said the company “remains focused on working with customers and experts to share information and work to better understand this issue.”
“These are still the first days of the investigation,” the spokesperson said.
Hackers affiliated with the Russian government have been suspected from the start, and Secretary of State Michael Pompeo confirmed that suspicion in an interview on Friday.
“There has been a significant effort to use third-party software to essentially embed code into US government systems, and now it appears that private business and corporate and government systems around the world are also present,” Pompeo said in a radio interview. “It was a very important effort, and I think it is true that now we can say quite clearly that it was the Russians who engaged in this activity.”
President Donald Trump on Saturday played down the hack on Twitter and suggested that China, not Russia, could be responsible, while acting Senate Intelligence Committee chairman Marco Rubio said it was increasingly clear that Russian intelligence had carried out the most serious cyber-intrusion in our history.
A major U.S. cybersecurity agency issued an alert Thursday, saying the hackers pose a “serious risk” to federal, state and local governments, as well as critical infrastructure and the private sector. The Cybersecurity and Infrastructure Security Agency, or CISA, said the attackers were patient, well resourced and “displayed sophistication and complex know-how.”
CISA also said it found evidence of other potential backdoors besides the SolarWinds Orion platform, suggesting that there could be entirely different batches of potential victims that have yet to be identified.
Microsoft Corp. said on Thursday that 40 of its customers had been hacked, that the attacks were ongoing and that the number of victims was expected to rise. Among those affected were unidentified cybersecurity companies, government agencies and government contractors, about 80% of them in the United States.
Cybersecurity firm FireEye Inc. was the first victim to reveal, on December 8, that it had been hacked, and said that while investigating its own breach, company researchers discovered the SolarWinds backdoor. Microsoft itself said it found the malicious SolarWinds update on its network, but found no evidence of access to “production services or customer data.”
By William Turton