Hackers who exploited an update to the ubiquitous SolarWinds Orion network management software accessed the systems of Pima County, Arizona, and Cox Communications, a major cable internet provider.
The victims are just two of as many as 18,000 SolarWinds customers around the globe who installed the malicious update. The hack, which was first reported by cybersecurity firm FireEye, itself a SolarWinds customer, affected several U.S. government agencies, including the departments of Defense, State, Homeland Security, Energy, Treasury, and Commerce.
The hack is believed to be the biggest ever uncovered, prompting the U.S. government to assemble a multi-department task force to respond to the threat.
A spokesman for Cox Communications said the company was working “around the clock” with the help of outside security experts to investigate any consequences of the compromise.
Pima County Chief Information Officer Dan Hunt told said his team had followed government advice to take SolarWinds software offline after the hack was discovered. He said investigators had not found any evidence of a further breach.
The two victims were first flagged in a post by Kaspersky Labs, which used a script to decode web records left behind by the hackers. Kaspersky did not identify the firms out of caution, but Reuters used the script to decode the names.
The type of web record used, known as a CNAME, includes an encoded unique identifier for each victim and shows which of the thousands of “backdoors” available to them the hackers chose to open, said Kaspersky researcher Igor Kuznetsov.
“Most of the time these backdoors are just sleeping,” he said. “But this is when the real hack begins.”
John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decode the CNAME records published by FireEye and found they connected to Cox Communications and Pima County.
The records show that the backdoors at Cox Communications and Pima County were activated in June and July this year, the peak of the hacking activity so far identified by investigators.
The Cybersecurity and Infrastructure Security Agency (CISA) said Thursday that the hacking campaign that targeted the federal government is larger than what was previously known.
The hackers gained backdoor access in more ways than through the SolarWinds software.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” CISA said in a statement.
Microsoft said Thursday that it found the malicious software in its system. The company said around 30 of the affected customers were in the United States.
“It’s certain that the number and location of victims will keep growing,” Microsoft President Brad Smith said in a blog post.
Jack Phillips, Zachary Stieber, and Reuters contributed to this report.