Microsoft has already identified at least 40 government agencies and companies targeted in the massive suspected Russian hack that breached US nuclear agencies in what is being described as the biggest breach in American history.
The software titan said that 80 percent of the victims it has uncovered so far are in the United States and warns that number will rise ‘substantially’ as the scope of the sprawling attack continues to unfold.
A heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US with agencies, companies and think tanks in New York, Washington DC and Texas among the hardest hit.
Microsoft, who confirmed that the UK, Israel, Canada and the United Arab Emirates were also in the cross hairs, has not revealed the names of those infiltrated by the hackers.
The two US agencies responsible for maintaining America’s nuclear weapons stockpile have already said there is evidence they were compromised in the attack.
The attack also breached the Pentagon, FBI, Treasury and State Departments.
Federal authorities are increasingly alarmed about the long-undetected intrusion into computer systems with the nation’s cybersecurity agency warning it poses a ‘grave threat’ to government and private networks.
One US official has already described the attack as the ‘worst hacking case in the history of America’.
Microsoft was breached in the massive suspected Russian campaign that has hit multiple U.S. government agencies
The targets were not limited to government agencies – predominantly defence organisations – but included IT firms, NGOs and think-tanks.
Microsoft President Brad Smith said: ‘This is not “espionage as usual,” even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.’
The Redmond, Washington-based company is a user of Orion, the widely deployed networking management software from SolarWinds Corp, which Russian hackers infected with malware.
One of the people familiar with the hacking spree said the hackers made use of Microsoft cloud offerings while avoiding Microsoft’s corporate infrastructure.
Microsoft did not immediately respond to questions about the technique.
Washington says the attack went undetected for nearly nine months, allowing the hackers free rein across networks, including the Pentagon, FBI, Treasury, State Department and nuclear security agencies, and that the true scale of the stolen information may never be known.
Smith said that this ‘latest serious nation-state cyberattack’ was significantly more sophisticated than others he had seen.
‘The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them,’ Smith wrote.
‘The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft.
‘As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.’
Microsoft identified that 44 percent of the victims were in the information technology sector and 18 percent were government agencies – predominantly defense and national security organisations.
Denial: Russia’s president Vladimir Putin’s government has said it is not behind the massive hack – but experts said its precision, cunning and expertise points directly to the Kremlin
The Pentagon (left) and the FBI (right) were targets. Both have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.
Another 18 percent were think-tanks and NGOs, while 9 percent were government contractors.
The remaining 11 percent was listed simply as ‘other.’
‘Microsoft has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures,’ Smith wrote.
‘This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East. It’s certain that the number and location of victims will keep growing.’
Microsoft’s cyber-security experts used data from its Defender Anti-Virus software to discover a broad ‘supply chain of vulnerability’ provided by people downloading the Orion software containing the attackers’ malware.
‘The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did,’ Smith wrote.
The Orion software is described as a ‘single pane of glass’ which is widely used in the private sector and by government agencies to monitor their systems.
So far, the hackers are known to have at least monitored email or other data within the U.S. departments of Defense, State, Treasury, Homeland Security and Commerce.
As many as 18,000 Orion customers downloaded the updates that contained a back door, SolarWinds has said.
Since the campaign was discovered, software companies have cut off communication from those back doors to the computers maintained by the hackers.
President-elect Joe Biden also vowed a tough response, saying in a statement: ‘Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults’
But the attackers might have installed additional ways of maintaining access, CISA said, in what some have called the biggest hack in a decade.
British government departments using the Orion software include the Home Office, Ministry of Defence, GCHQ and the National Health Service.
The head of Britain’s GCHQ said on Monday that they had not yet found evidence of any breach.
He told the Daily Mail: ‘In terms of the UK’s vulnerabilities, of course we are working at pace with US partners in government and in private sectors who understand what this means.
‘I have not seen any news as yet on the extent to which any customers of FireEye (the cybersecurity firm which uses the SolarWinds software) or the particular instances which affected the US government have had an impact here in the UK.
‘But obviously we will continue to work very closely with them and if we do (discover any UK impact), we will work very quickly to make sure that the most up to date advice is out there.’
Both Microsoft and the Department of Homeland Security (DHS), which said the hackers used multiple methods of entry, are continuing to investigate.
The FBI and other agencies have scheduled a classified briefing for members of Congress Friday.
The U.S. Energy Department also said it has evidence hackers gained access to its networks as part of the campaign.
Politico earlier reported the National Nuclear Security Administration (NNSA), which manages the country’s nuclear weapons stockpile, was targeted.
An Energy Department spokeswoman said malware ‘has been isolated to business networks only’ and has not impacted U.S. national security, including the NNSA.
The DHS said in a bulletin on Thursday the hackers had used other techniques besides corrupting updates of network management software by SolarWinds.
CISA urged investigators not to assume their organizations were safe if they did not use recent versions of the SolarWinds software, while also pointing out that the hackers did not exploit every network they gained access to.
CISA said it was continuing to analyze the other avenues used by the attackers.
The Department of Justice, FBI and Defense Department, among others, have moved routine communication onto classified networks that are believed not to have been breached, according to two people briefed on the measures.
They are assuming that the non-classified networks have been accessed, the people said.
CISA and private companies including FireEye Inc, which was the first to discover and reveal it had been hacked, have released a series of clues for organizations to look for to see if they have been hit.
But the attackers were very careful and deleted logs, the electronic footprints of which files they had accessed, security experts said. That makes it hard to know what has been taken.
Some major companies have said they have ‘no evidence’ that they were penetrated, but in some cases that may only be because the evidence was removed.
Hacked: The Los Alamos National Laboratory in New Mexico conducts the government’s most sensitive and advanced nuclear research
Deterrent: Land-based Minuteman missiles are one of the three prongs of the nuclear triad. Experts now fear the agencies that maintain US nuclear stockpiles have been breached
In most networks, the attackers would also have been able to create false data, but so far it appears they were interested only in obtaining real data, people tracking the probes said.
Meanwhile, members of Congress are demanding more information about what may have been taken and how, along with who was behind it.
The House Homeland Security Committee and Oversight Committee announced an investigation Thursday, while senators pressed to learn whether individual tax information was obtained.
In a statement, President-elect Joe Biden said he would ‘elevate cybersecurity as an imperative across the government’ and ‘disrupt and deter our adversaries’ from undertaking such major hacks.
The White House has not yet commented on the breach which creates a fresh foreign policy problem for President Donald Trump in his final days in office.
‘There will be a price to pay for this,’ vowed Senate Minority Whip Dick Durbin, an Illinois Democrat, in a floor speech on Thursday. ‘This is nothing short of a virtual invasion by the Russians into critical accounts of the federal government.’
‘When adversaries such as Russia torment us, tempt us, breach the security of our nation, we need to respond in kind,’ said Durbin, though noting he was not calling for ‘all-out war’.
Russia has denied it carried out the attack and called the allegations another smear campaign by US media.
Dmitry Peskov, a Kremlin spokesman, said: ‘Once again, I can reject these accusations and once again I want to remind you that it was President [Vladimir] Putin who proposed that the American side agree and conclude agreements [with Russia] on cyber security.’
How hackers used legitimate software updates as camouflage for the ‘SUNBURST’ attack
The U.S. Cybersecurity and Infrastructure Security Agency on Thursday released an alert detailing what it knows about the breach, which has been called the biggest in U.S. history.
CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products.
Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.
The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.
Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.
The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.
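The command-and-control pattern described above (an initial lookup, then regular connections to an IP that was never the DNS answer) is one a defender can hunt for in their own logs. The following is an added example written for this article, not code from CISA, Microsoft or SolarWinds; the log format, host names and every address in it are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic): "<ts> <kind> <host> <value>".
# DNS lines carry "domain=answer_ip"; CONN lines carry "dst_ip:port".
# orion01 models a monitoring server that resolves a first-seen domain and
# then beacons hourly to an IP that differs from the address it was given.
SAMPLE_LOG = """\
2020-06-01T01:00:00 DNS orion01 updates.example-vendor.test=203.0.113.10
2020-06-01T01:00:02 CONN orion01 203.0.113.10:443
2020-06-01T01:30:00 CONN ws17 203.0.113.10:443
2020-06-01T02:00:00 DNS orion01 first-seen-lookup.example.test=198.51.100.7
2020-06-01T02:00:05 CONN orion01 192.0.2.55:443
2020-06-01T03:00:05 CONN orion01 192.0.2.55:443
2020-06-01T04:00:05 CONN orion01 192.0.2.55:443
"""


def parse(log):
    """Turn the constructed log into (timestamp, kind, host, value) tuples."""
    events = []
    for line in log.splitlines():
        ts, kind, host, value = line.split()
        events.append((datetime.fromisoformat(ts), kind, host, value))
    return sorted(events)


def find_unresolved_beacons(log, min_hits=3, tolerance=60.0):
    """Return {(host, ip): hit_count} for hosts that repeatedly connect, at a
    near-constant interval, to an IP that no DNS lookup in the log returned.
    tolerance is the allowed jitter (seconds) between connection gaps."""
    answers = set()                      # every IP any DNS lookup returned
    conns = defaultdict(list)            # (host, dst_ip) -> connection times
    for ts, kind, host, value in parse(log):
        if kind == "DNS":
            answers.add(value.split("=", 1)[1])
        elif kind == "CONN":
            conns[(host, value.rsplit(":", 1)[0])].append(ts)
    findings = {}
    for (host, ip), times in conns.items():
        if ip in answers or len(times) < min_hits:
            continue                     # resolved normally, or too few hits
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if gaps and max(gaps) - min(gaps) <= tolerance:
            findings[(host, ip)] = len(times)   # regular cadence = beacon
    return findings


if __name__ == "__main__":
    for (host, ip), hits in find_unresolved_beacons(SAMPLE_LOG).items():
        print(f"{host}: {hits} regular connections to unresolved {ip}")
```

On real data the same logic runs over DNS and firewall or proxy exports joined on source host; a destination that was handed out by a resolver answer is expected, one that was not and recurs on a fixed cadence deserves a look.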
‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.
CISA said that once inside a network, the hackers seemed focused on gathering information, and would frequently target the emails of IT and security staff to monitor any countermeasures.
Without offering further details, the agency warned that the hackers used ‘other initial access vectors beyond SolarWinds Orion,’ meaning even groups that do not use the network software could be compromised.