Suspected Russian hack extended far beyond SolarWinds software, investigators say

Nearly a third of the victims did not run the SolarWinds Corp. software that was initially believed to be the hackers' main avenue of attack, according to investigators and the government agency. The revelation is fueling concern that the episode exploited weaknesses in commercial software used daily by millions.


Hackers associated with the attack broke into these systems by exploiting known bugs in software products, guessing online passwords, and capitalizing on a variety of issues in the way Microsoft Corp.'s cloud-based software is configured, investigators said.

Nearly 30% of the private-sector and government victims associated with the campaign had no direct connection to SolarWinds, Brandon Wales, executive director of the Cybersecurity and Infrastructure Security Agency, said in an interview.

“The attackers reached their targets in various ways. It has been counterproductive,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government's response. “It is absolutely true that this campaign should not be thought of as a SolarWinds campaign.”

Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, during a Senate subcommittee hearing in December.

Rod Lamkey / CNP / Zuma Press

Corporate investigators are arriving at the same conclusion. Last week, computer-security company Malwarebytes Inc. said that many of its Microsoft cloud email accounts were compromised by the same attackers who targeted SolarWinds, using what Malwarebytes called “another intrusion vector.” Malwarebytes said the hackers broke into its Microsoft Office 365 account and took advantage of flaws in the software's configuration to access a large number of email accounts. The company said it does not use SolarWinds software.

Investigators said the incident demonstrated how sophisticated attackers could leap from one cloud-computing account to another, leveraging little-known identity features in the Microsoft service that govern how users authenticate themselves. In many of the break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues to trick the system into giving them access to emails and documents stored in the cloud.

A suspected Russian cyberattack on the federal government has breached at least six cabinet-level departments. WSJ's Gerald F. Seib explains what the hack means for the national-security efforts of President Joe Biden. Photo illustration: Laura Kammermann (Originally published December 23, 2020)

SolarWinds itself is investigating whether Microsoft's cloud was the hackers' initial entry point into its network, which it said is one of several theories, according to a person familiar with the SolarWinds investigation.

“We continue to closely cooperate with federal law enforcement and intelligence agencies to investigate the full scope of this unprecedented attack,” a SolarWinds spokesman said in an email.

“It's definitely one of the most sophisticated actors we've ever tracked in terms of its range of approaches, its discipline and its techniques,” said John Lambert, general manager of Microsoft's Threat Intelligence Center.

In December, Microsoft said that the hackers who targeted SolarWinds had gotten into its own corporate network and looked at internal software source code, a security lapse according to security experts but not a sinister breach. At the time, Microsoft stated that it had “received no indication that our systems were used to attack others.”


The hack will take months or more to fully unravel and is raising questions about the trust that many companies place in their technology partners. The U.S. government has publicly blamed Russia, which has denied responsibility.

The data breach has also shaken some of the pillars of modern corporate computing, in which companies and government offices have moved from running their own networks to running programs remotely in the cloud, and rely on myriad software vendors for updates and security enhancements.

Now corporations and government agencies are struggling with the question of how much they can trust the people who manufacture the software they use.

“Malwarebytes relies on 100 software suppliers,” said Marcin Kleczynski, the company's chief executive officer. “How do I know that Zoom or Slack is not next, and what do I do? Do we start making software at home?”

Malwarebytes CEO Marcin Kleczynski in 2014.

Gary Reyes / TNS / Zuma Press

The attack surfaced in December, when security experts discovered that hackers had inserted a backdoor into an update to SolarWinds software called Orion, which was widely used in the federal government and by a swath of Fortune 500 companies. The scope and sophistication of the attack surprised investigators when they began their inquiry.

SolarWinds has said that it has detected activity from the hackers going back to at least September 2019, and that the attack gave intruders a digital back door into the networks of as many as 18,000 SolarWinds customers.

Mr. Wales of the Cybersecurity and Infrastructure Security Agency said that some victims had been compromised for nearly a year before the corrupted Orion software was deployed by SolarWinds.


The departments of Treasury, Justice, Commerce, State, Homeland Security, Labor and Energy all faced breaches. In some cases the hackers accessed the emails of people in the senior ranks, officials have said. Mr. Wales said that dozens of private-sector institutions have so far also been identified as compromised in the attack.

Investigators track the SolarWinds activity by identifying the tools, online resources and techniques used by the hackers. Some U.S. intelligence analysts have concluded that the group is tied to Russia's foreign intelligence service, the SVR.

Mr. Wales said his agency did not know of any cloud software other than Microsoft's being targeted in the attack. He said investigators have not identified any other technology company whose products were compromised to infect other organizations in the way SolarWinds' were.

The targeting of Microsoft's cloud software indicates the breadth of the hackers' efforts to steal sensitive data. Microsoft is the world's largest commercial software provider, and its systems are widely used by corporations and government agencies.

“There are many, many different ways in,” said Dmitri Alperovitch, executive chairman of the Silverado Policy Accelerator. Because many companies have moved to the Microsoft 365 cloud in recent years, it is “one of the top targets now,” he said.

Another security company that does not use SolarWinds software, CrowdStrike Inc., said that the same attacker unsuccessfully tried to take control of an account used by a Microsoft reseller that worked with it. The hackers attempted to use that account to access CrowdStrike's email.

In December, Microsoft informed both CrowdStrike and Malwarebytes that they had been targeted by the SolarWinds hackers. Microsoft said at the time that it had identified more than 40 customers hit in the attack. That number has increased since then, according to a person familiar with Microsoft's thinking.

When the SolarWinds hack was first exposed, current and former national-security officials quickly concluded that it was one of the worst breaches on record: an intelligence coup that, for many months or longer, gave suspected Russian spies access to internal emails and other files from several government agencies.

As investigators have learned more about the hack's scope and its reach beyond SolarWinds, officials and lawmakers have begun to speak of it in even starker terms. Last week, President Joe Biden instructed his director of national intelligence, Avril Haines, to review Russian intrusions against the U.S., including the SolarWinds hack.

“This is the largest cyber intrusion in the history of the world,” Sen. Jack Reed, a Democrat, said during a confirmation hearing for Ms. Haines earlier this month.

Avril Haines at her confirmation hearing before the Senate Intelligence Committee earlier this month.

Joe Raedle / Pool via CNP / Zuma Press

Mr. Wales said the hacking operation was “significantly more important” than a previous hacking spree against cloud providers, known as Cloud Hopper and linked to the Chinese government, which is widely considered one of the largest corporate-espionage efforts on record. In this campaign, the hackers were able to compromise the infrastructure of government and private-sector victims in a way that dwarfs that attack, Mr. Wales said.

Investigators still believe the hacking campaign's primary purpose, which the government says is ongoing, is to gather information by spying on federal agencies and high-value corporate networks, though it could also compromise other technology companies in ways that lead to further attacks.

“We continue to assess that this is a spy operation designed for long-term intelligence collection,” Mr. Wales said. “That said, when you compromise the authentication infrastructure of an agency, you can do a lot of damage.”


Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]

Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.
