The Russia-linked hackers behind last year’s compromise of a wide swath of the U.S. government and scores of private companies, including SolarWinds Corp. SWI 0.43% , have stepped up their attacks in recent months, breaking into technology companies in an effort to steal sensitive information, cybersecurity experts said.
In a campaign that dates back to May of this year, the hackers have targeted more than 140 technology companies including those that manage or resell cloud-computing services, according to new research from Microsoft Corp. MSFT -0.51% The attack, which was successful with as many as 14 of these technology companies, involved unsophisticated techniques like phishing or simply guessing user passwords in hopes of gaining access to systems, Microsoft said.
“This recent activity is another indicator that Russia is trying to gain long-term, systematic access to a variety of points in the technology supply chain,” said Tom Burt, Microsoft’s corporate vice president for customer security and trust, according to a blog post provided ahead of the announcement by Microsoft on Monday.
Security experts say last year’s SolarWinds incident was concerning because it showed how a compromise at one widely used link in the technology supply chain could be made into a jumping off point for further attacks. After government officials attributed it to Russia’s foreign intelligence service, the Biden administration in April punished Moscow for the attack and other alleged malicious cyber activity with financial sanctions and diplomatic expulsions.
That doesn’t appear to have deterred the hackers. Microsoft says it observed the group linked to the SolarWinds attack targeting 609 companies 22,868 times between July 1 and Oct. 19 of this year. That is more attempts than Microsoft observed from all government-linked hackers in the previous three years, Mr. Burt said.
The intrusion at SolarWinds, which went undiscovered for more than a year, was part of a hacking campaign that gave intruders footholds in at least nine federal agencies and 100 private companies. Microsoft itself and the cybersecurity company FireEye were compromised during the incident.
But not all of the break-ins involved SolarWinds software. Government officials say 30% of the victims didn’t use SolarWinds products.
The hack is regarded as one of the U.S.’s worst intelligence failures in years. Moscow has denied involvement. A representative for the Russian embassy in Washington didn’t immediately respond to a message seeking comment.
The latest disclosure of Russia’s alleged activities comes as the Biden administration has sought to curtail Moscow’s cyber aggression through a variety of means, including ongoing bilateral meetings intended to address a glut of ransomware attacks from Russian cybercriminal gangs on critical American infrastructure and businesses. Officials have offered mixed views on whether Moscow has cracked down on those criminal groups in response to U.S. pressure.
A U.S. government official briefed on Microsoft’s findings said the latest intrusion attempts appeared to be largely routine hacking handiwork from Russia.
“Based on the details in Microsoft’s blog, the activities described were unsophisticated password spray and phishing, run-of-the mill operations for the purpose of surveillance that we already know are attempted every day by Russia and other foreign governments,” the U.S. government official said.
The official said the attempted intrusions “could have been prevented if the cloud service providers had implemented baseline cybersecurity practices, including multifactor authentication,” referring to account features that require verifying a login with a code sent to a phone or other device.
SolarWinds, a seller of network management software, remains unsure of how it was first breached, but company executives and investigators have said that the initial point of entry could have been the same type of unsophisticated techniques that Microsoft has observed in this more recent activity.
Supply chain cybersecurity has drawn unprecedented interest in Washington over the past several months, in part due to the devastating and wide-ranging impact of the SolarWinds compromise. Last week, the U.S. House of Representatives passed a bill 412-2 that would require the Department of Homeland Security to issue guidance to federal contractors asking them to submit details of software in their own supply chains—including origins of technology—to DHS for potential review.
The congressional action follows an executive order signed by President Biden in May, also shaped in part by the SolarWinds breach, that created baseline cybersecurity standards for U.S. agencies and their software contractors, including mandates to use multifactor authentication and data encryption.
“The SolarWinds incident was a turning point for our nation,” Gen. Paul Nakasone, the director of the National Security Agency and U.S. Cyber Command, said at a conference earlier this month, calling it a “significant intrusion by a foreign adversary that was trying to do our nation harm.”
Write to Robert McMillan at [email protected] and Dustin Volz at [email protected]
Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
