SolarWinds hack victims: From tech companies to a hospital and university

The suspected Russian hackers behind breaches at U.S. government agencies also gained access to major U.S. technology and accounting companies, at least one hospital and a university, a Wall Street Journal analysis of internet records found.

The Journal identified infected computers at two dozen organizations that installed tainted network monitoring software called SolarWinds Orion, which let the hackers in via a covertly inserted backdoor. It gave them potential access to large volumes of sensitive corporate and personal data.

A Kent State University spokeswoman said the school "was aware of the situation and are evaluating this serious matter."

The California Department of State Hospitals installed the backdoor by early August, according to the Journal's analysis. State officials are working with federal and state agencies to address the impact of the SolarWinds backdoor, according to a spokesman for California's Governor's Office of Emergency Services, who declined to comment on specific agencies affected.

A Nvidia spokesman said in a statement the company has "no evidence at this time that Nvidia was adversely affected and our investigation is ongoing."

The Journal gathered digital clues from victim computers collected by the threat-intelligence companies Farsight Security and RiskIQ, then decoded those records to reveal the identities of some of the networks on which the malicious code had been installed. In some cases, the analysis led to the identity of compromised organizations and showed when the code was likely activated, indicating that the hackers had access.

It isn't yet known what the hackers did inside the various organizations, or if they even used the backdoors for many of the companies. But investigators and security experts say that besides internal communications and other government secrets, hackers may have sought emails of corporate executives, files about sensitive technologies under development, and other ways to compromise more systems later.

The uncertainty has left SolarWinds' customers — which include major technology companies, more than 400 Fortune 500 companies and many government agencies — scrambling to determine the fallout and whether the hackers remain inside.

The attack blended extraordinarily stealthy tradecraft, using malicious tools never seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that U.S. businesses and government institutions rely on. Security experts have long feared such an approach, but it had never been used against U.S. targets in such a concerted way.

Government agencies and cybersecurity experts are still working to piece together the massive suspected espionage operation. At least six federal agencies, including the departments of State, Homeland Security, Commerce and Energy, were hacked as part of the campaign.

The Cybersecurity and Infrastructure Security Agency last week published an alert that said the hack was "grave" and ongoing. SolarWinds has released an update that closes the backdoor, and Microsoft Corp. has taken control of part of the hackers' infrastructure to prevent the attack from spreading.

Federal investigators have concluded that the Russian government is likely responsible for the hack in part because of the level of skill involved. Several senators who have received briefings in recent days have openly referred to it as a Russian operation. And on Friday Secretary of State Mike Pompeo became the first Trump administration official to publicly blame Moscow, although President Trump in a tweet Saturday suggested without evidence that China could be responsible.

Moscow has denied responsibility.

"Customers are definitely freaking out," said David Kennedy, whose company, TrustedSec LLC, is investigating the hack. For many companies the concern is whether the attackers stole data or remain undetected within corporate networks, he said. What's more, because the attack dates back many months, some companies may no longer have the forensic data needed to do a complete investigation.

"If this is indeed SVR, as we believe it is, those guys are incredibly hard to kick out of networks," said Dmitri Alperovitch, a cybersecurity expert and co-founder of the Silverado Policy Accelerator think tank, referring to the Russian Foreign Intelligence Service.

Some organizations that maintain better records of activity on their systems will likely be able to determine whether somebody walked through the Russian backdoor onto their networks, said Mr. Alperovitch, who also co-founded cybersecurity firm CrowdStrike Holdings Inc. But for others, especially smaller or medium-size firms, it will be a difficult and expensive task that many are likely to ignore — meaning Russia could maintain a presence in some networks indefinitely.

"They probably are just going to remove the backdoor and move on," Mr. Alperovitch said.

For many corporate victims, the looming fear now is that the hackers could use them as an avenue to get to their clients. For example, Microsoft found in research released Thursday that nearly half its more than 40 customers hit in the attack were information technology service companies, which often have broad access to their customers' networks.

Microsoft, itself a SolarWinds customer, said last week it had also detected malicious software related to the hack on its own network but "no indications that our systems were used to attack others," a company spokeswoman said. The company's investigation continues.
