
SolarWinds hackers broke into U.S. cable firm and Arizona county, web records show

Published 12/18/2020, 11:27 AM
Updated 12/18/2020, 03:31 PM
© Reuters. FILE PHOTO: SolarWinds Corp. banner hangs on the company's IPO at the NYSE in New York

By Jack Stubbs and Ryan McNeill

LONDON (Reuters) - Suspected Russian hackers accessed the systems of a U.S. internet provider and a county government in Arizona as part of a sprawling cyber-espionage campaign disclosed this week, according to an analysis of publicly-available web records.

The hack, which hijacked ubiquitous network management software made by SolarWinds Corp to compromise a raft of U.S. government agencies and was first reported by Reuters, is one of the biggest ever uncovered and has sent security teams around the world scrambling to contain the damage.

The intrusions into networks at Cox Communications and the local government in Pima County, Arizona, show that alongside victims including the U.S. departments of Defence, State, and Homeland Security, the hackers also spied on less high-profile organisations.

A spokesman for Cox Communications said the company was working "around the clock" with the help of outside security experts to investigate any consequences of the SolarWinds compromise. "The security of the services we provide is a top priority," he said.

In emailed comments sent to Reuters, Pima County Chief Information Officer Dan Hunt said his team had followed U.S. government advice to immediately take SolarWinds software offline after the hack was discovered. He said investigators had not found any evidence of a further breach.

Reuters identified the victims by running a script, released on Friday by researchers at Moscow-based cybersecurity firm Kaspersky (https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862), to decode online web records left behind by the attackers.

The type of web record, known as a CNAME, includes an encoded unique identifier for each victim and shows which of the thousands of "backdoors" available to them the hackers chose to open, said Kaspersky researcher Igor Kuznetsov.

"Most of the time these backdoors are just sleeping," he said. "But this is when the real hack begins."

The CNAME records relating to Cox Communications and Pima County were included in a list of technical information published by U.S. cybersecurity firm FireEye (NASDAQ:FEYE) Inc (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html), which was the first victim to discover and reveal it had been hacked.

John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decode the CNAME records published by FireEye and found they connected to Cox Communications and Pima County.

The records show that the backdoors at Cox Communications and Pima County were activated in June and July this year, the peak of the hacking activity so far identified by investigators.

It is not clear what, if any, information was compromised.

SolarWinds, which disclosed its unwitting role at the centre of the global hack on Monday, has said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.

As the fallout continued to roil Washington on Thursday, with a breach confirmed at the U.S. Energy Department, U.S. officials warned that the hackers had used other attack methods and urged organisations not to assume they were protected if they didn't use recent versions of the SolarWinds software.

Microsoft (NASDAQ:MSFT), which was one of the thousands of companies to receive the malicious update, said it had so far notified more than 40 customers whose networks were further infiltrated by the hackers.

Around 30 of those customers were in the United States, it said, with the remaining victims found in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates. Most were information technology companies, along with some think tanks and government organisations.

"It's certain that the number and location of victims will keep growing," Microsoft President Brad Smith said in a blog post (https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye).

© Reuters. Exterior view of SolarWinds headquarters in Austin

"The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion."
