SolarWinds confirmed Wednesday that it used TeamCity software to assist with the development of its software and was examining that software as part of its investigation. The company said it had yet to confirm a definitive link between JetBrains and the breach and compromise of its own software.
SolarWinds has said that 18,000 customers downloaded its compromised software, but investigators believe Russia was judicious in which of those networks it gained access to, making it difficult to quickly assess the damage.
In the joint announcement, officials said they believed the Russian hackers stopped at 10 federal agencies, but an internal assessment by Amazon, which has been examining the hackers’ tools, puts the total number of victims in government and the private sector at upward of 250 organizations.
Microsoft also announced on Dec. 31 that its network was breached by the same intruders, and confirmed that they viewed the company’s source code. It has not said which products may have been compromised. CrowdStrike, a security firm, confirmed last month that it was targeted, unsuccessfully, through a company that sells software on behalf of Microsoft. Those resellers help set up Microsoft software and often have broad access to clients’ systems, access that Russia’s hackers could exploit against untold numbers of Microsoft customers.
The Justice Department did not learn of, and close off, the vulnerability in its Microsoft Outlook email system until Dec. 24, some 10 days after the SolarWinds compromise of government computers became public, officials said.
Marc Raimondi, a Justice Department spokesman, said that about 3 percent of the department’s email accounts that use the specific Microsoft software were compromised by the breach. He said that no classified systems appear to have been affected, but that the episode had been designated as a major one.
“Compromising and introducing a back door into a build environment such as TeamCity is the holy grail of a supply chain hack,” said Dmitri Alperovitch, a founder of CrowdStrike who now runs Silverado Policy Accelerator, referring to the method by which the Russian hackers entered victims’ systems — through their supply chains, or software vendors.