Global security teams assess impact of suspected Russian cyber attack

LONDON/WASHINGTON (Reuters) - Global security teams moved on Monday to contain the fallout of a widespread cyberattack by suspected Russian hackers, who have been able to spy on the customers of U.S. information technology company SolarWinds unnoticed for more than eight months.

The U.S. Department of Homeland Security issued an emergency warning on Sunday, ordering users to disconnect and disable SolarWinds software which it said had been compromised by “malicious actors.”

The U.S. warning came after Reuters reported that suspected Russian hackers had used hijacked software updates to break into multiple American government agencies, including the Treasury and Commerce departments.

Russia denied having any connection to the attacks.

The potential scale of the compromise is enormous. SolarWinds boasts 300,000 customers, including the majority of the United States’ Fortune 500 companies, and some of the most sensitive agencies in the U.S. government - including the Pentagon, the National Security Agency, and the White House.

Two people familiar with the investigation told Reuters that any organisation running an updated version of the company’s Orion network management software would have had a “backdoor” installed in their computer systems by the attackers.

“After that, it’s just a question of whether the attackers decide to exploit that access further,” said one of the sources.

However initial indications suggest that the hackers were discriminating about who they chose to break into, according to two people familiar with the wave of corporate cybersecurity investigations being launched Monday morning.

One executive said his company was hunting for SolarWinds-related compromises but had found “surprisingly little.”

“We are seeing some things light up, but not what I would have thought was the market penetration of SolarWinds,” he said.

Another person familiar with a second company’s investigation into the hack said that the hackers appeared mission-focused.

“What we see is far fewer than all the possibilities,” he said. “They are using this like a scalpel.”

SolarWinds has declined to put a figure on the number of customers affected by the breach, but said the attack appeared to be “narrow, extremely targeted, and manually executed.”

Investigators around the world are now scrambling to find out who was hit.

FireEye, a prominent cybersecurity company that was breached in connection with the incident, said in a blog post here that other targets included "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East."

Microsoft said in a blog post here they had first seen malicious copies of the SolarWinds software deployed by the hackers last March.

In Britain, where publicly-available SolarWinds sales documents show multiple government departments use the company’s software, a spokesman for Prime Minister Boris Johnson said investigations were ongoing.

“The National Cyber Security Centre is working to assess any UK impact, but we’re not aware of any UK-related impact at this time,” the spokesman told reporters.

Kremlin spokesman Dmitry Peskov said the allegations reported by Reuters and other media outlets were false.

“If there have been attacks for many months, and the Americans could not do anything about it, it is probably not worth immediately groundlessly blaming the Russians,” he said. “We didn’t have anything to do with it.”

Reporting by Elizabeth Piper and Jack Stubbs in London, Raphael Satter in Washington, and Dmitry Antonov and Gabrielle Tétrault-Farber in Moscow; Editing by Jonathan Oatis