Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources


WASHINGTON (Reuters) – Suspected Chinese hackers exploited a flaw in software created by SolarWinds Corp to help penetrate U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a broad cybersecurity breach that U.S. lawmakers have labeled a national security emergency.

FILE PHOTO: The SolarWinds Corp. is listed on the New York Stock Exchange (NYSE) on the day the company went public in New York, United States, October 19, 2018. REUTERS / Brendan McDermid

Two people briefed on the case said FBI investigators recently discovered that the National Finance Center, a federal payroll management agency within the US Department of Agriculture, was among the organizations affected, raising concerns that data on thousands of government employees has been compromised.

The software flaw exploited by the alleged Chinese group is separate from the one the United States accused Russian government agents of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.

Security researchers have previously said that a second group of hackers was abusing SolarWinds software alongside the alleged Russian hack, but the suspected connection with China and the resulting breach of the US government were not previously reported.

Reuters has not been able to establish the number of organizations compromised by the alleged Chinese operation. The sources, who spoke on condition of anonymity to discuss the ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyber spies.

A USDA spokesperson said in an email, “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion compromise.”

In a follow-up statement after the article’s publication, another USDA spokesperson said that the NFC was not hacked and that “there was no data breach related to Solar Winds” at the agency. He did not provide any further explanation.

China’s Foreign Ministry said attribution of cyber attacks was a “complex technical issue” and any allegation had to be substantiated by evidence. “China resolutely opposes and combats all forms of cyberattacks and cyber-theft,” it said in a statement.

SolarWinds said it was aware of a single customer that had been compromised by the second group of hackers, but had “found nothing conclusive” to show who was responsible. The company added that the attackers did not have access to its own internal systems and that it released an update to fix the bug in December.

In the case of the only customer it was aware of, SolarWinds said hackers only abused its software once inside the customer’s network. SolarWinds did not say how the hackers first entered except to say it was “in a way unrelated to SolarWinds”.

The FBI declined to comment.

Although the two espionage efforts overlap and both target the U.S. government, they were separate and distinct operations, according to four people who investigated the attacks and outside experts who examined the code used by the two groups of hackers.

As the alleged Russian hackers penetrated deep into the SolarWinds network and hid a “backdoor” in Orion software updates that were then sent to customers, the alleged Chinese group exploited a separate bug in Orion code to help spread over already compromised networks, sources said.


The side-by-side missions show how hackers focus on the weaknesses of obscure but essential software products that are widely used by large corporations and government agencies.

“Apparently SolarWinds was a high value target for more than one group,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42.

Former US chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product were not unusual. “It wouldn’t be the first time we’ve seen an actor from a nation-state ride behind someone else, it’s like a NASCAR ‘draft’,” he said, referring to the tactic in which a race car driver gains an advantage by closely following another car.

The link between the second round of attacks on SolarWinds customers and suspected Chinese hackers has only been discovered in recent weeks, according to security analysts investigating alongside the U.S. government.

Reuters could not determine what information the attackers may have stolen from the National Finance Center (NFC) or how deep they buried themselves in its systems. But the potential impact could be “massive,” former US government officials told Reuters.

FILE PHOTO: The SolarWinds logo is seen outside its headquarters in Austin, Texas, USA December 18, 2020. REUTERS / Sergio Flores

The NFC is responsible for managing the payrolls of several government agencies, including several involved in national security, such as the FBI, the State Department, the Department of Homeland Security and the Treasury Department, former officials said.

Records held by the NFC include Social Security numbers of federal employees, personal phone numbers and email addresses, and banking information. On its website, the NFC says it “serves over 160 various agencies, providing payroll services to over 600,000 federal employees.”

“Depending on the data compromised, this could constitute an extremely serious security breach,” said Tom Warrick, a former senior official in the US Department of Homeland Security. “This could allow adversaries to learn more about US officials, thus improving their ability to gather intelligence.”

Reporting by Christopher Bing and Raphael Satter in Washington, Joseph Menn in San Francisco and Jack Stubbs in London; Additional reporting by Brenda Goh in Shanghai; Edited by Jonathan Weber and Edward Tobin
