Security experts expect many more companies to say they were hacked by Russian intelligence agents who stole executives' emails, after Microsoft and Hewlett Packard Enterprise made revelations last week.
Microsoft said late Thursday that it had found additional victims and was in the process of notifying them. A spokesman declined to say how many there were. But three experts inside and outside the government said the attack was deeper and broader than the disclosures so far show.
Two said more than 10 companies, perhaps many more, are expected to come forward. The experts asked not to be named in order to maintain contact with the victims.
The Securities and Exchange Commission last year tightened rules requiring companies to inform shareholders about computer intrusions that could have a significant impact on the company's results. That helped drive the recent revelations.
Microsoft, HPE and the experts said that the Russian foreign intelligence service, the SVR, had been inside the attacked companies' systems for months. It was not clear whether the Russians had used the same technique each time to gain access to the companies' systems.
The SVR team, which Microsoft calls Midnight Blizzard, is considered one of the most competent hacking forces in the world. Microsoft said the Russian agency gained a foothold on its network through a password spray: trying a small number of common passwords against many accounts, rather than many passwords against one, until a legacy test account accepted one.
Although this is a rudimentary attack, the company says it is harder to detect because the attempts were kept to a low volume and spread across many source addresses, so no single account or source looked suspicious on its own. Once inside, the hackers used the test account's access to an older internal application, created additional accounts and applications, and granted them broader internal permissions.
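The detection problem described above is that a spray defeats the classic per-source brute-force rule: each address and each account sees only a handful of failures. The following is an added example, not code from Microsoft or from the original article, showing a simple spray detector run over a constructed sign-in log in the shape of an Entra ID sign-in export (the field names `createdDateTime`, `userPrincipalName`, `ipAddress` and `status.errorCode` follow that export; the addresses, account names and timing are invented). It contrasts a per-IP threshold rule, which fires on nothing, with a rule that counts how many distinct accounts failed a small number of times in one window.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _build_sample_log() -> str:
    """Constructed sample data, not a real log. Error 50126 is Entra's
    'invalid username or password'; errorCode 0 is a successful sign-in."""
    base = datetime(2024, 1, 12, 3, 0, tzinfo=timezone.utc)
    rows = []
    # The spray: 40 different accounts, one failure each, spread across
    # 15 source IPs and about 24 minutes. No IP or account stands out alone.
    for i in range(40):
        rows.append({
            "createdDateTime": (base + timedelta(seconds=37 * i)).isoformat(),
            "userPrincipalName": f"user{i:02d}@contoso.example",
            "ipAddress": f"203.0.113.{i % 15 + 1}",
            "status": {"errorCode": 50126},
        })
    # Benign noise: one real user mistypes a password three times, then succeeds.
    for k in range(3):
        rows.append({
            "createdDateTime": (base + timedelta(minutes=5, seconds=20 * k)).isoformat(),
            "userPrincipalName": "alice@contoso.example",
            "ipAddress": "198.51.100.7",
            "status": {"errorCode": 50126},
        })
    rows.append({
        "createdDateTime": (base + timedelta(minutes=6)).isoformat(),
        "userPrincipalName": "alice@contoso.example",
        "ipAddress": "198.51.100.7",
        "status": {"errorCode": 0},
    })
    return "\n".join(json.dumps(r) for r in rows)


SAMPLE_LOG = _build_sample_log()


def parse_signins(text):
    """Parse JSON-lines sign-in records into flat dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(rec["createdDateTime"]),
            "user": rec["userPrincipalName"].lower(),
            "ip": rec["ipAddress"],
            "failed": rec["status"]["errorCode"] != 0,
        })
    return events


def per_ip_brute_force_alerts(events, threshold=10):
    """Classic rule: any single source IP with >= threshold failed sign-ins.
    A low-and-slow spray from many addresses never reaches this threshold."""
    counts = defaultdict(int)
    for e in events:
        if e["failed"]:
            counts[e["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def password_spray_alerts(events, window=timedelta(minutes=30),
                          min_users=20, max_failures_per_user=2):
    """Spray rule: in one fixed window, many distinct accounts each fail only
    a few times. Accounts with more failures than max_failures_per_user are
    treated as ordinary typo noise (alice above) and left out of the count."""
    failed = [e for e in events if e["failed"]]
    if not failed:
        return []
    start = min(e["ts"] for e in failed)
    buckets = defaultdict(list)
    for e in failed:
        buckets[(e["ts"] - start) // window].append(e)  # timedelta // timedelta -> int
    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        per_user, per_ip = defaultdict(int), defaultdict(int)
        for e in evs:
            per_user[e["user"]] += 1
            per_ip[e["ip"]] += 1
        sprayed = {u for u, n in per_user.items() if n <= max_failures_per_user}
        if len(sprayed) >= min_users:
            alerts.append({
                "window_start": start + idx * window,
                "distinct_users": len(sprayed),
                "distinct_ips": len({e["ip"] for e in evs if e["user"] in sprayed}),
                "max_failures_per_ip": max(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_signins(SAMPLE_LOG)
    print("per-IP brute-force alerts:", per_ip_brute_force_alerts(evs))
    print("password-spray alerts:", password_spray_alerts(evs))
```

On the sample data the per-IP rule returns nothing, because the busiest address has only three failures, while the spray rule reports one window with 40 distinct accounts across 15 addresses. The thresholds are illustrative; in practice they are tuned against a tenant's baseline, and the same grouping can be applied per user agent or per autonomous system to catch sprays routed through residential proxy pools.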
The group, also known as Cozy Bear, made international headlines in 2020 for compromising the software provider SolarWinds. It inserted malicious code into that company's software and gained access to federal agencies and other SolarWinds customers when they installed the tampered update.
“What sets this group apart is its remarkable combination of discretion, patience and unwavering persistence, which sets it apart from other cyber threat actors who are also funded by and acting on behalf of nation states,” said Aric Ward, a former White House threat analyst. “Their inconspicuousness demonstrates a clandestine and skillful approach and makes it clear that their actions continue even as they remain beyond public scrutiny.”
The Microsoft and HPE breaches are particularly concerning because so many other companies and governments rely on them for cloud services, including email. It is not yet known whether the hackers were able to use their access to Microsoft's systems to carry out attacks on other companies.
Eric Goldstein, the top cybersecurity official at the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, said they were working to learn more about the attack and its potential impact.
“As noted in Microsoft’s announcement, we are not aware of any impact to Microsoft customer environments or products at this time,” Goldstein said.
Alex Stamos, a security executive at rival SentinelOne, said Microsoft's recent blog post indicated that the company used a detection technique that only works on Microsoft-hosted cloud services. Stamos wrote on LinkedIn that this suggests multiple targets were hit by an attack method that works against Microsoft's identity and access system, now called Entra ID and formerly known as Azure Active Directory.
Microsoft said the SVR searched the emails of its cybersecurity experts to find out what they knew about the Russian organization, which may reflect the company's effectiveness in helping Ukraine defend against Russian cyberattacks since the invasion two years ago.
“Their goal is to break into systems of interest to them, but given Microsoft's role in the world and the help they have provided to Ukraine, they will be a target,” said George Barnes, who recently retired as deputy director of the National Security Agency.
Microsoft executives' emails are also likely to contain conversations with government officials that would be useful to foreign intelligence agencies.