LONDON (Reuters) – Suspected Russian hackers gained access to the systems of a U.S. internet service provider and a county government in Arizona as part of the massive cyber espionage campaign that came to light this week, according to an analysis of publicly available web records.
The hack, which hijacked the widely used network management software made by SolarWinds Corp to compromise a series of U.S. government agencies and was first reported by Reuters, is one of the largest ever uncovered and has sent security teams around the world scrambling to contain the damage.
The intrusions into the networks of Cox Communications and the local government of Pima County, Arizona, show that alongside the victims, including the US departments of Defense, State and Homeland Security, hackers also spied on less prestigious organizations.
A spokesperson for Cox Communications said the company was working “around the clock” with the help of outside security experts to investigate the consequences of the SolarWinds compromise. “The safety of the services we provide is a top priority,” he said.
In comments emailed to Reuters, Pima County Chief Information Officer Dan Hunt said his team had followed the U.S. government's advice to take the SolarWinds software offline immediately after the hack was discovered. He said investigators had found no evidence of a further breach.
Reuters identified the victims by running a decoding script released on Friday by researchers at Moscow-based cybersecurity firm Kaspersky to decode web records left behind by the attackers.
The type of web record, known as a CNAME record, contains a uniquely encoded identifier for each victim and shows which of the thousands of "backdoors" available to them the hackers chose to open, Kaspersky researcher Igor Kuznetsov said.
"Most of the time, those backdoors are just sleeping," he said. "But that's when the real hack begins."
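The decoding step described above, as an added example that is not Reuters', Kaspersky's or FireEye's code: a small Python pipeline that takes a list of hostnames in the form the SolarWinds implant generated (a long encoded label under avsvmcloud.com), strips the leading victim-id block, decodes the substitution-encoded domain fragment and matches the result against a watch list of organizations. The substitution alphabet, the shift of four positions and the "0" escape for the characters `0_-.` follow the published analyses of the sample as the editor recalls them and should be treated as assumptions to check against a published decoder; the 16-character id prefix length, the watch-list domains and the sample records (built here by encoding made-up domains) are likewise constructed for the example. The variant of the encoding that starts with "00" and uses a different, base32-like scheme is not covered and is reported as undecodable.

```python
"""Decode per-victim identifiers embedded in SUNBURST-style DNS labels.

Editor's added example, not code from the article or the firms it names.
Alphabet, shift and escape handling are recalled from public analyses of the
sample and are assumptions; verify against a published decoder before use.
"""
import random

SUBST = "rq3gsalt6u1iyfzop572d49bnx8cvmkewhj"   # 26 letters + digits 1-9
ESCAPED = "0_-."                                  # need a '0' escape prefix
SHIFT = 4
DGA_SUFFIX = ".avsvmcloud.com"
ID_PREFIX_LEN = 16   # assumption: fixed-length victim/machine id block


def encode_fragment(fragment, rng=None):
    """Encode a domain fragment the way the implant is understood to do it.
    Used here only to build constructed sample records. SUBST characters
    shift forward by SHIFT; ESCAPED characters become '0' plus a SUBST
    character whose index mod 4 selects the escaped character."""
    rng = rng or random.Random(0)
    out = []
    for c in fragment:
        if c in SUBST:
            out.append(SUBST[(SUBST.index(c) + SHIFT) % len(SUBST)])
        elif c in ESCAPED:
            k = rng.randrange(0, len(SUBST) // len(ESCAPED))   # 0..7
            out.append("0" + SUBST[ESCAPED.index(c) + len(ESCAPED) * k])
        else:
            raise ValueError(f"{c!r} is not representable in this scheme")
    return "".join(out)


def decode_fragment(encoded):
    """Invert encode_fragment. Returns None for input that is not in the
    substitution form, e.g. the '00'-prefixed base32-like variant."""
    out = []
    i = 0
    while i < len(encoded):
        c = encoded[i]
        if c == "0":
            i += 1
            if i >= len(encoded) or encoded[i] not in SUBST:
                return None
            out.append(ESCAPED[SUBST.index(encoded[i]) % len(ESCAPED)])
        elif c in SUBST:
            out.append(SUBST[(SUBST.index(c) - SHIFT) % len(SUBST)])
        else:
            return None
        i += 1
    return "".join(out)


def decode_record(hostname):
    """Strip the DGA suffix and the assumed id block, decode what remains."""
    host = hostname.strip().rstrip(".").lower()
    if not host.endswith(DGA_SUFFIX):
        return None
    label = host.split(".")[0]
    if len(label) <= ID_PREFIX_LEN:
        return None
    return decode_fragment(label[ID_PREFIX_LEN:])


def match_victims(records, watchlist):
    """Map each watch-list domain to the decoded fragments that match it.
    Fragments can be partial, so substring matching runs both ways."""
    hits = {}
    for rec in records:
        frag = decode_record(rec)
        if not frag or len(frag) < 4:
            continue
        for org in watchlist:
            if frag in org or org in frag:
                hits.setdefault(org, []).append(frag)
    return hits


def build_sample_records():
    """Constructed sample records (not real victim data): dummy id block,
    fragments produced by encode_fragment above."""
    dummy_id = "a" * ID_PREFIX_LEN
    rng = random.Random(7)
    fragments = ["corp.example-county.gov", "ad.example-isp.net", "lab.test"]
    return [f"{dummy_id}{encode_fragment(f, rng)}.appsync-api.us-west-2{DGA_SUFFIX}"
            for f in fragments]


if __name__ == "__main__":
    watch = ["example-county.gov", "example-isp.net"]   # constructed
    for rec in build_sample_records():
        print(rec, "->", decode_record(rec))
    print(match_victims(build_sample_records(), watch))
```

In practice the records come from a published indicator list or passive DNS rather than from `build_sample_records`, and a single organization can appear as several fragments because long domains were split across queries; the substring matching in `match_victims` is there to catch those partial fragments.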
CNAME records relating to Cox Communications and Pima County were included in a list of technical indicators published by U.S. cybersecurity firm FireEye Inc, the first victim to discover and disclose that it had been hacked.
John Bambenek, security researcher and chairman of Bambenek Consulting, said he also used the Kaspersky tool to decode CNAME records released by FireEye and found they were connected to Cox Communications and Pima County.
The records show that the Cox Communications and Pima County backdoors were activated in June and July of this year, the period investigators have so far identified as the peak of the hacking activity.
It is not clear what information, if any, was compromised.
SolarWinds, which on Monday disclosed its unwitting role at the center of the global hacking campaign, said that up to 18,000 customers of its Orion software had downloaded a compromised update containing malicious code planted by the attackers.
As the fallout continued to rock Washington on Thursday, with the U.S. Department of Energy confirming it had been breached, U.S. officials warned that the hackers had used other methods of attack as well and urged organizations not to assume they were safe simply because they did not run recent versions of the SolarWinds software.
Microsoft, which was one of thousands of companies to receive the malicious update, said it had so far notified more than 40 customers whose networks the hackers had gone on to infiltrate further.
About 30 of those customers were in the United States, it said, with the remaining victims in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates. Most were information technology companies, along with some think tanks and government organizations.
"It is certain that the number and location of victims will continue to increase," Microsoft President Brad Smith said in a blog post.
“The installation of this malware allowed attackers to track and choose from among these clients which organizations they wanted to attack more, which appears to have been done in a narrower and more targeted manner.”