Suspected Russian cyber-attack growing in scale, Microsoft warns

Microsoft has said the UK and six other countries outside the US have been affected by a suspected Russian hacking attack that US authorities have warned poses a grave risk to government and private networks.

Brad Smith, Microsoft’s chief legal counsel, said the company had uncovered 40 customers, including government agencies, thinktanks, NGOs and IT companies, who were “targeted more precisely and compromised” after the hackers had gained initial access earlier this year.

Eighty per cent were in the US, including, it is feared, agencies responsible for the US nuclear weapons stockpile. But the remainder were spread out across other countries.

“This includes Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East,” Smith said. “It’s certain that the number and location of victims will keep growing.”

Russian hacker groups are often linked to the country’s intelligence agencies, and US officials have privately blamed the attack on Cozy Bear, a group accused of trying to steal coronavirus vaccine secrets earlier this year.

The attack occurred when an update to a popular IT network management tool called Orion, made by SolarWinds, was compromised from March this year. Around 18,000 customers, many of them in the US federal government, installed the compromised update.

Of these, at least 40 were then selected by the attackers for further exploitation, including the US Treasury and Department of Commerce, where emails are thought to have been read, and the National Telecommunications and Information Administration.

Microsoft said it had been able to map some of the impact of the SolarWinds attack because it had been brought in by clients to assist, using its antivirus software. It admitted it too had fallen victim to the attack, although it said it had not found “evidence of access to production services or customer data”.

It emerged overnight that the US National Nuclear Security Administration, which maintains the US nuclear weapons stockpile, had evidence that hackers accessed its networks. The NNSA also supplies some nuclear technology to the UK.

The FBI is expected to hold a classified briefing for members of Congress on Friday about the growing impact of the attack, which is potentially the most serious faced by the US government in its history.

Smith said the attack represented “a broad and successful espionage-based assault on both the confidential information of the US government and the tech tools used by firms to protect them.”

But it also had global ramifications, he said, creating a vulnerability in the technology supply chain “of nearly global importance, reaching several major national capitals outside Russia.”

A map produced by Microsoft showed where the hackers’ malware had been picked up by users of its Microsoft Defender antivirus software, with evidence of penetration in a range of countries including China but excluding Russia.

“This is not ‘espionage as usual’, even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” Smith said.

Russia denies responsibility for the attack. In a statement posted on Facebook this week the Russian foreign ministry described the allegations as “another unfounded attempt” by the US media to blame Russia for cyber-attacks against US agencies.

On Thursday the president-elect, Joe Biden, said the US needed to better “disrupt and deter our adversaries” and said he expected to work closely with “allies and partners” in preventing Russian attacks.

This marked a change in tone from Donald Trump’s outgoing administration. Trump was reluctant to criticise the Kremlin and its spy agencies, which were accused of hacking and leaking the contents of the Democratic party’s email server in the run-up to the 2016 election campaign.

Microsoft called on the incoming Biden administration to improve cybersecurity intelligence-sharing across the US government and between the country’s allies.

It also asked for the new president to appoint a national cybersecurity director. The most senior individual previously responsible, Chris Krebs, was fired by Trump as director of the Cybersecurity and Infrastructure Security Agency in November after he rejected the president’s election conspiracy theories.

This week Jeremy Fleming, the head of the UK spy agency GCHQ, said the organisation was “working at pace” to understand what the implications of the SolarWinds attacks were for the British government and private companies. There has been no substantive update from him.
