As federal authorities and cybersecurity experts rush to identify the full scope of the SolarWinds compromise, the list of known targets grows.
The fallout from the cyberattack on the Texas-based software company appears to be vast, with a slew of powerful U.S. government agencies and businesses seemingly being infected by hackers who are believed to be affiliated with Russia.
SolarWinds says it has identified 18,000 customers potentially affected by the incident, which saw the culprits hijack software updates for a widely used IT monitoring tool called "Orion" to spread malware, seemingly with the intention of espionage.
The consequences of the brazen cyber-assault, which was first discovered by security firm FireEye after it too was infiltrated by the same group, are yet to be understood. But experts fear the hackers' access could be exploited to steal sensitive information or destroy and falsify government data, and warn it could take years to fix.
While the full list of victims is unclear—and expanding almost daily—Microsoft said its teams had identified more than 40 of its customers the attackers had aimed at "more precisely and compromised through additional and sophisticated measures."
It now seems likely the scope of the victims could be broad. Microsoft said the initial list included security, technology and non-governmental organizations (NGOs) alongside the government targets. It said 80 percent of attacks that it logged were U.S. based.
"This is not 'espionage as usual,' even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world," Brad Smith, president of the U.S. tech giant, wrote on Thursday.
"The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. government and the tech tools used by firms to protect them. The attack is ongoing," the executive continued.
In a now-removed "customers" page on its website, SolarWinds said its software was in use by more than 425 firms on the Fortune 500, all branches of the U.S. military, the Centers for Disease Control and Prevention and more. Outside of the U.S. government, it had listed AT&T, MasterCard, the Gates Foundation, Comcast and more.
Analysis is ongoing to determine which companies were impacted by the hack, since the mere fact that an entity used Orion is not evidence that it was actively compromised.
Here is a list of those reportedly impacted so far:
Treasury Department, Commerce Department (Reuters)
On December 13, Reuters reported hackers responsible for the SolarWinds intrusion appeared to have been monitoring internal email traffic tied to the U.S. Treasury and Commerce departments. Officials confirmed a breach and said that they had requested the Cybersecurity and Infrastructure Security Agency (CISA) and FBI investigate.
State Department, Homeland Security, Pentagon (New York Times)
According to The New York Times on December 14, administration officials confirmed that the State Department, Department of Homeland Security and some parts of the Pentagon appeared to have been compromised. Statements from the agencies said they were "aware of the reports" and were "currently assessing the impact."
Department of Energy, Nuclear Security Administration (Politico)
Politico reported December 17 the Energy Department and National Nuclear Security Administration—responsible for overseeing the nuclear weapons stockpile—had some evidence that they were also hacked. The DoE suggested malware had been "isolated to business networks only" and did not impact its national security functions.
Cybersecurity firm FireEye
FireEye, the U.S. security giant that alerted others to the existence of the cyberattack, confirmed on December 8 that it had been infiltrated by a "nation with top-tier offensive capabilities." On December 13, it announced its team had discovered a global intrusion campaign impacting SolarWinds, using malware called Sunburst.
Technology giant Microsoft? (Reuters)
Microsoft confirmed on December 17 that it had found malicious software in its systems that related to the SolarWinds hack, but denied those systems had been used to attack others. Reuters reported that a source said the hackers used Microsoft's cloud products during the attack while "avoiding Microsoft's corporate infrastructure."
A spokesperson for Microsoft said: "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed.
"We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others," the Microsoft spokesperson, Frank Shaw, added.
— Frank X. Shaw (@fxshaw) December 18, 2020
Even while authorities are yet to officially attribute the attack to a hacking unit, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said on Thursday that it was "aware of compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor beginning in at least March 2020," when referring to the SolarWinds hacking incident.
There was a suggestion that the situation could get worse, with the agency warning it had "evidence of additional initial access vectors, other than... SolarWinds Orion." The agency said it believes the threat "poses a grave risk" to the U.S. government.
The Russian Embassy in the U.S. described the claims as "unfounded attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies."
President Donald Trump has remained silent about the alleged Russia-led cyberattack and its consequences. President-elect Joe Biden, who is set to enter the White House in January 2021, released a statement about the hack on Thursday.
Biden said: "A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. Our adversaries should know... I will not stand idly by in the face of cyber assaults on our nation."
