As the United States grapples with a far-reaching cyberattack against federal agencies, private corporations, and the country’s infrastructure, new evidence has emerged that hackers hunted their victims through multiple channels.
The most significant intrusions discovered so far were in software from SolarWinds, the Austin-based company whose updates were compromised by hackers. But new evidence from security firm CrowdStrike suggests that companies selling software on behalf of Microsoft were also used to break into customers of Microsoft’s Office 365 software.
Because resellers are often entrusted with configuring and maintaining customers’ software, they, like SolarWinds, have been an ideal front for hackers and a nightmare for Microsoft’s cloud customers, who are still assessing how deeply the hackers have gotten into their systems.
“They couldn’t directly access Microsoft 365, so they targeted the weakest point in the supply chain: resellers,” said Glenn Chisholm, founder of Obsidian, a cybersecurity company.
CrowdStrike confirmed Wednesday that it was also a target of the attack. In the CrowdStrike case, the hackers did not use SolarWinds but a Microsoft reseller, and the attack was unsuccessful. A CrowdStrike spokeswoman, Ilina Dimitrova, declined to elaborate beyond a company blog post describing the attempted attack.
The approach is no different from the 2013 attack on Target, in which hackers broke in through the retailer’s heating and cooling provider.
The latest cyberattacks, believed to have started last spring, have exposed a substantial blind spot in the software supply chain. Businesses can track phishing and malware attacks all they want, but as long as they blindly trust cloud providers and services like Microsoft, Salesforce, Google’s G Suite, Zoom, Slack, SolarWinds and others, and give them broad access to corporate and employee email and networks, they will never be secure, cybersecurity experts say.
“These cloud services create a network of interconnections and opportunities for the attacker,” Chisholm said. “What we are witnessing now is a new wave of modern attacks against these modern cloud platforms, and we need defenses in 2021.”
Some reports have mistaken the latest development for a breach by Microsoft itself. But the company said it was standing by its statement from last week that it was not hacked or used to target customers.
But CrowdStrike’s discovery shows how hackers used Microsoft’s resellers to indirectly target Microsoft’s customers. CrowdStrike said in a blog post Wednesday that hackers tried to read the company’s emails through a reseller account, but were unable to access its data or systems.
US officials did not detect the attack until recent weeks, and then only after a private cybersecurity company, FireEye, alerted US intelligence that the hackers had evaded layers of defenses.
It became evident that the Departments of the Treasury and Commerce, the first agencies reported as having been breached, were just part of a much larger operation whose sophistication surprised even the experts who have been following a quarter-century of attacks on the Pentagon and American civilian agencies.
The National Security Agency, the main American intelligence organization that hacks foreign networks and defends national security agencies from attacks, apparently did not know of the breach in network monitoring software created by SolarWinds until it was notified last week by FireEye. The National Security Agency itself uses SolarWinds software.
Two of the most embarrassing breaches occurred at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the US electoral system last month.
The hackers behind the attack broke into the email system used by senior Treasury Department officials in July.
The computers of at least two dozen organizations, including Cisco, Intel, Nvidia, Deloitte and the California Department of Hospitals, appear to have been hacked, The Wall Street Journal reported. Some of the groups, such as Intel and Deloitte, said the attack did not affect their most sensitive systems.