The suspected Russian hacking campaign that has torn through the U.S. government zeroed in on more than 40 organizations, Microsoft’s president said Thursday.
The campaign, which U.S. officials believe is the work of Russian intelligence, began at least as early as March, though it was discovered only last week, and has broken into multiple federal agencies.
A multi-agency statement described it this week as “ongoing,” leaving open the question of how many organizations were compromised and how badly.
Microsoft’s statement is the first to provide a detailed estimate of how widespread the hack is. While the company doesn’t have total visibility into the hacking campaign, it has significant insight thanks to governments and corporations’ use of Windows and its antivirus software, Defender.
In a blog post Thursday evening, the company’s president, Brad Smith, said that of the more than 40 organizations it had identified as having been significantly impacted, 80 percent were in the U.S., but there were also victims in Belgium, Canada, Israel, Mexico, Spain, the U.A.E. and the United Kingdom.
While many victims were government agencies, companies that contract with governments or think tanks and information and technology companies were also frequently hit, Microsoft found.
The breadth of the campaign has been an open question because it had the opportunity to infect a staggeringly wide array of victims.
The hackers were able to get inside organizations by first breaking into SolarWinds, a relatively obscure technology company in Austin, Texas, that counts a number of U.S. government agencies and major corporations as customers. In March, the hackers were able to send poisoned software updates to all SolarWinds customers who used versions of its popular Orion platform, giving them a foothold into victims’ systems.
In a Monday filing with the Securities and Exchange Commission, SolarWinds noted that approximately 33,000 customers likely downloaded the malicious software update, though it estimated the actual number of victims as “fewer than 18,000.”
However, experts and U.S. officials had widely believed that Russia would only devote resources to hacking and secretly stealing information from a more targeted list of organizations.
Dmitri Alperovitch, co-founder of the cybersecurity firm CrowdStrike and chair of the Silverado Policy Accelerator, said in a previous interview that an intelligence agency wouldn’t be able to fully exploit that many victims and instead would have to settle on the most valuable targets.
“The good news here, if you want to look for a silver lining, is no intelligence agency has enough human power to go after everyone,” Alperovitch said Monday.
“That’s the good news. The bad news is they had nine months to cherry-pick and go after the best of the best.”
Most of the hacked organizations are still unidentified. Three major targets have admitted to being infected: the U.S. departments of Commerce and Energy and the cybersecurity company FireEye, which was the first to report it. A number of other organizations have been reported as victims but have not come forward to confirm.
SolarWinds had maintained a list of more than 100 prominent government and business customers on its website, though it removed that page Monday. None of those organizations admitted to being hacked, though a number of them said they were still investigating or didn’t respond to requests for comment.
Kevin Collier is a reporter covering cybersecurity, privacy and technology policy for NBC News.
Rich Gardella and Ken Dilanian