SolarWinds reveals 18,000 impacted by cyber attack

News agency Reuters identified some of the victims of the SolarWinds attack by running a decoder script, released on Friday by researchers at Moscow-based cybersecurity firm Kaspersky, against DNS records left behind by the attackers.
The type of web record, known as a CNAME, includes an encoded unique identifier for each victim and shows which of the thousands of “backdoors” available to them the hackers chose to open, said Kaspersky researcher Igor Kuznetsov.

The CNAME records relating to Cox Communications and Pima County were included in a list of technical indicators published by U.S. cybersecurity firm FireEye, the first victim to discover and disclose that it had been hacked.

John Bambenek, a security researcher and president of Bambenek Consulting, said he had also used the Kaspersky tool to decode the CNAME records published by FireEye and found they connected to Cox Communications and Pima County.

The records show that the backdoors at Cox Communications and Pima County were activated in June and July this year, the peak of the hacking activity so far identified by investigators.

SolarWinds, which disclosed its role at the centre of the global hack on Monday, said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.

Technology companies including Intel, Cisco, VMware, Nvidia and Belkin have been named among the organizations caught up in the SolarWinds hack, which is suspected of having been orchestrated by Russian state-backed hackers.

The suspected Russian hackers planted malware in the Orion software sold by the IT management company SolarWinds, and used it to access sensitive data belonging to several US government agencies, at least one hospital and a university, the Wall Street Journal reports.

The attackers also had access to the California Department of State Hospitals and Kent State University.

Microsoft, which was one of the companies to receive the malicious update, said it had so far notified more than 40 customers whose networks were further infiltrated by the hackers.

Around 30 of those customers were in the United States, with the remaining victims found in Canada, Mexico, Belgium, Spain, Britain, Israel and the United Arab Emirates. Most were information technology companies, along with some think tanks and government organizations.

“It’s certain that the number and location of victims will keep growing,” Microsoft President Brad Smith said in a blog post.

“The installation of this malware created an opportunity for the attackers to follow up and pick and choose from among these customers the organizations they wanted to further attack, which it appears they did in a narrower and more focused fashion.”

Hackers who broke into U.S. government agencies also spied on less high-profile organizations, including groups in Britain, a U.S. internet provider and a county government in Arizona, according to web records and a security source.

Networking supplier Cisco said a limited number of machines in some of its labs had been found with malicious software on them, without saying if anything had been taken. A person familiar with the company’s ongoing probe said fewer than 50 were compromised.

In Britain, a small number of organizations, none of them in the public sector, were compromised, a security source said.

The hack, which hijacked network management software made by SolarWinds to compromise a raft of U.S. government agencies, is one of the biggest ever uncovered and has sent security teams around the world scrambling to contain the damage.

The intrusions into networks at Cox Communications and the local government in Pima County, Arizona, show that alongside victims including the U.S. departments of Defence, State, and Homeland Security, the hackers also spied on less high-profile organizations, Reuters reported.

A spokesman for Cox Communications said the company was working “around the clock” with the help of outside security experts to investigate any consequences of the SolarWinds compromise. “The security of the services we provide is a top priority,” he said.

Pima County chief information officer (CIO) Dan Hunt said his team followed U.S. government advice to immediately take SolarWinds software offline after the hack was discovered. He said investigators had not found any evidence of a further breach.

Meanwhile, shares in cyber security companies FireEye, Palo Alto Networks and Crowdstrike Holdings rose on Friday as investors bet that the spate of disclosures from Microsoft Corp and others would boost demand for security technology.