The US has issued an emergency warning after discovering that “nation-state” hackers hijacked software used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems.
The hackers are believed to have gotten into the servers of companies and government departments by tampering with software updates from SolarWinds. The company has government contracts, including with the military and intelligence services, according to Reuters. The attackers are believed to have used a “supply chain attack” method, which embeds malicious code into legitimate software updates so that it reaches customers through the vendor’s own trusted update channel. The attack focused on the SolarWinds Orion products.
FT reports that the US Department of Homeland Security’s cyber security arm ordered all federal agencies to disconnect from SolarWinds’ Orion platform, which is used by IT departments to monitor and manage their networks and systems. A report on the hack in Reuters says that, according to people familiar with the matter, the hacks uncovered so far may be the tip of the iceberg.
The US establishment has taken the hack seriously, convening a National Security Council meeting at the White House on Saturday. The U.S. Commerce Department confirmed the breach at one of its agencies and said it had asked the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate. The U.S. government has not publicly identified who might be behind the hacking, but a Reuters report says that people familiar with the investigation currently believe Russia is responsible for the attack.
The Washington Post reported on Sunday that the attack had been traced to one of two Russian state-backed hacking groups that targeted Democratic National Committee servers ahead of the 2016 presidential election.
The US National Security Council (NSC) said it was “taking all necessary steps to identify and remedy any possible issues related to this situation”. Britain’s National Cyber Security Centre, a branch of signals intelligence agency GCHQ, said on Monday it was “working closely” with FireEye and international partners on the incident, including a full assessment of any UK impact. If government officials are able to confirm the Russian government as the source of the attack, it would be considered the biggest theft of U.S. government data since a breach in 2014 and 2015, the Times reports.
FireEye, a leading cyber security company which itself fell victim to the hack last week, said it had already found “numerous” other victims including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East”. FireEye said it believed the hacking campaign “may have begun as early as spring 2020 and is currently ongoing” after hackers managed to insert malware into SolarWinds software updates.
SolarWinds has issued a clarification on the hack, saying that the breaches discovered so far relied on manual, customised attacks, which suggests that not all of the 275,000 organisations using its platform worldwide have been affected. In a statement it further said it was “aware of a potential vulnerability” in updates to some of its products released between March and June this year, and that it was currently involved in an investigation with FireEye, the FBI and other law enforcement agencies. It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state”.
SolarWinds has asked all its customers to upgrade immediately to a newer version of the Orion Platform in order to address what it called ‘a security vulnerability’.
The full scope of the breach is unclear, as reports from the US suggest that the investigation is still in its early stages and involves a range of federal agencies, including the FBI. The breach now presents a major challenge to the incoming administration of President-elect Joe Biden, as officials have to determine what information was stolen and what it could be used for. Such large-scale cyber investigations take months or years to complete, and this poses a huge security challenge to the US administration.
Sources told Reuters that there is a huge cyber espionage campaign targeting the U.S. government and its interests. A report in NPR shows how Russian hackers broke into the NTIA’s office software, Microsoft’s Office 365, and monitored staff emails at the agency for months. Microsoft said in a blog post late Sunday, “We believe this is nation-state activity at significant scale, aimed at both the government and private sector.”
Responding to the allegations of masterminding the cyber attack, the Russian foreign ministry in a statement posted on Facebook described the allegations as another unfounded attempt by the U.S. media to blame Russia for cyberattacks against U.S. agencies.