The suspected Russian hackers behind breaches at U.S. government agencies also gained access to major U.S. technology and accounting companies, at least one hospital and a university, a Wall Street Journal analysis of internet records found.
The Journal identified infected computers at two dozen organizations that installed tainted network monitoring software called SolarWinds Orion that allowed the hackers in via a covertly inserted backdoor. It gave them potential access to scores of sensitive corporate and personal data.
Among them: technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., accounting firm Deloitte LLP, cloud-computing software maker VMware Inc. and Belkin International Inc., which sells home and office Wi-Fi routers and networking gear under the LinkSys and Belkin brands. The attackers also had access to the California Department of State Hospitals and Kent State University.
The victims offer a small window into the sweeping scope of the hack, which could have ensnared as many as 18,000 of Austin-based SolarWinds Corp.'s customers, the company said, after hackers laced a routine software update with malicious code.
SolarWinds said that it traced activity from the hackers back to at least October 2019 and that it is now working with security companies, law enforcement and intelligence agencies to investigate the attack.
Cisco confirmed in a statement that it found the malicious software on some employee systems and a small number of laboratory systems. The company is still investigating. "At this time, there is no known impact to Cisco offers or products," a company spokesman said.
Intel downloaded and ran the malicious software, the Journal's analysis found. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company's network, a spokesman said.
Deloitte, infected in late June according to the Journal's analysis, said in a statement it "has taken steps to address" the malware but hasn't "observed indications of unauthorized access to our systems at this time."
VMware said it found "limited instances" of the malicious software in its systems, but its "internal investigation has not revealed any indication of exploitation," a spokesman said.
Belkin said in an email that it removed the backdoor immediately after federal officials issued an alert last week. "There has been no known negative impact identified to date," a company spokeswoman said.
A Kent State University spokeswoman said the school "was aware of the situation and are evaluating this serious matter."
The California Department of State Hospitals installed the backdoor by early August, according to the Journal's analysis. State officials are working with federal and state agencies to address the impact of the SolarWinds backdoor, according to a spokesman for California's Governor's Office of Emergency Services, who declined to comment on specific agencies affected.
A Nvidia spokesman said in a statement the company has "no evidence at this time that Nvidia was adversely affected and our investigation is ongoing."
The Journal gathered digital clues from victim computers collected by threat-intelligence companies Farsight Security and RiskIQ and then used decryption methods to reveal the identities of some of the servers that downloaded the malicious code. In some cases, the analysis led to the identity of compromised organizations and showed when the code was likely activated -- indicating that the hackers had access.
It isn't yet known what the hackers did inside the various organizations, or if they even used the backdoors for many of the companies. But investigators and security experts say that besides internal communications and other government secrets, hackers may have sought emails of corporate executives, files about sensitive technologies under development, and other ways to compromise more systems later.
The uncertainty has left SolarWinds' customers -- which include major technology companies, more than 400 Fortune 500 companies and many government agencies -- scrambling to determine the fallout and whether the hackers remain inside.
The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on -- an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.
Government agencies and cybersecurity experts are still working to piece together the massive suspected espionage operation. At least six federal agencies, including the departments of State, Homeland Security, Commerce and Energy, were hacked as part of the campaign.
The Cybersecurity and Infrastructure Security Agency last week published an alert that said the hack was "grave" and ongoing. SolarWinds has released an update that closes the backdoor, and Microsoft Corp. has taken control of part of the hackers' infrastructure to prevent the attack from spreading.
Federal investigators have concluded that the Russian government is likely responsible for the hack in part because of the level of skill involved. Several senators who have received briefings in recent days have openly referred to it as a Russian operation. And on Friday Secretary of State Mike Pompeo became the first Trump administration official to publicly blame Moscow, although President Trump in a tweet Saturday suggested without evidence that China could be responsible.
Moscow has denied responsibility.
"Customers are definitely freaking out," said David Kennedy, whose company, TrustedSec LLC, is investigating the hack. For many companies the concern is whether the attackers stole data or remain undetected within corporate networks, he said. What's more, because the attack dates back many months, some companies may no longer have the forensic data needed to do a complete investigation.
"If this is indeed SVR, as we believe it is, those guys are incredibly hard to kick out of networks," said Dmitri Alperovitch, a cybersecurity expert and co-founder of the Silverado Policy Accelerator think tank, referring to the Russian Foreign Intelligence Service.
Some organizations that maintain better records of activity on their systems will likely be able to determine whether somebody walked through the Russian backdoor onto their networks, said Mr. Alperovitch, who also co-founded cybersecurity firm CrowdStrike Holdings Inc. But for others, especially smaller or medium-size firms, it will be a difficult and expensive task that many are likely to ignore -- meaning Russia could maintain a presence in some networks indefinitely.
"They probably are just going to remove the backdoor and move on," Mr. Alperovitch said.
For many corporate victims, the looming fear now is that the hackers could use them as an avenue to get to their clients. For example, Microsoft found in research released Thursday that nearly half its more than 40 customers hit in the attack were information technology service companies, which often have broad access to their customers' networks.
Microsoft, itself a SolarWinds customer, said last week it had also detected malicious software related to the hack on its own network but "no indications that our systems were used to attack others," a company spokeswoman said. The company's investigation continues.