At least 200 victims identified in suspected Russian hacking

William Turton

Washington – At least 200 organizations, including government agencies and companies around the world, have been hacked as part of a suspected Russian cyberattack that implanted malicious code in a widely used software program, said a cybersecurity firm and three people familiar with ongoing investigations.

The number of actual hacking victims has been one of many unanswered questions surrounding the cyberattack, which used a backdoor in SolarWinds Corp.’s Orion network management software as a staging ground for further attacks.


As many as 18,000 SolarWinds customers received a malicious update that included the backdoor, but the number that was actually hacked – meaning the attackers used the backdoor to infiltrate computer networks – is likely to be far fewer.

Recorded Future Inc., a cybersecurity firm based in Massachusetts, has identified 198 victims that were hacked using the SolarWinds backdoor, said threat analyst Allan Liska. Three other people said the inquiry so far has determined that the hackers further compromised at least 200 victims, moving within the computer networks or attempting to gain user credentials – what cybersecurity experts call “hands on keyboard” activity. The final number could rise from there.

Neither Recorded Future nor the people familiar with the inquiry provided the identities of victims. The number is expected to grow as the wide-ranging investigation continues. The hackers’ motive remains unknown, and it’s not clear what they reviewed or stole from the computer networks they infiltrated.

Of the roughly 18,000 SolarWinds customers that received the infected update, more than 1,000 saw the malicious code contact a so-called second-stage “command and control” server operated by the hackers, giving them the option to hack further into the network, according to publicly available data and the three people. Command and control servers are used by hackers to manage malicious code once it’s inside a target network. Of those more than 1,000, investigators have so far determined that at least 200 were further hacked.

The next step would be for the hackers themselves to infiltrate the computer network.

A SolarWinds spokesperson said the company “remains focused on collaborating with customers and experts to share information and work to better understand this issue.”

“It remains early days of the investigation,” the spokesperson said.

Hackers affiliated with the Russian government have been suspected from the start, and Secretary of State Michael Pompeo on Friday provided confirmation in an interview.

“There was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well,” Pompeo said in a radio interview. “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”

On Saturday, President Donald Trump downplayed the hack on Twitter and suggested that China, not Russia, might be responsible, while the acting chairman of the Senate Intelligence Committee, Marco Rubio, said it was “increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.”

A top U.S. cybersecurity agency issued an alert on Thursday saying the hackers posed a “grave risk” to federal, state and local governments, as well as critical infrastructure and the private sector. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, said the attackers were patient, well resourced, and “demonstrated sophistication and complex tradecraft.”

CISA also said it had found evidence of other potential backdoors besides the SolarWinds Orion platform, suggesting there could be entirely different batches of potential victims that haven’t yet been identified.

Microsoft Corp. said on Thursday that 40 of its customers had been hacked, that the attacks were ongoing, and that the number of victims is expected to increase. Among those hit were unnamed cybersecurity companies, government agencies, and government contractors, roughly 80% of which are in the U.S.

Cybersecurity company FireEye Inc. was the first victim to disclose that it had been hacked, on Dec. 8, and said that while investigating its own breach, researchers at the company discovered the SolarWinds backdoor. Microsoft itself said that it found the malicious SolarWinds update within its network, but that it found no evidence of access to “production services or customer data.”