As the United States tackles a large-scale Russian cyberattack on federal agencies, private businesses and the country’s infrastructure, new evidence has emerged that hackers have hunted their victims through multiple channels.
The most significant intrusions discovered so far have relied on software from SolarWinds, the Austin-based company whose updates have been compromised by the Russians. But new evidence from security firm CrowdStrike suggests that companies selling software on Microsoft’s behalf have also been used to penetrate customers of Microsoft’s Office 365 software.
Because resellers are often responsible for configuring and maintaining customer software, they – like SolarWinds – have been an ideal front for Russian hackers and a nightmare for Microsoft’s cloud customers, who may never know how extensively the Russian hackers have explored their systems.
“They couldn’t get directly into Microsoft 365, so they targeted the weakest point in the supply chain: resellers,” said Glenn Chisholm, founder of Obsidian, a cybersecurity company.
CrowdStrike confirmed on Wednesday that it was also the target of the attack. In the case of CrowdStrike, the Russians did not use SolarWinds but a Microsoft reseller and the attack failed. CrowdStrike spokeswoman Ilina Dimitrova declined to expand beyond a corporate blog post describing the attempted attack.
The approach is no different from the 2013 attack on Target in which hackers entered through the retailer’s heating and air conditioning supplier.
The latest Russian attacks, believed to have started last spring, have revealed a substantial blind spot in the software supply chain. Businesses can track phishing and malware attacks as much as they want, but as long as they blindly trust vendors and cloud services like Microsoft, Salesforce, Google’s G Suite, Zoom, Slack, SolarWinds and others, and give them broad access to employee and corporate email and networks, they will never be secure, cybersecurity experts say.
“These cloud services create a network of interconnections and opportunities for the attacker,” Mr. Chisholm said. “What we’re seeing right now is a new wave of modern attacks on these modern cloud platforms, and we need 2021 defenses.”
Some reports have confused the latest development with a breach by Microsoft itself. But the company said it stands by its statement from last week that it had not been hacked or used to attack customers.
But the CrowdStrike discovery shows how Russian hackers used Microsoft’s resellers to indirectly target its customers. CrowdStrike said in a blog post on Wednesday that hackers attempted to read the company’s emails through a reseller account, but were unable to access its data or systems.
U.S. officials only detected the attack in recent weeks, and it was not until a private cybersecurity firm, FireEye, alerted U.S. intelligence services that they learned hackers had evaded layers of defense.
It was evident that the Treasury and Commerce Departments, the first agencies reported to have been breached, were only part of a much larger operation whose sophistication stunned even experts who followed a quarter of a century of Russian hacks on the Pentagon and US civilian agencies.
The National Security Agency – the premier U.S. intelligence organization, responsible both for hacking foreign networks and for defending national security agencies against attacks – apparently did not know about the breach of the network monitoring software created by SolarWinds until it was notified last week by FireEye. The National Security Agency itself uses the SolarWinds software.
Two of the most embarrassing breaches have occurred at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the US electoral system last month.
Russian hackers behind the attack broke into the messaging system used by senior Treasury Department officials in July.
The computers of at least two dozen organizations – including Cisco, Intel, Nvidia, Deloitte and the California Department of State Hospitals – appear to have been hacked, the Wall Street Journal reported. Some of them, such as Intel and Deloitte, said the attack did not affect their most sensitive systems.