The alleged Russian hacking campaign zeroed in on more than 40 organizations, Microsoft’s president said Thursday.
The campaign, which U.S. officials think is the work of Russian intelligence, started in March, though it was discovered only last week, and has torn into multiple federal agencies.
A multi-agency statement described it this week as “ongoing,” leaving open the question of how many organizations were compromised and to what extent.
Microsoft’s statement is the first to provide a detailed view of how severe the hack is. While the company doesn’t have total visibility into the hacking campaign, it has important insight, because of governments and corporations’ use of Windows and its antivirus software.
In a blog post Thursday evening, the company’s president, Brad Smith, said that of the more than 40 organizations it had identified as having been significantly impacted, 80 percent were in the U.S., but there were also victims in Belgium, Canada, Israel, Mexico, Spain, the U.A.E. and the United Kingdom.
While many victims were government agencies, companies that contract with governments or think tanks and information and technology companies were also badly hit, Microsoft believed.
The span of the campaign is not known because it had the opportunity to affect a wide set of victims.
The hackers were able to get inside organizations by first breaking into SolarWinds, a relatively unknown technology company in Austin, Texas, that has a number of U.S. government agencies and major corporations as customers. In March, the hackers were able to send poisoned software updates to all SolarWinds customers who used versions of its popular Orion platform, giving them a foothold into victims’ systems.
In a Monday filing with the Securities and Exchange Commission, SolarWinds revealed that approximately 33,000 customers likely downloaded the contaminated software update, though it estimated the actual number of victims as “fewer than 18,000.”
Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike and chair of the Silverado Policy Accelerator, said in a previous interview that an intelligence agency wouldn’t be able to fully exploit that many victims and instead would have to settle on the most valuable targets.
“The good news here, if you want to look for a silver lining, is no intelligence agency has enough human power to go after everyone,” Alperovitch said Monday.
“That’s the good news. The bad news is they had nine months to cherry-pick and go after the best of the best.”
Most of the hacked organizations are still unknown. Three major targets have admitted to being victim: the U.S. departments of Commerce and Energy and the cybersecurity company FireEye, which was the first to report it. A number of other organizations have been reported as victims but have not shown up to confirm.
SolarWinds had maintained a list of more than 100 major government and business customers on its website, though it removed that page Monday. None of those organizations admitted to being hacked, though a number of them said they were still evaluating.