Eric De Grasse
Chief Technology Officer
14 December 2020 (Paris, France) – The US has issued an emergency warning after discovering that “nation-state” hackers hijacked software used by almost all Fortune 500 companies and multiple federal agencies to gain entry to secure IT systems.
Hundreds of thousands of organisations around the world use SolarWinds’ Orion platform. The US Department of Homeland Security’s cyber security arm ordered all federal agencies to disconnect from the platform, which is used by IT departments to monitor and manage their networks and systems.
FireEye, a leading cyber security company that said it had fallen victim to the hack last week, said it had already found “numerous” other victims including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East”.
The cyber security company said it believed the hacking campaign “may have begun as early as spring 2020 and is currently ongoing” after hackers managed to insert malware into SolarWinds software updates.
But both FireEye and SolarWinds suggested that the breaches they had discovered so far relied on manual, customised attacks, suggesting that not all of the 275,000 organisations using SolarWinds worldwide have been affected.
In the US, the National Security Council (NSC) said it was “taking all necessary steps to identify and remedy any possible issues related to this situation”.
Britain’s National Cyber Security Centre, a branch of signals intelligence agency GCHQ, said on Monday it was “working closely” with FireEye and international partners on the incident, including a full assessment of any UK impact.
Over the weekend, the US Commerce Department confirmed it had a “breach in one of our bureaus” and said it had asked the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate. CISA said it was “providing technical assistance to affected entities” while the FBI said it was “appropriately engaged”.
There were also reports that the US Treasury had been a victim of the breach, but a spokesperson referred questions to the NSC.
The Washington Post reported on Sunday that the attack had been traced to one of two Russian state-backed hacking groups that targeted Democratic National Committee servers ahead of the 2016 presidential election, a campaign US intelligence officials believe was aimed at stopping Hillary Clinton from winning the race.
The group — which is known as Cozy Bear or APT29 — has recently made attempts to steal coronavirus vaccine research in the US, UK and Canada, authorities in those countries said over the summer.
Government officials did not comment on the potential link between the group and the latest attacks but the Pentagon warned earlier this month that Russian state-sponsored hackers were targeting a vulnerability that allowed them to access government networks.
In a statement on Facebook, the Russian embassy in the US said claims of its involvement were “unfounded”, adding: “Russia does not conduct offensive operations in the cyber domain.”
SolarWinds said in a statement that it was “aware of a potential vulnerability” in updates to some of its products released between March and June this year, and that it was currently involved in an investigation with FireEye, the FBI and other law enforcement agencies.
It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state”.
The company did not say how widespread the issues were, or how many of its customers might be exposed.
Last week, FireEye disclosed that sophisticated attackers had breached its internal systems and targeted the data of its government customers, though there was no evidence that any government information was stolen. However, the hackers did loot tools that could be used in attacks against other organisations.