U.S. government agencies hit in massive SolarWinds attack by suspected Russian hackers

U.S. government agencies were attacked as part of a global campaign that delivered malicious code through the legitimate software updates of Austin, Texas-based SolarWinds Corp. The hackers are suspected to be part of a notorious hacking group tied to the Russian government.

Alyza Sebenius, Kartikay Mehrotra, and Michael Riley for Bloomberg News:

The attack included breaches at the U.S. Treasury and Commerce departments and those of other government agencies in an attack that started months ago. The same hacking group is also believed to be behind the recent attack on the cyber-security firm FireEye Inc.

“We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain,” FireEye said in a blog post late Sunday, without naming a specific group for the breach.

FireEye described a highly sophisticated attack that exploited updates in widely used software from Austin, Texas-based SolarWinds Corp., which sells technology products to a Who’s Who list of sensitive targets. These include the State Department, the Centers for Disease Control and Prevention, the Naval Information Warfare Systems Command, the FBI, all five branches of the U.S. military, and 425 corporations out of the Fortune 500, according to the company’s website and government data.

The series of attacks could rank as among the worst in recent memory, though much remains unknown, including the motive and scope of the hacks. The hackers have been monitoring internal email at the U.S. Treasury and Commerce departments, Reuters reported.

All federal civilian agencies were ordered by the U.S. Cybersecurity and Infrastructure Security Agency to review their networks and disconnect or power down SolarWinds’s Orion software products immediately. The emergency directive late Sunday in Washington also asked for an assessment from these agencies by noon eastern time on Monday.

According to FireEye, the hackers hit organizations across the globe — in North America, Europe, Asia and in the Middle East — and in multiple sectors including government, technology, consulting, telecommunications, as well as oil and gas. The company believes that this list will grow.

Christopher Bing for Reuters:

The hack is so serious it led to a National Security Council meeting at the White House on Saturday, said one of the people familiar with the matter.

U.S. officials have not said much publicly beyond the Commerce Department confirming there was a breach at one of its agencies and that they asked the Cybersecurity and Infrastructure Security Agency and the FBI to investigate.

The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

In a statement released late Sunday, the Austin, Texas-based company [SolarWinds] said that updates to its monitoring software released between March and June of this year may have been subverted by what it described as a “highly-sophisticated, targeted and manual supply chain attack by a nation state.”

SolarWinds says on its website that its customers include most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of President of the United States.

“This is a much bigger story than one single agency,” said one of the people familiar with the matter. “This is a huge cyber espionage campaign targeting the U.S. government and its interests.”

Hackers broke into the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said… The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident, who spoke on condition of anonymity because they were not allowed to speak to the press.

The full scope of the breach is unclear. The investigation is still in its early stages and involves a range of federal agencies, including the FBI, according to three of the people familiar with the matter…

There is some indication that the email compromise at NTIA [National Telecommunications and Information Administration] dates back to this summer, although it was only recently discovered, according to a senior U.S. official.
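The Reuters excerpt above describes the mechanism in one sentence: the malicious code rides inside an otherwise legitimate, vendor-signed update. The added example below is a constructed toy model written for this page, not SolarWinds or FireEye code, that shows why a valid signature is not a defense against this class of attack: if the build pipeline is compromised before signing, the trojanized package verifies exactly like a clean one, and only an independent reference (here, a digest of a reproducible build from the audited sources) reveals the difference. The HMAC key stands in for a code-signing certificate, the dict of file bytes stands in for an installer, and all file names and contents are invented.

```python
"""Toy model of a software-update supply-chain compromise.

Constructed example for illustration only. VENDOR_SIGNING_KEY is a stand-in for
a vendor code-signing certificate; the "files" dicts are stand-ins for the
contents of an installer. Nothing here is real SolarWinds code or data.
"""
import hashlib
import hmac
import json

# Assumption: only the vendor's build pipeline holds this key (stand-in for a cert).
VENDOR_SIGNING_KEY = b"vendor-code-signing-key-stand-in"

# Invented sources: what the vendor's engineers reviewed and committed.
CLEAN_SOURCES = {
    "core.dll": b"legitimate business logic",
    "ui.exe": b"legitimate user interface",
}

# Same sources after an attacker inside the build pipeline appends a beacon
# to one component *before* the package is signed.
TROJANIZED_SOURCES = dict(CLEAN_SOURCES)
TROJANIZED_SOURCES["core.dll"] = CLEAN_SOURCES["core.dll"] + b"\n; beacon to attacker C2 (invented)"


def build_package(files):
    """Serialize a set of files deterministically: this is the 'body' of the update."""
    return json.dumps({name: files[name].hex() for name in sorted(files)}).encode()


def sign(package, key):
    """Vendor-side signing step (HMAC-SHA256 standing in for Authenticode-style signing)."""
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def verify_signature(package, signature, key):
    """Customer-side signature check: proves the vendor's key signed it, nothing more."""
    return hmac.compare_digest(sign(package, key), signature)


def vendor_release(sources):
    """The build pipeline: build, then sign whatever was built."""
    package = build_package(sources)
    return package, sign(package, VENDOR_SIGNING_KEY)


def reference_digest(sources):
    """Independent reproducible-build digest computed from the audited sources,
    outside the (possibly compromised) pipeline."""
    return hashlib.sha256(build_package(sources)).hexdigest()


def check_update(package, signature, expected_digest):
    """Returns (signature_ok, matches_reference). Both must be True to trust the update."""
    signature_ok = verify_signature(package, signature, VENDOR_SIGNING_KEY)
    matches_reference = hmac.compare_digest(
        hashlib.sha256(package).hexdigest(), expected_digest
    )
    return signature_ok, matches_reference


def demo():
    """Compare a clean release with a release trojanized before signing."""
    expected = reference_digest(CLEAN_SOURCES)
    clean_pkg, clean_sig = vendor_release(CLEAN_SOURCES)
    bad_pkg, bad_sig = vendor_release(TROJANIZED_SOURCES)
    return {
        "clean": check_update(clean_pkg, clean_sig, expected),        # (True, True)
        "trojanized": check_update(bad_pkg, bad_sig, expected),       # (True, False)
    }


if __name__ == "__main__":
    for name, (sig_ok, ref_ok) in demo().items():
        print(f"{name:10s} signature_ok={sig_ok} matches_reference={ref_ok}")
```

The point of the two result tuples: the trojanized package passes the signature check because the attacker never needed the key, only a position upstream of the signing step. The check that fails is the one the vendor's own pipeline cannot vouch for, a digest produced independently from the sources. In practice that role is played by reproducible builds, out-of-band hash publication, or vendor-supplied indicators such as the ones in FireEye's post, and it is why CISA's directive to disconnect the product rather than merely re-verify its installer was the right immediate response.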

For more information, read FireEye’s blog post: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor.