Whether it was opportunism, a strategy or pure chutzpah, the suspected Russian hackers behind the massive cyber attack revealed last month paid particular attention to technology companies, including the cybersecurity companies entrusted with finding malicious activity in their customers' networks.
Four cybersecurity companies announced this week that they were the target of the attack, adding to a list of at least eight other tech companies the hackers were trying to break through. Many of the companies said they successfully blocked the attackers, but some others admitted that their networks had been infiltrated.
The hackers may have targeted technology and cybersecurity companies simply because they were the next best targets after government agencies. To hackers, cybersecurity companies represent the gatekeepers guarding the computer networks they are so eager to exploit, says Allan Liska, senior security architect at cybersecurity analytics firm Recorded Future Inc.
Additionally, cybersecurity and technology companies often have remote access to customers' computer networks, potentially allowing hackers to gain access to their customers and partners. Such digital supply chain hacks are an efficient method of rounding up hundreds if not thousands of potential victims, Liska said.
"If you can compromise the security infrastructure, you essentially have the keys to the kingdom and can walk around unnoticed," he said. "And we are dealing with an advanced opponent looking for this kind of entry."
In the case of SolarWinds Corp., for example, the hackers inserted malware into its Orion software, which is used by government agencies and Fortune 500 companies. The Texas-based company said as many as 18,000 customers received the malicious code in software updates, although far fewer are believed to have been victims of follow-on attacks by the hackers.
In addition, the hackers targeted at least one reseller of Microsoft Corp.'s Office 365 tools, likely harvesting credentials and then endangering the reseller's customers, cybersecurity experts say. The suspected Russian attackers used those tactics to go after cybersecurity company CrowdStrike, which was ultimately not breached.
The cyber research firm Malwarebytes Inc. was also targeted after a third-party application protecting its Office 365 email was hacked, and the hackers gained access to a "limited subset of internal corporate emails," Malwarebytes said.
There is no evidence yet that cybersecurity firms were a starting point for a broader attack, only that the Russian adversary attempted to use them as one.
"This is an ongoing, sophisticated attack that requires organizations to carefully review their IT infrastructure supply chain, which includes cybersecurity," said Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks Inc. "When you look at the impact we've seen so far, everything points back to the IT supply chain."
Hacking cybersecurity companies also benefits attackers in launching further attacks, potentially providing them with detection tools or source code they can use to avoid being caught, cybersecurity experts say.
"If I try to break into your house, the best way to go through it is to turn off cameras, electronic clocks; this gives me a tactical advantage," said Alex Holden, founder and chief information security officer at Hold Security. "Knowing how to get around cyber detection is almost the whole battle. If they have the detection tools in their pocket, they have taken our precautions to use against us."
Mimecast Ltd., an email security provider, said on Tuesday that hackers had turned one of its security tools against it to view its customers' Microsoft 365 accounts. Fidelis Cybersecurity Inc. said it is investigating evidence that it may have been targeted. Another cybersecurity firm, Qualys Inc., was also targeted, but said in a statement that "there was no impact on our production environment, nor was any data exfiltrated."
Palo Alto Networks said it was targeted by the same hackers in October but successfully stopped the attacks.
The hack was revealed in December by cybersecurity company FireEye Inc., which itself was under attack. About 10 US government agencies were infiltrated as part of the attack, including the Departments of Justice, Treasury and Homeland Security. Among the other technology companies targeted in further attacks were Microsoft and Cisco Systems Inc. US officials have said they believe hackers linked to the Russian government are behind the attack.
The attack isn't the first time cybersecurity companies have been compromised by hackers. In 2011, for example, the RSA unit of EMC Corp. was breached, and two years later security company Bit9 revealed it had been hacked. Juniper Networks Inc. also said it was compromised in 2015.
Still, targeting cybersecurity companies comes with its own dangers. After all, the alleged Russian hackers might still be roaming unnoticed through US government networks and those of various companies if they had not decided to break into FireEye's computers.
"Attackers are becoming more sophisticated and strive for persistence over time rather than smash and grab techniques," said Jim Jaeger, a former US Air Force brigadier general who is now president and chief cyber strategist at cyber research firm Arete Advisors LLC. "Now they want to use cybersecurity tools to get into our networks. They are taking our precautions and using them against us."
With assistance from Jamie Tarabay.
Copyright 2021 Bloomberg.