      Microsoft says SolarWinds hackers stole source code for 3 products

      Dan Goodin · news.movim.eu / ArsTechnica · Friday, 19 February, 2021 - 02:20

    The hackers behind one of the worst breaches in US history read and downloaded some Microsoft source code, but there’s no evidence they were able to access production servers or customer data, Microsoft said on Thursday. The software maker also said it found no evidence the hackers used the Microsoft compromise to attack customers.

    Microsoft released those findings after completing an investigation begun in December, after learning its network had been compromised. The breach was part of a wide-ranging hack that compromised the distribution system for the widely used Orion network-management software from SolarWinds and pushed out malicious updates to Microsoft and roughly 18,000 other customers.

    The hackers then used the updates to compromise nine federal agencies and about 100 private-sector companies, the White House said on Wednesday . The federal government has said that the hackers were likely backed by the Kremlin.

      SolarWinds patches vulnerabilities that could allow full system control

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 4 February, 2021 - 12:39

    SolarWinds, the previously little-known company whose network-monitoring tool Orion was a primary vector for one of the most serious breaches in US history, has pushed out fixes for three severe vulnerabilities.

    Martin Rakhmanov, a researcher with Trustwave SpiderLabs, said in a blog post on Wednesday that he began analyzing SolarWinds products shortly after FireEye and Microsoft reported that hackers had taken control of SolarWinds’ software development system and used it to distribute backdoored updates to Orion customers. It didn’t take long for him to find three vulnerabilities, two in Orion and a third in a product known as Serv-U FTP for Windows. There's no evidence any of the vulnerabilities have been exploited in the wild.

    The most serious flaw allows unprivileged users to remotely execute code that takes complete control of the underlying operating system. Tracked as CVE-2021-25274, the vulnerability stems from Orion’s use of the Microsoft Message Queue, a tool that has existed for more than 20 years but is no longer installed by default on Windows machines.

      DoJ says SolarWinds hackers breached its Office 365 system and read email

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 7 January, 2021 - 02:27

    The US Justice Department has become the latest federal agency to say its network was breached in a long and wide-ranging hack campaign that’s believed to have been backed by the Russian government.

    In a terse statement issued Wednesday, Justice Department spokesman Marc Raimondi said that the breach wasn’t discovered until December 24, which is nine days after the hack campaign came to light. The hackers, Raimondi said, took control of the department’s Office 365 system and accessed email sent or received from about 3 percent of accounts. The department has more than 100,000 employees.

    Investigators believe the campaign started when the hackers took control of the software distribution platform of SolarWinds, an Austin, Texas-based maker of network management software that’s used by hundreds of thousands of organizations. The attackers then pushed out a malicious update that was installed by about 18,000 of those customers. Only a fraction of the 18,000 customers received a follow-on attack that used the backdoored SolarWinds software to view, delete, or alter data stored on those networks.

      Feds say that Russia was “likely” behind months-long hack of US agencies

      Dan Goodin · news.movim.eu / ArsTechnica · Wednesday, 6 January, 2021 - 04:06

    Hackers working for the Russian government were “likely” behind the software supply chain attack that planted a backdoor in the networks of 180,000 private companies and governmental bodies, officials from the US National Security Agency and three other agencies said on Tuesday.

    The assessment—made in a joint statement that also came from the FBI, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence—went on to say that the hacking campaign was a “serious compromise that will require a sustained and dedicated effort to remediate.”

    Russia, Russia, Russia

    The statement is at odds with tweets from US President Donald Trump disputing the Russian government’s involvement and downplaying the severity of the attack, which compromised the software distribution system of Austin, Texas-based SolarWinds and used it to push a malicious update to almost 200,000 of its customers.

      Russia’s hacking frenzy is a reckoning

      WIRED · news.movim.eu / ArsTechnica · Sunday, 20 December, 2020 - 11:50

    Last week, several major United States government agencies—including the Departments of Homeland Security, Commerce, Treasury, and State—discovered that their digital systems had been breached by Russian hackers in a months-long espionage operation. The breadth and depth of the attacks will take months, if not longer, to fully understand. But it's already clear that they represent a moment of reckoning, both for the federal government and the IT industry that supplies it.

    As far back as March, Russian hackers apparently compromised otherwise mundane software updates for a widely used network monitoring tool, SolarWinds Orion. By gaining the ability to modify and control this trusted code, the attackers could distribute their malware to a vast array of customers without detection. Such "supply chain" attacks have been used in government espionage and destructive hacking before, including by Russia. But the SolarWinds incident underscores the impossibly high stakes of these incidents—and how little has been done to prevent them.

      Microsoft reportedly added to the growing list of victims in SolarWinds hack

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 17 December, 2020 - 23:36

    Microsoft was hacked by the same group that compromised the networks of software maker SolarWinds and multiple federal agencies, Reuters reported, citing people familiar with the matter.

    Citing the same people, the news service said that Microsoft’s own products were then used in follow-on hacks on others. It wasn’t immediately clear how many Microsoft users were affected or what Microsoft products were used. Microsoft representatives weren’t immediately available for comment.

    Microsoft is just one of the recent additions to a rapidly growing list of victims in the wide-ranging and advanced hack that reportedly had the backing of the Russian government. Politico reported that the US Department of Energy and the National Nuclear Security Administration had evidence the same hackers accessed their networks. Bloomberg News said that three unidentified US states were hacked in the same campaign. The Intercept, meanwhile, said the hackers had been inside the city of Austin, Texas, for months.

      Feds warn that SolarWinds hackers likely used other ways to breach networks

      Dan Goodin · news.movim.eu / ArsTechnica · Thursday, 17 December, 2020 - 20:56

    The supply chain attack used to breach federal agencies and at least one private company poses a “grave risk” to the United States, in part because the attackers likely used means other than the SolarWinds backdoor to penetrate networks of interest, federal officials said on Thursday.

    “This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” officials with the Cybersecurity and Infrastructure Security Agency wrote in an alert. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” CISA, as the agency is abbreviated, is an arm of the Department of Homeland Security.

    Elsewhere, officials wrote: “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
