(Reuters) — Hackers who tampered with a software development tool from a company called Codecov used that program to gain restricted access to hundreds of networks belonging to the San Francisco firm’s customers, investigators told Reuters.
Codecov makes software auditing tools that allow developers to see how thoroughly their own code is being tested, a process that can give the tool access to stored credentials for various internal software accounts.
The attackers used automation to rapidly copy those credentials and raid additional resources, the investigators said, expanding the breach beyond the initial disclosure by Codecov on Thursday.
The hackers put extra effort into using Codecov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM, one of the investigators said on condition of anonymity.
The person said both methods would allow the hackers to potentially gain credentials for thousands of other restricted systems.
IBM and other companies said their code had not been altered but did not address whether access credentials to their systems had been taken.
“We are investigating the reported Codecov incident and have thus far found no modifications of code involving clients or IBM,” an IBM spokesperson said.
The FBI’s San Francisco office is investigating the compromises, and dozens of likely victims were notified on Monday. Private security companies were already beginning to respond to assist multiple clients, employees said.
Codecov did not respond to Reuters’ request for comment on Monday.
Security experts involved in the case said the scale of the attack and the skills needed to execute it compared to last year’s SolarWinds attack. The compromise of that company’s widely used network management program allowed hackers inside nine U.S. government agencies and about 100 private companies.
It is unclear who is behind the latest breach or if they are working for a national government, as was the case with SolarWinds.
Others among Codecov’s 19,000 customers, including big tech services provider Hewlett Packard Enterprise, said they were still trying to determine if they or their customers had been affected.
“HPE has a dedicated team of professionals investigating this matter, and customers should rest assured we will keep them informed of any impacts and necessary remedies as soon as we know more,” said HPE spokesperson Adam Bauer.
Even Codecov users who had seen no evidence of hacking were taking the breach seriously, a corporate cybersecurity official told Reuters. He said his company was busy resetting its credentials and that his counterparts elsewhere were doing the same, as Codecov recommended.
Codecov earlier said hackers began tampering with its software on January 31. The hack was only detected earlier this month, when a customer raised concerns.
Codecov’s website says its customers include consumer goods conglomerate Procter & Gamble, web hosting firm GoDaddy, the Washington Post, and Australian software firm Atlassian. Atlassian said it had not yet seen any impact or signs of a compromise.
The Department of Homeland Security’s cybersecurity arm and the FBI declined to comment.