As the United States comes to grips with a far-reaching Russian cyberattack on federal agencies, private corporations and the nation’s infrastructure, new evidence has emerged that the hackers hunted their victims through multiple channels.
The most significant intrusions discovered so far piggybacked on software from SolarWinds, the Austin, Texas-based company whose updates the Russians compromised. But new evidence from the security firm CrowdStrike suggests that companies that sell software on Microsoft’s behalf were also used to break into customers of Microsoft’s Office 365 software.
Because resellers are often entrusted to set up and maintain clients’ software, they — like SolarWinds — have been an ideal front for Russian hackers and a nightmare for Microsoft’s cloud customers, who are still assessing just how deep into their systems Russia’s hackers have crawled.
“They couldn’t get into Microsoft 365 directly, so they targeted the weakest point in the supply chain: the resellers,” said Glenn Chisholm, a founder of Obsidian, a cybersecurity firm.
CrowdStrike confirmed Wednesday that it was also a target of the attack. In CrowdStrike’s case, the Russians did not use SolarWinds but a Microsoft reseller, and the attack was unsuccessful. A CrowdStrike spokeswoman, Ilina Dimitrova, declined to elaborate beyond a company blog post describing the attempted attack.
The approach is not unlike the 2013 attack on Target in which hackers got in through the retailer’s heating and cooling vendor.
The latest Russian attacks, which are thought to have begun last spring, have exposed a substantial blind spot in the software supply chain. Companies can track phishing attacks and malware all they want, but as long as they are blindly trusting vendors and cloud services like Microsoft, Salesforce Google’s G-Suite, Zoom, Slack, SolarWinds and others — and giving them broad access to employee email and corporate networks — they will never be secure, cybersecurity experts say.
“These cloud services create a web of interconnections and opportunity for the attacker,” Chisholm said. “What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need 2021 defenses.”
Some reports have confused the latest development with a breach of Microsoft itself. But the company said it stood by its statement last week that it was not hacked, nor was it used to attack customers.
But the CrowdStrike discovery shows how the Russian hackers used its resellers to target its customers indirectly. CrowdStrike said in a blog post Wednesday that hackers tried to read the company’s emails from a reseller account but were not able to gain access to its data or systems.
U.S. officials did not detect the attack until recent weeks, and then only when a private cybersecurity firm, FireEye, alerted U.S. intelligence that the hackers had evaded layers of defenses.
It was evident that the Treasury and Commerce departments, the first agencies reported to be breached, were only part of a far larger operation whose sophistication stunned even experts who have been following a quarter-century of Russian hackings on the Pentagon and American civilian agencies.
The National Security Agency — the premier U.S. intelligence organization that both hacks into foreign networks and defends national security agencies from attacks — apparently did not know of the breach in the network-monitoring software made by SolarWinds until it was notified last week by FireEye. The National Security Agency itself uses SolarWinds software.
Two of the most embarrassing breaches came at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the U.S. election system last month.
The Russian hackers behind the attack broke into the email system used by top officials at the Treasury Department in July.
Computers at at least two dozen organizations — including Cisco, Intel, Nvidia, Deloitte and the California Department of State Hospitals — appear to have been hacked, The Wall Street Journal reported. Some of the groups, like Intel and Deloitte, said the attack did not affect their most delicate systems.