Exclusive: Alleged Chinese hackers used SolarWinds bug to spy on US payroll agency – sources

WASHINGTON (Reuters) – Alleged Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.

FILE PHOTO: The SolarWinds Corp banner hangs on the New York Stock Exchange (NYSE) on the day of the company’s IPO in New York, U.S., October 19, 2018. REUTERS / Brendan McDermid

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency within the U.S. Department of Agriculture, was among the organizations affected, and feared that the data of thousands of government employees may have been compromised.

The software bug exploited by the alleged Chinese group is different from the one the United States accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network management software.

Security researchers have previously said that a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and the resulting breach of the U.S. government have not been previously reported.

Reuters was unable to establish how many organizations were compromised in the alleged Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

A USDA spokesman said in an email: “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion code compromise.”

In a follow-up statement after the story was published, a second USDA spokesman said the NFC was not hacked and that “there was no data breach related to SolarWinds” at the agency. He provided no further explanation.

The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and that any allegations should be supported by evidence. “China firmly opposes and combats any form of cyberattack and cyber theft,” it said in a statement.

SolarWinds said it was aware of a single customer that was compromised by the second group of hackers, but that it “had found nothing conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it released an update to fix the bug in December.

In the case of the one customer it knew of, SolarWinds said the hackers only abused its software once they were already inside the customer’s network. SolarWinds did not say how the hackers got in, except that it was “in a way that was not related to SolarWinds.”

The FBI declined to comment.

Although the two espionage efforts overlapped and both were directed at the U.S. government, they were separate and clearly different operations, according to four people who have investigated the attacks and external experts who reviewed the code used by both sets of hackers.

While the alleged Russian hackers penetrated deep into SolarWinds’ network and hid a “back door” in Orion software updates that were later sent to customers, the alleged Chinese group exploited a separate bug in Orion’s code to help them spread across networks they had already compromised, the sources said.

“EXTREMELY SERIOUS BREACH”

The parallel campaigns show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.

“Apparently, SolarWinds was a high-value target for more than one group,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42.

Former U.S. chief information security officer Gregory Touhill said it was not uncommon for separate groups of hackers to target the same software product. “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else; it’s like ‘drafting’ in NASCAR,” he said, where a race car gains an advantage by closely following another car.

The connection between the second group of attacks on SolarWinds customers and alleged Chinese hackers was only discovered in recent weeks, according to security analysts investigating alongside the U.S. government.

Reuters was unable to determine what information the attackers were able to steal from the National Finance Center (NFC) or how deeply they burrowed into its systems. But the potential impact could be “massive,” former U.S. government officials told Reuters.

The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, the State Department, the Department of Homeland Security and the Treasury Department, former officials said.

NFC records include federal employees’ Social Security numbers, personal phone numbers and email addresses, as well as banking information. On its website, the NFC says it “serves more than 160 diverse agencies, providing payroll services to more than 600,000 federal employees.”

“Depending on the data that was compromised, this could be an extremely serious security breach,” said Tom Warrick, a former senior U.S. Department of Homeland Security official. “It could allow adversaries to know more about U.S. officials, improving their ability to gather intelligence.”

Reporting by Christopher Bing and Raphael Satter in Washington, Joseph Menn in San Francisco, and Jack Stubbs in London; Additional reporting by Brenda Goh in Shanghai; Editing by Jonathan Weber and Edward Tobin