The latest espionage attack on the U.S. government is not limited to the Treasury and Commerce departments. Judging by the agencies that use the software that served as a launchpad for the hacks, the breach could go right to the heart of America’s national security apparatus.
Hackers managed to hide malicious code in a software update for a tool called SolarWinds Orion. It’s typically used to make IT simpler with a single panel for administering various parts of a network. Earlier this year, hackers believed to be sponsored by the Russian government managed to inject malware into Orion updates released between March 2020 and June 2020. According to Reuters, which broke the news Sunday, that allowed the snoops a foothold in customer networks and the ability, at the very least, to spy on emails.
According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users. The Department of Veterans Affairs, which is heavily involved in the U.S. response to Covid-19, is another Orion fan and the biggest spender on the tool in recent years. In August, it renewed its Orion license in a $2.8 million order. The National Institutes of Health, the Department of Energy, the DHS and the FBI are also amongst the many branches of the U.S. government that have previously bought the tool.
Though it’s not clear whether it uses the Orion tool, the DHS’s own Cybersecurity and Infrastructure Security Agency (CISA) is a SolarWinds customer too, having bought $45,000 worth of licenses in 2019. The U.S. Cyber Command also spent over $12,000 on SolarWinds tools in the same year.
SolarWinds, a publicly listed, Austin, Texas-based company valued at over $6 billion, publishes its own customer list, though it doesn’t break down which products each client uses. That list includes more than 425 of the Fortune 500, all major U.S. telecoms providers, the top five U.S. accounting firms, hundreds of global universities, the NSA and the White House.
The immediate impact will be operational. CISA has recommended government civilian agencies stop using SolarWinds Orion. “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA acting director Brandon Wales. “We urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
The attack will likely have a global impact, according to FireEye, which last week was the first to admit being a victim of this vast espionage campaign. The U.K.’s National Cyber Security Centre (NCSC), a branch of the signals intelligence agency GCHQ, said it was monitoring the fallout. It is also recommending that anyone running the SolarWinds system ensure that it is installed behind a firewall and disconnected from the internet.
“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said in a security advisory, in which it asked customers to update to the latest version of Orion.
Infiltrating a major software provider in so-called “supply chain attacks” has proven fruitful for hackers in the past. The infamous NotPetya attacks, in which software sold by Ukrainian accounting program provider MeDoc was “Trojanized,” crippled swathes of companies across the world with ransomware.
Russia, for its part, has denied the attacks on Facebook via its foreign ministry account. “Russia does not conduct offensive operations in the cyber domain,” it claimed.
UPDATE: Reports in Reuters indicated DHS was a victim in the attacks. The DOD declined to comment, though media reports indicate the Pentagon, the National Institutes of Health and the State Department suffered breaches too.
The Department of Veterans Affairs said: “VA is looking into this issue and has not detected any breaches. However, we are taking SolarWinds offline out of an abundance of caution.”
A spokesperson at the FBI added: “The FBI is aware of today’s reporting and is appropriately engaged, however, we decline to comment further.”