The alleged Russian hacking campaign that has swept through the US government has struck more than 40 organizations, the president of Microsoft said on Thursday.
The campaign, which US officials believe is the work of Russian intelligence, began at least as early as March, although it was discovered only last week, and it spread into several federal agencies.
A multi-agency statement this week described it as “ongoing”, leaving open the question of how many organizations were compromised and how badly.
The Microsoft statement is the first to provide a detailed estimate of the extent of the hack. Although the company does not have full visibility into the hacking campaign, it has a significant vantage point because governments and corporations widely use Windows and its antivirus software, Defender.
In a blog post on Thursday night, the company’s president, Brad Smith, said that of the more than 40 organizations it had identified as being significantly affected, 80% were in the United States, but there were also victims in Belgium, Canada, Israel, Mexico, Spain, the United Arab Emirates and the United Kingdom.
While many victims were government agencies, government contractors, think tanks and information technology companies were also frequently affected, Microsoft found.
The breadth of the campaign has been an open question, since it had the potential to infect an enormously wide range of victims.
The hackers managed to break into organizations by first compromising SolarWinds, a relatively obscure technology company in Austin, Texas, that counts a number of US government agencies and large corporations among its clients. In March, the hackers managed to push poisoned software updates to all SolarWinds customers who used versions of its popular Orion platform, giving them a foothold in victims’ systems.
In a filing with the Securities and Exchange Commission on Monday, SolarWinds said about 33,000 customers could have downloaded the malicious software update, although it estimated the actual number of victims to be “less than 18,000.”
However, US experts and officials widely believed that Russia would devote resources to hacking and stealing information from only a far more select list of organizations.
Dmitri Alperovitch, co-founder of the cybersecurity company CrowdStrike and chairman of the Silverado Policy Accelerator, said in an earlier interview that an intelligence agency could not fully exploit that many victims and would instead have to settle on the most valuable targets.
“The good news here, if you want to look for a silver lining, is that no intelligence agency has enough human power to go after everyone,” Alperovitch said Monday.
“The bad news is that they had nine months to cherry-pick and go after the best of the best.”
Most of the hacked organizations remain unidentified. Three major targets have acknowledged being compromised: the US Departments of Commerce and Energy, and the cybersecurity company FireEye, which was the first to report the intrusion. A number of other organizations have been reported as victims but have not confirmed it.
SolarWinds maintained a list of more than 100 prominent government and business customers on its website, although it removed that page on Monday. None of those organizations has acknowledged being hacked; some said they were still investigating, and others did not respond to requests for comment.
Rich Gardella and Ken Dilanian contributed.