Suspected Russian Hackers Targeted Sensitive Communications

The suspected Russian hackers that attacked U.S. companies and government agencies were interested in accessing “sensitive but unclassified communications” mostly stored on Microsoft Corp. products, according to the U.S. Department of Homeland Security’s top cybersecurity official.

Brandon Wales, the acting director of DHS’s Cybersecurity and Infrastructure Security Agency, said in a speech on Wednesday that the massive hacking operation was believed to be “a long-term intelligence gathering operation” that was largely designed to compromise and gain access to the communications “primarily housed online in Microsoft Office 365 cloud environments from its victims.”

Wales’s comments provided new detail into an attack that was first disclosed in December. The hackers, who U.S. officials believe are associated with the Russian government, inserted malicious code into widely used software from Texas-based SolarWinds Corp. in order to break into company and government networks. SolarWinds has said that as many as 18,000 customers received an update containing the malicious code though it is believed that a relatively small fragment were targeted for further infiltration by the hackers.

In addition, the hackers used other means besides SolarWinds’s software to breach victims’ computers. Wales has previously said that about 30% of private-sector and government victims didn’t run the affected SolarWinds’s software, according to the Wall Street Journal.

“SolarWinds was one of the ways in which the adversary was able to gain access to networks but it was not the only mechanism,” Wales said in his speech on Wednesday. “They used a variety of other, in some cases more traditional tools, cyber-attacks, like password spraying and brute force attacks and then some other ways of targeting through resellers and manged service providers.”

SolarWinds Chief Executive Officer Sudhakar Ramakrishna said in a Wednesday blog post that hackers compromised the company’s Office 365 environment. “While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365,” he wrote.

Targets of the suspected Russian attack have included the departments of State, Treasury, Homeland Security, Commerce and Energy. The hackers also broke into the Department of Justice’s email system and potentially accessed about 3% of the Office 365 mailboxes in use. A representative for Microsoft Corp. didn’t immediately respond to a request for comment.

The cyber-attack “is a primary area of focus for the agency and our federal partners right now and will likely to continue to be so for several month to come,” Wales said.

©2021 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.