The worst-ever hack against U.S. government agencies may be even more widespread than originally believed, according to a report from Microsoft released Thursday.
The tech giant, which has helped respond to the breach, revealed it had identified more than 40 government agencies, think tanks, non-governmental organizations and IT companies infiltrated by the hackers. It said four in five were in the United States — nearly half of them tech companies — with victims also in Canada, Mexico, Belgium, Spain, the United Kingdom, Israel and the United Arab Emirates.
Of the targets, nearly 44% are in the IT sector; government agencies make up around 18% of the hacked organizations, with think tanks and government contractors making up 18% and 9%, respectively.
Hackers originally implanted malicious code into software updates from SolarWinds, a Texas-based company used by a wide range of federal agencies and private companies alike to manage their networks.
In a document filed Monday to the Securities and Exchange Commission, SolarWinds said as many as 18,000 organizations downloaded the corrupted files. While it appears SolarWinds’ customer list was removed from its website in the wake of the hack, multiple outlets have reported the company’s clientele includes at least 425 of the world's Fortune 500 companies and 10 of the nation’s top telecom firms.
The breach, which was only recently discovered, has been underway since at least March of this year. Officials have slowly acknowledged the widespread nature of the attack, so far only confirming that the Department of Energy and Department of Commerce were targeted. The U.S. Departments of Defense, State, Treasury, and Homeland Security have been identified as possibly compromised agencies.
Microsoft’s data indicates a much more devastating attack is still underway.
In a stark warning to officials, the company said the breach “is effectively an attack on the United States and its government and other critical institutions, including security firms.”
“As Microsoft cybersecurity experts assist in the response, we have reached the same conclusion,” the statement read in part. “The attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. Government and the tech tools used by firms to protect them.”
“This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” the report continued in part. “The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.”
The company itself was among the targets, confirming Thursday evening it found corrupted binaries which were isolated and removed. Microsoft has not yet found any evidence that its customer data was breached, nor has it discovered any indications that the corrupted software was used to attack other systems from within the company. The investigation is ongoing.
Cyber experts believe Russia is behind the attack, although this has not yet been confirmed.
The Russian Foreign Ministry has denied responsibility for the attack, writing in a post on Facebook that the allegations are “groundless attempts by the American media to accuse Russia of hacker attacks on US government bodies.”
The Associated Press contributed to this report.