Kartikay Mehrotra and Alyza Sebenius (Bloomberg) -- Whether it was opportunity, strategy or sheer chutzpah, the suspected Russian hackers behind a massive cyber-attack revealed last month focused particular attention on technology companies, including cybersecurity firms entrusted to find malicious activity in their clients’ networks.
Four cybersecurity companies announced this week that they had been targeted as part of the attack, adding to a list of at least eight other tech companies that the hackers tried to breach. Many of the companies said they successfully blocked the attackers, but some others acknowledged that their networks were infiltrated.
The hackers may have focused on technology and cybersecurity companies simply because, after government agencies, they were the next best targets. For hackers, cybersecurity companies represent the gatekeepers guarding the computer networks they so desperately wish to exploit, said Allan Liska, senior security architect at cybersecurity analytics firm Recorded Future Inc.
Also, cybersecurity and technology companies often have remote access to customers’ computer networks, potentially giving hackers entry to their clients and partners. Such digital supply chain hacks are an efficient method to corral hundreds, if not thousands, of potential victims, Liska said.
“If you can compromise security infrastructure, you essentially have the keys to the kingdom and can run around undetected,” he said. “And we’re dealing with an advanced adversary who’s looking for this kind of access.”
In the case of SolarWinds Corp., for instance, the hackers installed malware in its Orion software, which is used by government agencies and Fortune 500 companies. The Texas-based firm said that as many as 18,000 customers may have received the malicious code in software updates, though far fewer are believed to have been subject to further attacks from the hackers.
In addition, the hackers targeted at least one reseller of Microsoft Corp.’s Office 365 tools, likely by digging up login credentials and then compromising the resellers’ clients, cybersecurity experts say. The suspected Russian attackers used those tactics to target the cybersecurity company Crowdstrike, which wasn’t ultimately breached.
The cyber-research firm Malwarebytes Inc. was also targeted after a third-party application that protects its Office 365 email was hacked, and the hackers gained access to a “limited subset of internal company emails,” Malwarebytes said.
There’s not yet any evidence that cybersecurity companies were a launching point for a broader attack, only that the Russian adversary attempted to do so.
”This is a persistent, sophisticated attack that requires organizations to look carefully at the supply chain of their IT infrastructure, which cybersecurity is a part of,” said Ryan Gillis, vice president for cybersecurity strategy and global policy at Palo Alto Networks Inc. “When you look at the consequences, from that we’ve seen so far, everything points back to the IT supply chain.”
Hacking into cybersecurity companies also provides attackers with advantages when launching further attacks, potentially providing them with detection tools or source code that they can use to avoid being caught, according to cybersecurity experts.
“If I am trying to break into your house, the best way to go through is to disable cameras, electronic clocks; this will give me a tactical advantage,” said Alex Holden, founder and chief information security officer at Hold Security. “Knowing how to evade detection in cyber is almost the entire battle. If they have the detection tools in their pocket, they’ve taken our safeguards to use against us.”
Mimecast Ltd., an email security provider, said Tuesday that hackers had turned one of its security tools against it to view its customers’ Microsoft 365 accounts. Fidelis Cybersecurity Inc. said that the company is investigating evidence that it might have been targeted. Another cybersecurity company, Qualys Inc. was also targeted but said in a statement that “there was no impact on our production environment nor exfiltrated data.”
Palo Alto Networks said it was targeted by the same hackers in October but successfully stopped the attacks.
The hack was disclosed in December by the cybersecurity company FireEye Inc., which itself was attacked. About 10 U.S. government agencies were infiltrated as part of the attack, including the departments of Justice, Treasury and Homeland Security. Among the other technology companies that were targeted for further attacks were Microsoft and Cisco Systems Inc. U.S. officials have said they believe hackers associated with the Russian government are behind the attack.
The attack isn’t the first time that cybersecurity firms were compromised by hackers. In 2011, for instance, EMC Corp.’s RSA unit was breached, and two years later, the security firm Bit9 revealed that it had been hacked. Juniper Networks Inc. said it too was compromised in 2015.
Even so, trying to target cybersecurity companies comes with its own perils. After all, the alleged Russian hackers could still be roaming undetected through U.S. government networks, and those of various companies, if they hadn’t decided to break into FireEye’s computers.
“Attackers are getting more sophisticated, and pursuing persistence over time instead of smash and grab techniques,” said Jim Jaeger, a former U.S. Air Force brigadier general who is now president and chief cyber strategist at the cyber investigations firm Arete Advisors LLC. “Now they’re aspiring to use cybersecurity tools to get inside our networks. They’re taking our safeguards and using them against us.”