A months-long global cyberespionage campaign that penetrated U.S. government agencies and involved a common software product used by thousands of organizations has left governments and major corporations scrambling to see if they too were victims of an attack.
The hack began as early as March when malicious code was snuck into updates to popular software that monitors the computer networks of businesses and governments. The malware, affecting a product made by U.S. company SolarWinds, gave elite hackers remote access into an organization's networks so it could steal information.
It wasn't discovered until the prominent cybersecurity company FireEye learned it was hacked. Whoever broke into FireEye was seeking data on its government clients, the company said. The hackers made off with tools it uses to probe its customers' defenses.
Cybersecurity investigators said the hack's effects extend far beyond the affected U.S. agencies, which include the Treasury and Commerce departments, though they haven't disclosed which companies or what other governments were targeted.
"There's no evidence that this was meant to be destructive," said Ben Buchanan, Georgetown University cyberespionage expert and author of "The Hacker and The State." He called the campaign's scope, "impressive, surprising and alarming."
SolarWinds, of Austin, Texas, provides network-monitoring and other technical services to hundreds of thousands of organizations around the world, including most Fortune 500 companies and government agencies in North America, Europe, Asia, and the Middle East.
Its compromised product, called Orion, accounts for nearly half SolarWinds' annual revenue. Its centralized monitoring looks for problems in an organization's computer networks, which means that breaking in gave the attackers a "God-view" of those networks.
SolarWinds, whose stock fell 17% on Monday, said in a financial filing that it sent an advisory to about 33,000 of its Orion customers that might have been affected, though it estimated that fewer than 18,000 had actually installed the compromised product update earlier this year.
Neither SolarWinds nor U.S. cybersecurity authorities have publicly identified which organizations were breached. Just because a company or agency uses SolarWinds as a vendor doesn't necessarily mean they were vulnerable to the hacking. The malware that opened remote-access backdoors was injected into SolarWinds' Orion product updates released between March and June, but not every customer installed them.
SolarWinds said it was advised that an "outside nation state" infiltrated its systems with malware. Neither the U.S. government nor the affected companies have publicly said which nation state they think is responsible. Russia, the prime suspect according to many security experts, said Monday it had "nothing to do with" the hacking.
"Once again, I can reject these accusations," Kremlin spokesman Dmitry Peskov told reporters. "If for many months the Americans couldn't do anything about it, then, probably, one shouldn't unfoundedly blame the Russians for everything."
Buchanan said the "operational tradecraft" seems extremely good. The hackers were "experienced and capable, adept at finding a systemic weakness and then exploiting it quietly for months." Supporting the consensus in the cyberthreat analysis community that Russians are responsible are the tactics, techniques, and procedures used, which bear their digital fingerprints, said Brandon Valeriano, a Marine Corps University technology scholar.
An advisory issued by Microsoft, which assisted FireEye in the hack response, said it had "delivered more than 13,000 notifications to customers attacked by nation-states over the past two years and observed a rapid increase in (their) sophistication and operational security capabilities."
The Associated Press contributed to this report.