Exclusive: Suspected Chinese hackers used the SolarWinds bug to spy on US payroll sources

WASHINGTON (Reuters) – Suspected Chinese hackers took advantage of a flaw in software created by SolarWinds Corp to help break into US government computers last year, five people familiar with the case told Reuters, marking a new twist in a sprawling cybersecurity breach that US lawmakers have labeled a national security emergency.

FILE PHOTO: SolarWinds Corp. banner hangs on the New York Stock Exchange (NYSE) on the company’s IPO day in New York, US, Oct. 19, 2018. REUTERS / Brendan McDermid

Two people briefed on the matter said FBI investigators recently discovered that the National Finance Center, a federal payroll agency within the U.S. Department of Agriculture, was one of the affected organizations, raising fears that data on thousands of government employees may have been compromised.

The software flaw exploited by the alleged Chinese group is separate from the one that the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.

Security researchers have previously said that a second group of hackers exploited SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and the subsequent breach against the US government have not been previously reported.

Reuters could not determine how many organizations had been compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computing infrastructure and hacking tools previously deployed by state-backed Chinese cyber spies.

A USDA spokesperson said in an email, “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise.”

In a follow-up statement after the story was published, another USDA spokesperson said the NFC had not been hacked and that “there was no data breach related to Solar Winds” at the agency. He gave no further explanation.

China’s Foreign Ministry said that attributing cyber attacks is a “complex technical issue” and that all allegations must be backed up with evidence. “China resolutely opposes any form of cyber attacks and cyber theft,” it said in a statement.

SolarWinds said it was aware of a single customer compromised by the second group of hackers, but found “nothing conclusive” to reveal who was responsible. The company added that the attackers did not gain access to its own internal systems and that it had released an update in December to fix the bug.

In the case of the one customer it knew about, SolarWinds said the hackers only exploited the software once inside the customer’s network. SolarWinds did not say how the hackers first got in, other than to say it was “in a way unrelated to SolarWinds.”

The FBI declined to comment.

While the two espionage efforts overlap and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who investigated the attacks and outside experts who reviewed the code used by both groups of hackers.

While the alleged Russian hackers penetrated deep into the SolarWinds network and hid a ‘back door’ in Orion software updates that were then sent to customers, the alleged Chinese group took advantage of a separate bug in Orion’s code to spread across networks they had already compromised, the sources said.

‘EXTREMELY SERIOUS INFRINGEMENT’

The side-by-side missions show how hackers focus on weaknesses in obscure but essential software products widely used by large corporations and government agencies.

“Apparently, SolarWinds was a valuable target for more than one group,” said Jen Miller-Osborn, deputy director of Threat Intelligence at Unit 42 of Palo Alto Networks.

Former US Chief Information Security Officer Gregory Touhill said separate groups of hackers targeting the same software product are not uncommon. “It wouldn’t be the first time we see a nation-state actor coming in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one race car gains an advantage by closely following another.

The link between the second wave of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts who were investigating alongside the US government.

Reuters could not determine what information the attackers could steal from the National Finance Center (NFC) or how deeply they had burrowed into its systems. But the potential impact could be “huge,” former US government officials told Reuters.

The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department, the former officials said.

The NFC’s records include federal employees’ social security numbers, phone numbers, and personal email addresses, as well as bank information. On its website, the NFC says it “serves more than 160 different agencies and provides payroll to more than 600,000 federal employees.”

“Depending on the data compromised, this could be a very serious security breach,” said Tom Warrick, a former senior official in the US Department of Homeland Security. “It could enable opponents to learn about US officials, improving their intelligence-gathering ability.”

Reporting by Christopher Bing and Raphael Satter in Washington, Joseph Menn in San Francisco and Jack Stubbs in London; Additional reporting by Brenda Goh in Shanghai; Edited by Jonathan Weber and Edward Tobin
