In one of the most audacious hacks in recent memory, U.S. government agencies were attacked as part of a global campaign that inserted a vulnerability in the software updates of a U.S. company. Hackers tied to the Russian government are suspected in the campaign, which also included a recent breach on the cyber-security firm FireEye Inc.
The Department of Homeland Security was among the agencies breached, in addition to the Treasury and Commerce departments, Reuters reported.
The highly sophisticated attack targeted updates in widely used software from Austin, Texas-based SolarWinds Corp., which sells technology products to a Who’s Who list of sensitive targets. These include the State Department, the Centers for Disease Control and Prevention, the Naval Information Warfare Systems Command, the FBI, all five branches of the U.S. military, and 425 corporations out of the Fortune 500, according to the company’s website and government data.
SolarWinds said in an SEC filing Monday that as many as 18,000 customers may have been exposed to the cyber-attack, in which hackers “inserted a vulnerability within its Orion monitoring products.” The company said it alerted relevant customers and provided mitigation steps, including a “hotfix” update. A second update is expected to be released on Dec. 15, the company said.https://buy.tinypass.com/checkout/template/cacheableShow?aid=IHFDsFInrJ&templateId=OTG03N7QM6VQ&offerId=fakeOfferId&experienceId=EX6ZVLP2LDL4&iframeId=offer_1df5c8fa8b968e53fd8a-0&displayMode=inline&widget=template
“SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited,” according to the filing. Orion products represented 45% of the company’s revenue during the first nine months of year.
The series of attacks could rank as among the worst in recent memory, though much remains unknown, including the motive and scope of the hacks.
“We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain,” FireEye said in a blog post late Sunday, without naming a specific group for the breach.
FireEye told clients on Sunday that it was aware of at least 25 entities hit by the attack, according to people briefed by the company.
John Ullyot, a spokesman for the National Security Council, said in a statement, “The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any possible issues related to this situation.”
All federal civilian agencies were ordered by the U.S. Cybersecurity and Infrastructure Security Agency to review their networks and disconnect or power down SolarWinds’s Orion software products immediately. The emergency directive late Sunday in Washington also asked for an assessment from these agencies by noon eastern time on Monday.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” Acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”
The U.K. National Cyber Security Centre is also examining possible threats from the campaign. “The NCSC is working closely with FireEye and international partners on this incident,” said a spokesperson in an emailed statement. “Investigations are ongoing, and we are working extensively with partners and stakeholders to assess any U.K. impact.”
Kremlin spokesman Dmitry Peskov rejected allegations of Russian involvement, saying, “If there were attacks over a period of months and the Americans couldn’t do anything about it, there’s no need to immediately blame the Russians for everything without basis.”Paid PostWhere Deep Capital Markets and Top Talent Converge in APACBrand Hong Kong
According to FireEye, the hackers hit organizations across the globe — in North America, Europe, Asia and in the Middle East — and in multiple sectors including government, technology, consulting, telecommunications, as well as oil and gas. The company believes that this list will grow.
“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye said in the blog post. “Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020.”
All this suggests that as the U.S. government was focused over the last several months on detecting and countering possible Russian interference in the U.S. presidential election — an effort that was largely viewed as successful — suspected Russian hackers were quietly working their way into the computer networks of American government agencies and sensitive corporate victims undetected.
“If it is cyber espionage, it is one of the most effective cyber espionage operations we’ve seen in quite some time,” said John Hultquist, a senior director at FireEye.
SolarWinds issued a statement appearing to confirm that the software update system for one of its products had been used to send malware to customers.
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products. We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” SolarWinds President and Chief Executive Officer Kevin Thompson said in the statement Sunday evening.
Thompson said his company was working with the FBI as well as others on the investigation. The FBI said it’s “appropriately engaged,” declining further comment.
The hackers appear to have concentrated on the most attractive and sensitive targets first, so that the harm suffered by various victims may vary widely, according to two people briefed on the probe, who asked not to be identified because the information isn’t public.
The quickly broadening investigation broke into public view on Dec. 8 when FireEye announced that it had been breached in a highly sophisticated attack that it attributed to hackers backed by U.S. adversaries.