Codecov breach prompts fears of another SolarWinds-style hack

Ryan is a senior editor at TechForge Media with over a decade of experience covering the latest technology and interviewing leading industry figures.


A hack impacting software testing firm Codecov is expected to have resulted in hundreds of networks being compromised, prompting fears of a fallout similar to the recent SolarWinds attack.

Codecov has over 29,000 customers, including companies such as IBM, Procter & Gamble, Hewlett Packard Enterprise, Atlassian, Washington Post, and GoDaddy. The potential scale of the attack has led to a federal investigation.

“We are aware of the claims and we are investigating them,” a spokesperson for Atlassian said. “At this moment, we have not found any evidence that we have been impacted nor have identified signs of a compromise.”

According to Reuters’ sources, the hackers “put extra effort” into using Codecov’s tools to compromise makers of other software development programs. If they were successful, we may still be finding out the full extent of the attack months – if not years – down the line.

“We are investigating the reported Codecov incident and have thus far found no modifications of code involving clients or IBM,” an IBM spokesperson said.

The San Francisco office of the FBI is leading the investigation and notified dozens of suspected victims on Monday.

Codecov said the attackers exploited a flaw in a Docker image creation process to make “periodic, unauthorized” changes to the company’s Bash Uploader script. This tampering enabled the hackers to export customer data to an external server.

The perpetrators of the attack are not yet known. In the case of the SolarWinds attack, the hackers were determined to be part of the Russian state-linked group APT29, aka Cozy Bear.

In February 2021, Microsoft President Brad Smith called the SolarWinds attack “the largest and most sophisticated attack the world has ever seen.”

Codecov’s breach is unlikely to be as sizeable as the SolarWinds hack, but it could be some time before we get an idea of the full picture. Large companies are involved, in some cases each with tens of thousands of customers.

One thing is for sure: the situation once again shows the need to have absolute confidence in all external tools being used for software development.
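
As an added example (not from the article or from Codecov), a CI step can refuse to run a downloaded script, such as an uploader, unless its SHA-256 matches a digest pinned when the script was last reviewed, so an unauthorized upstream change stops the build. The file names and script contents are constructed, and `sha256_of`, `verify_pinned` and `run_if_pinned` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: run a third-party CI script only if it matches a pinned digest.
# All file names and script contents below are constructed for the demonstration.

# Print the SHA-256 of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the pinned value (2 = cannot check).
verify_pinned() {
    file=$1
    pinned=$2
    [ -f "$file" ] || return 2
    actual=$(sha256_of "$file") || return 2
    [ "$actual" = "$pinned" ]
}

# Execute the script only after verification; a download is never piped into a shell.
run_if_pinned() {
    if verify_pinned "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest does not match pin" >&2
        return 1
    fi
}

# Demonstration with a constructed stand-in for a downloaded uploader script.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '#!/bin/sh' 'echo "uploading coverage report"' > "$dir/uploader.sh"
    pin=$(sha256_of "$dir/uploader.sh")   # recorded when the script was reviewed

    first=0;  run_if_pinned "$dir/uploader.sh" "$pin" || first=$?

    # Simulate a change made upstream after the pin was recorded.
    printf '%s\n' 'echo "line added upstream"' >> "$dir/uploader.sh"
    second=0; run_if_pinned "$dir/uploader.sh" "$pin" || second=$?

    rm -rf "$dir"
    echo "$first $second"                 # exit codes of the two runs
}

demo
```

The pin belongs in the repository that owns the pipeline, so changing it goes through the same review as any other code change.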
