Microsoft said Thursday that dozens of its customers, including firms in Israel and the United Arab Emirates, were targeted as part of the massive cyber-assault on US government institutions that was uncovered this week.
The tech giant called for a “global cybersecurity response” following the attack, and singled out Israel’s private sector as a potential source of threats.
The hacking attack has been linked to Russia and hit numerous US government agencies, including the country’s nuclear weapons stockpile, according to a Thursday report.
One US official said the assault was “looking like it’s the worst hacking case in the history of America.”
Microsoft said in a blog post on Thursday said the incident was “effectively an attack on the United States and its government and other critical institutions.”
The company said its own cybersecurity experts were assisting in the response to the attack, which was ongoing and “remarkable for its scope, sophistication and impact.”
The attack was carried out through software by a third-party network management firm based in Texas called SolarWinds. The company’s software was used by the attackers to infiltrate other computer networks undetected. Microsoft said its investigation had identified dozens of its own customers that had installed the malware and been targeted by the attackers.
“The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion,” the company said.
At least 40 of its customers were targeted and compromised, Microsoft said. Eighty percent of the targets were in the US, but the company has so far identified victims in seven other countries — Israel, the UAE, Canada, Mexico, Belgium, Spain and the UK.
The statement did not provide details on the identity of the victims, but said it included government agencies, information technology firms, non-governmental organizations, government contractors and others. It said the number and locations of the known targets will increase as the investigation continues, and that Microsoft was notifying its customers that were hit.
The company said in its statement that it had located the malicious software in its own systems, but had not found any indications of damage.
Microsoft’s statement, attributed to company president Brad Smith, was framed as a call for a strong, global cybersecurity response, highlighting the increasing threat of cyberwarfare worldwide.
“This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” Microsoft said.
“It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”
The statement singled out Israel’s private sector, and the Israeli company NSO Group, as potential threats. It said NSO Group was illustrative of a new, evolving threat of privatized cybersecurity attacks “akin to 21st-century mercenaries.”
The company is accused of developing software that governments used to spy on their citizens, including journalists and human rights activists.
“NSO represents the increasing confluence between sophisticated private-sector technology and nation-state attackers,” the Microsoft statement said.
It called for the incoming Biden administration to take a stance against the NSO Group in a US court case against the company.
The statement said the US should pursue discussions with other countries that are giving rise to offensive private sector actors, highlighting Israel, “which has a strong cybersecurity ecosystem that can be drawn into dangerous support of authoritarian regimes.”
Earlier Thursday, US federal authorities expressed increased alarm about the intrusion into US and other computer systems around the globe in the assault that officials suspect was carried out by Russian hackers. The nation’s cybersecurity agency warned of a “grave” risk to government and private networks.
The US Cybersecurity and Infrastructure Security Agency (CISA) said the intrusion had compromised federal agencies as well as “critical infrastructure” in a sophisticated attack that was hard to detect and will be difficult to undo.
CISA did not say which agencies or infrastructure had been breached or what information taken in an attack that it said appeared to have begun in March.
The attack was first uncovered by the US cybersecurity firm FireEye.
US officials told the Politico news site that the attack in the US hit systems of the US Energy Department and National Nuclear Security Administration.
It was not immediately clear whether the hackers had been able to access any data on those networks, and if so, what information had leaked.
The hack, if authorities can indeed prove it was carried out by a nation such as Russia as experts believe, creates a fresh foreign policy problem for US President Donald Trump in his final days in office.
Trump, whose administration has been criticized for eliminating a White House cybersecurity adviser and downplaying Russian interference in the 2016 presidential election, has made no public statements about the breach.
Over the weekend, amid reports that the Treasury and Commerce departments were breached, CISA directed all civilian agencies of the federal government to remove SolarWinds from their servers. The cybersecurity agencies of Britain and Ireland issued similar alerts.
A US official told The Associated Press that Russia-based hackers were suspected, but neither CISA nor the FBI has publicly said who is believed to be responsible. Asked whether Russia was behind the attack, the official said: “We believe so. We haven’t said that publicly yet because it isn’t 100% confirmed.”
Another US official, speaking Thursday on condition of anonymity to discuss a matter that is under investigation, said the hack was severe and extremely damaging although the administration was not yet ready to publicly blame anyone for it.
“This is looking like it’s the worst hacking case in the history of America,” the official said. “They got into everything.”
The official said the administration is working on the assumption that most, if not all, government agencies were compromised but the extent of the damage was not yet known.
The intentions of the perpetrators appear to be espionage and gathering valuable information rather than destruction, according to security experts and former government officials.
Among the business sectors scrambling to protect their systems and assess potential theft of information are defense contractors, technology companies and providers of telecommunications and the electric grid.