Hackers used obscure Texas IT vendor to attack US agencies

Following the disclosure of a global cyberespionage campaign that penetrated multiple US government agencies and private organisations, governments and major corporations worldwide are scrambling to see if they, too, were victims. — AP

At the epicenter of the most sprawling cyberattack in recent memory is a two-decade-old, Austin, Texas-based software maker called SolarWinds Corp. While barely known outside geeky tech circles, its customer list boasts of every branch of the US military and four-fifths of the Fortune 500.

Many of those customers found themselves ensnared in the attack because suspected Russian hackers inserted a vulnerability into a popular SolarWinds’ software product, designed to give users a bird’s eye view of the varied web of applications that keep their operations humming.

In a filing to the US Securities and Exchange Commission on Monday, SolarWinds said it believed its monitoring products could have been used to compromise the servers of as many as 18,000 of its customers. Those clients include government agencies around the globe and some of the world’s largest corporations.

The company “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run”, according to the filing. “SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”

SolarWinds fell 17% on Monday and closed at US$19.62 (RM79.73). The company said it has sent mitigation steps to relevant customers and is providing an additional “hotfix” update Dec 15.

APT 29, a hacking group linked to the Russian government, is suspected of being behind the breach. The Department of Commerce was breached, as were the departments of Homeland Security and Treasury, Reuters reported.

The global hacking campaign also included the Dec 8 cyberattack on the cybersecurity firm FireEye Inc.

The Russian Embassy has denied any involvement in the hack, saying that Russia “does not conduct offensive operations in the cyber domain”.

Governments and companies are now racing to determine how such a security disaster materialised, and how it is that an obscure company founded by two brothers in the 1990s now appears to be at the heart of a potentially major Russian intelligence coup.

According to its website, SolarWinds has more than 300,000 customers. Outside the US, SolarWinds has picked up contracts for the UK National Health Service, European Parliament and NATO, according to its website.

The company was founded in Tulsa more than two decades ago by brothers David Yonce and Donald Yonce after they heard friends “griping about a long, specific list of frustrations managing their infrastructures”, according to an article from January on the company’s website. “They were part of the same perennial discussion we all share in tech. ‘Why can’t somebody just make a tool that X?!’ The difference was they decided to do something about it.”

SolarWinds provides network monitoring needs for government agencies and private sector companies, marketing itself on its LinkedIn page as “Everybody’s IT”. SolarWinds has taken down its webpage that details its US government and private-sector clients.

Its Orion product is a powerful and important monitoring tool, allowing computer systems administrators to see the status of a company or organisation’s network at a glance. Because Orion provides information on the entire network, it also has privileged access to sensitive parts of the network.

“It gives you visibility across our entire network and allows you to quickly respond when a server or router goes down,” said Ben Johnson, chief technology officer of Obsidian Security. “But if you’re trying to do global monitoring of systems and traffic, that has very trusted access.”

Hardly a household name, SolarWinds is the number three maker of IT operations software, behind Splunk Inc and International Business Machines Corp, according to data provided by Gartner Inc. SolarWinds’ other main competitors are Cisco Systems Inc and Microsoft.

Hackers penetrated Orion’s update system, introducing malicious code disguised as legitimate Orion updates, according to blog posts by FireEye and Microsoft Corp. The malicious vulnerability existed in updates between March and June, the company said. The hacking tool embedded within the update even stored stolen data within the Orion software as to evade detection, according to FireEye. The result was that hackers could snoop on a company’s network all while appearing as legitimate traffic.

As of mid-day Monday, the malicious update was still available for download on SolarWind’s website, according to Karim Hijazi, founder and chief executive of Prevailion Inc, a Maryland-based cybersecurity firm. Hijazi said his team compared the available download with security alerts identifying the tampered update, and it’s an exact match.

That appears to contradict a statement the company made earlier in the day that Orion products downloaded after June didn’t contain the vulnerability. When asked about continued access to the malicious file, SolarWinds denied the claim and referred a Bloomberg reporter back to the company’s statement to the SEC. Following the email exchange, the web page that previously hosted the malicious software update was taken down, Prevailion said. It now reads, “Not found.”

The number of victims is likely to climb as companies and governments comb their computer systems for traces of the hackers.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” according to FireEye. “We anticipate there are additional victims in other countries and verticals.”

The breadth of the damage caused by the hacking campaign is still unknown. The Russian hackers most likely prioritised the most valuable intelligence targets first, meaning it wouldn’t have had time to penetrate every SolarWinds customer. “Once you’re discovered, that’s when you start to pull everything you can,” Johnson said. “It’s going to be a crazy week.” – Bloomberg

Article type: metered
User Type: anonymous web
User Status:
Campaign ID: 1
Cxense type: free
User access status: 3
Join our Telegram channel to get our Evening Alerts and breaking news highlights

Next In Tech News

US Army private who plotted to kill members of his own unit overseas abandons Internet fantasy chat defence
A US$2 trillion free-fall rattles crypto to the core
US abortion reversal spurs online data fears
Twitter embraces blog mode with a new long-form text option
The crypto-themed restaurant that no longer accepts crypto
Chicago network plans to remodel computing, medicine, cybersecurity
Ordering take-out was a life-saver for this woman
The ugly truth about beauty filters
TikTok promises to stop hidden ads after consumer groups�complain
As rumours of Apple VR�headset swirl, Meta showcases new VR�hardware

Others Also Read