Almost a third of the victims did not run the SolarWinds Corp. software initially considered the main attack path for the hackers, according to investigators and the government agency that investigated the incident. The revelation is fueling concern that the episode exploited vulnerabilities in business software used by millions of people on a daily basis.
Hackers linked to the attack broke into these systems by exploiting known bugs in software products, guessing passwords online and taking advantage of a variety of problems in the way Microsoft's cloud-based software is configured, the researchers said.
Approximately 30% of the private-sector and government victims linked to the campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in an interview.
Attackers “gained access to their targets in a variety of ways. This adversary was creative,” said Wales, whose agency, part of the United States Department of Homeland Security, is coordinating the government’s response. “It is absolutely correct that this campaign should not be considered the SolarWinds campaign.”
Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, at a Senate subcommittee hearing in December. Photograph: Rod Lamkey / CNP / Zuma Press
Corporate investigators are reaching the same conclusion. Last week, computer security company Malwarebytes Inc. said that several of its Microsoft cloud email accounts were compromised by the same attackers who targeted SolarWinds, using what Malwarebytes called “another intrusion vector”. The hackers compromised a Malwarebytes Microsoft Office 365 account and took advantage of a weakness in the software's configuration to gain access to a larger number of email accounts, Malwarebytes said. The company said it does not use SolarWinds software.
The incident demonstrated how sophisticated attackers can jump from one cloud computing account to another by taking advantage of little-known idiosyncrasies in the ways software authenticates with Microsoft’s service, the researchers said. In many of the hacks, the SolarWinds attackers took advantage of known configuration issues in Microsoft's software to trick systems into giving them access to emails and documents stored in the cloud.
A suspected Russian cyberattack on the federal government breached at least six federal departments. Gerald F. Seib of WSJ explains what the hack means for President Joe Biden’s national security efforts. Photo illustration: Laura Kammermann (originally published on December 23, 2020)
SolarWinds itself is investigating whether the Microsoft cloud was the initial entry point for the hackers into its network, according to a person familiar with the SolarWinds investigation, who said it is one of several theories being pursued.
“We continue to collaborate closely with federal law enforcement and intelligence agencies to investigate the full scope of this unprecedented attack,” a SolarWinds spokesman said by email.
“This is certainly one of the most sophisticated actors we’ve tracked in terms of the approach, discipline and variety of techniques they have,” said John Lambert, manager of the Microsoft Threat Intelligence Center.
In December, Microsoft said that the hackers who targeted SolarWinds had accessed Microsoft's own corporate network and viewed internal source code – a security lapse, but not a catastrophic breach, according to security experts. At the time, Microsoft said it “found no evidence that our systems were used to attack other people.”
The hack will take months or more to fully unravel and is raising questions about the trust that many companies place in their technology partners. The US government has publicly blamed Russia, which has denied any responsibility.
The breach has also undermined some of the pillars of modern enterprise computing, in which companies and government offices rely on multiple software vendors to run programs remotely in the cloud or to access their own networks to deliver updates that improve performance and security.
Now companies and government agencies are grappling with the question of how much they can really trust the people who create the software they use.
“Malwarebytes has 100 software vendors,” said Marcin Kleczynski, chief executive of the security company. “How do I know if Zoom or Slack are not next and what should I do? Do we start building software internally?”
Malwarebytes CEO Marcin Kleczynski in 2014. Photograph: Gary Reyes / TNS / Zuma Press
The attack came to light in December, when security experts discovered that hackers had inserted a backdoor into updates of SolarWinds software called Orion, which was widely used in the federal government and by several Fortune 500 companies. The scope and sophistication of the attack surprised investigators almost as soon as they started the investigation.
SolarWinds said it traced the hackers’ activity back to at least September 2019 and that the attack gave the attackers a digital back door into about 18,000 SolarWinds customers.
Wales, of the Cybersecurity and Infrastructure Security Agency, said some victims were compromised before SolarWinds shipped the tainted Orion software about a year ago.
The departments of the Treasury, Justice, Commerce, State, Homeland Security, Labor and Energy have been breached. In some cases, hackers accessed the emails of people in senior positions, officials said. So far, dozens of private-sector institutions have also been identified as compromised in the attack, Wales said, adding that the total is well under 100.
Researchers tracked the SolarWinds hackers’ activity by identifying the tools, online resources and techniques they used. Some US intelligence analysts have concluded that the group is linked to Russia’s foreign intelligence service, the SVR.
Wales said his agency is not aware of any cloud software other than Microsoft’s having been targeted in the attack. And the researchers have not identified another technology company whose products were widely compromised to infect other organizations, as SolarWinds’ were, he said.
The effort to target Microsoft’s cloud software shows the breadth of hackers’ efforts to steal sensitive data. Microsoft is the largest provider of enterprise software in the world and its systems are widely used by companies and government agencies.
“There are many, many different ways to enter the cloud,” said Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator, a cybersecurity think tank. Since many companies have moved to the Microsoft 365 cloud in recent years, it “is now a top target,” he said.
Another security company that does not use SolarWinds software, CrowdStrike Inc., said the same attackers unsuccessfully tried to read its email by taking control of an account used by a Microsoft reseller it worked with. The hackers then tried to use this account to access CrowdStrike’s email.
In December, Microsoft notified CrowdStrike and Malwarebytes that SolarWinds hackers were targeting them. Microsoft then said it identified more than 40 customers affected by the attack. That number has increased since then, said a person familiar with Microsoft’s thinking.
When the SolarWinds hack was first discovered, current and former national security officials quickly concluded that it was one of the worst breaches ever recorded – an operation that went undetected for months or more and allowed suspected Russian spies to access internal emails and other files at various government agencies.
As investigators learned more about the scope of the hack and its reach beyond SolarWinds, authorities and lawmakers began to talk about it in even more dire terms. Last week, President Joe Biden instructed his director of national intelligence, Avril Haines, to conduct a review of Russian aggression against the United States, including the SolarWinds hack.
“This is the biggest cyber intrusion, perhaps, in the history of the world,” said Sen. Jack Reed, a Democrat, earlier this month, during a confirmation hearing for Haines.
Avril Haines at her confirmation hearing before the Senate Intelligence Committee earlier this month. Photograph: Joe Raedle / Pool via CNP / Zuma Press
Wales said the hacking operation was “substantially more significant” than a previous wave of attacks on cloud providers, known as Cloud Hopper and linked to the Chinese government, which is widely considered one of the greatest corporate espionage efforts of all time. The hackers in this campaign were able to compromise the core infrastructure of government and private-sector victims in a way that went beyond that earlier attack, Wales said.
Investigators still believe that the main purpose of the hacking campaign, which the government said is still ongoing, is to collect intelligence by spying on federal agencies and high-value corporate networks – or to compromise other technology companies whose access could enable further attacks.
“We continue to maintain that this is an espionage campaign designed to collect long-term intelligence,” said Wales. “That said, when you compromise an agency’s authentication infrastructure, there is a lot of damage you can do.”
Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.