The massive Russian malware attack targeted more than 40 Microsoft customers with “narrower and more focused” measures, the company said, calling it “a broad and successful espionage-based assault.”
Investigators have traced the hack to updates of the Orion technology management software that were released between March and June of this year. Around 18,000 Orion customers installed the compromised update, many of whom are in the U.S. federal government.
But in a blog post, Microsoft President Brad Smith said the software giant had identified and had been working to notify more than 40 customers that “the attackers targeted more precisely and compromised through additional and sophisticated measures.”
Roughly 80% of those customers are located in the U.S., with the rest in seven other countries, including Canada, Mexico, Belgium, Spain, the U.K., Israel, and the UAE. Orion’s manufacturer, SolarWinds, claims to have more than 300,000 customers worldwide, including more than 400 of the Fortune 500.
According to Smith, nearly half of Microsoft’s initial list of victims are in the information technology sector, including software firms, IT services, and equipment providers. “It’s certain that the number and location of victims will keep growing,” he warned.
As CNN reports, “Microsoft’s analysis represents the clearest and most specific assessment yet of the scope of the damage caused by the hacking campaign.”
The hackers reportedly installed malicious code in the periodic automatic updates of the Orion software. Once they were in the software, they were able to break into victims’ Microsoft email servers by forging the authentication tokens that tell the system who should be granted access.
Smith did not specify what additional measures the hackers had taken against some Microsoft customers but he said the malware infiltration “created an opportunity for the hackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion.”
The attack “unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. government and the tech tools used by firms to protect them,” Smith said.