At least 200 organizations, including government agencies and companies around the world, have been hacked as part of a suspected Russian cyber-attack that implanted malicious code in a widely used software program, said a cybersecurity firm and three people familiar with ongoing investigations.
The number of actual hacking victims has been one of many unanswered questions surrounding the cyber-attack, which used a backdoor in SolarWinds Corp.’s Orion network management software as a staging ground for further attacks.
As many as 18,000 SolarWinds’ customers received a malicious update that included the backdoor, but the number that was actually hacked — meaning the attackers used the backdoor to infiltrate computer networks — is likely to be far fewer.
Recorded Future Inc., a cybersecurity firm based in Massachusetts, has identified 198 victims that were hacked using the SolarWinds backdoor, said threat analyst Allan Liska. Three other people said the inquiry so far has determined that the hackers further compromised at least 200 victims, moving within the computer networks or attempting to gain user credentials — what cybersecurity experts call “hands on keyboard” activity. The final number could rise from there.
Neither Recorded Future, nor the people familiar with the inquiry, provided the identities of victims. The number is expected to grow as the wide-ranging investigation continues. The hackers’ motive remains unknown, and it’s not clear what they reviewed or stole from the computer networks they infiltrated.
Of the roughly 18,000 SolarWinds customers that received the infected update, more than 1,000 saw the malicious code contact a so-called second-stage “command and control” server operated by the hackers, giving them the option to push further into the network, according to publicly available data and the three people. Command and control servers are used by hackers to manage malicious code once it’s inside a target network. Of those more than 1,000, investigators have so far determined that at least 200 were further hacked.
The next step would be for the hackers themselves to infiltrate the computer network.
A SolarWinds spokesperson said the company “remains focused on collaborating with customers and experts to share information and work to better understand this issue.”
“It remains early days of the investigation,” the spokesperson said.
Hackers affiliated with the Russian government have been suspected from the start, and Secretary of State Michael Pompeo on Friday provided confirmation in an interview.
“There was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. government systems, and it now appears systems of private companies and companies and governments across the world as well,” Pompeo said in a radio interview. “This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”
On Saturday, President Donald Trump downplayed the hack on Twitter and suggested that China, not Russia, might be responsible, while the acting chairman of the Senate Intelligence Committee, Marco Rubio, said it was “increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history.”