The US has issued an emergency warning after discovering that “nation-state” hackers hijacked software used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems.
Hundreds of thousands of organisations around the world use SolarWinds’ Orion platform. The US Department of Homeland Security’s cyber security arm ordered all federal agencies to disconnect from the platform, which is used by IT departments to monitor and manage their networks and systems.
FireEye, a leading cyber security company that said it had fallen victim to the hacking campaign last week, said it had already found “numerous” other victims including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East”.
The cyber security company said it believed the hacking campaign “may have begun as early as spring 2020 and is currently ongoing” after hackers managed to insert malware into SolarWinds software updates.
But both FireEye and SolarWinds suggested that the breaches they had discovered so far relied on manual, customised attacks, suggesting that not all of the 275,000 organisations using SolarWinds worldwide had been affected.
In the US, the National Security Council (NSC) said on Monday it was working “to coordinate a swift and effective whole-of-government recovery and response to the recent compromise.”
Jeremy Fleming, head of British signals intelligence agency GCHQ, described the hacks as “serious events” and said his staff were “working at pace” with US partners and the private sector to understand the implications. The National Cyber Security Centre, GCHQ’s defensive cyber arm, is releasing advice for UK organisations which consider themselves at risk.
Over the weekend, the US commerce department confirmed it had a “breach in one of our bureaus” and said it had asked the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate. CISA said it was “providing technical assistance to affected entities” while the FBI said it was “appropriately engaged”.
There were also reports that the US Treasury had been a victim of the breach, but a spokesperson referred questions to the NSC.
The Washington Post reported on Sunday that the attack had been traced to Russian state-backed hacking groups.
Government officials did not comment on the potential link between the group and the latest attacks but the Pentagon warned earlier this month that Russian state-sponsored hackers were targeting a vulnerability that allowed them to access government networks.
Experts agree, however, that the attack was certainly an espionage operation. One person familiar with the investigation said the precision with which US government agencies had been targeted, and the intrusive nature of the software that had been hacked, suggested that the motivation had been to gain intelligence from the heart of the US administration.
“This is classic Russia,” another cybersecurity expert said, adding that it showed a “technical sophistication” indicative of Moscow’s foreign spy service, the SVR.
The Kremlin denied Russia was involved. Dmitry Peskov, President Vladimir Putin’s spokesman, said Russia had “nothing to do” with the attack.
“If the Americans couldn’t do anything about it for several months, then they probably shouldn’t make groundless accusations that the Russians did everything,” Mr Peskov said, according to Interfax.
SolarWinds said in a statement that it was “aware of a potential vulnerability” in updates to some of its products released between March and June this year, and that it was currently involved in an investigation with FireEye, the FBI and other law enforcement agencies.
It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state”.
The company did not say how widespread the issues were, or how many of its customers might be exposed.
Last week, FireEye disclosed that sophisticated attackers had breached its internal systems and targeted the data of its government customers, though there was no evidence that any government information was stolen. However, the hackers did loot tools that could be used in attacks against other organisations.