The US government confirmed Wednesday that a massive hack had occurred in at least two federal departments, including the US Treasury and the Department of Commerce.
“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” said a joint statement from the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Office of the Director of National Intelligence (ODNI).
“The FBI is investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors,” the statement said.
Russian hackers are believed to be behind the attack. Hackers were able to monitor internal email traffic at the Treasury and Department of Commerce. Reuters news agency reported earlier this week that people involved with the investigation were concerned that what the hacks have already revealed may just be the tip of the iceberg.
Looking into SolarWinds
Hackers were able to access federal agencies through holes in software from US-based company SolarWinds. The company offered updates to its Orion software in March that unknowingly included hidden malicious code that could give hackers the same views as in-house IT crews. Some 18,000 SolarWinds’ clients are thought to have downloaded the compromised updates.
SolarWinds works with several large multinationals, including many Fortune 500 companies such as McDonald’s, as well as federal government agencies, including the White House. On Sunday, the company began alerting 33,000 of its customers that an “outside nation state” found a back door into the Orion program.
The Department of Homeland Security’s cybersecurity unit said this week that all federal agencies should remove the software.
Shady stock sales?
One of SolarWinds’ customers, cybersecurity firm FireEye, was the first to discover the hack and reported it on December 8. Just one day before, SolarWinds appointed the replacement for its outgoing CEO Kevin Thompson, current PulseSecure CEO Sudhakar Ramakrishna, according to a financial filing.
Also on that Monday, SolarWinds’ two largest investors, which control a majority stake in the company, sold more than $280 million in stock to a Canadian public pension fund. The investors, private equity firms Silver Lake and Thoma Bravo, said in a joint statement that they “were not aware of this potential cyberattack” when they sold the stock.
SolarWinds disclosed the breach six days later.
‘Unimaginable, unfortunate situation’
Rob Oliver, a research analyst who has followed SolarWinds for years, said: “This is an unimaginable, unfortunate situation. SolarWinds products have always been reliable. Its value proposition has been around reliability.”
FireEye said Wednesday that it identified a “killswitch” that prevents malware from operating. While that disables the original back door, it will not prevent hackers from accessing systems where they created different means of entry.
FireEye confirmed other infections across North America, Europe, Asia and the Middle East. Targets have included governments, health care, telecommunications and oil and gas industries. It said it has been informing affected organizations of the situation.
kbd/sms (AP, Reuters)