According to new reports, a separate group of hackers is thought to have exploited a software flaw in SolarWinds’ products to break into U.S. government computers last year.
Reuters, citing sources familiar with the investigations, reported Tuesday that suspected Chinese hackers used SolarWinds to hack into the National Finance Center, a federal payroll agency within the U.S. Department of Agriculture.
This software flaw is separate from the supply chain attack that the U.S. believes was carried out at the behest of the Russian government, leading to the compromise of up to 18,000 SolarWinds customers, including several U.S. agencies.
Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.
Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
Reuters reported conflicting information, citing a USDA spokesman who said customers had been notified about data affected by the compromise, but another spokesman said the National Finance Center was not compromised.
Chinese officials have downplayed these claims, and SolarWinds says it is aware of a single customer that was compromised by the second set of hackers but couldn’t conclusively place blame. SolarWinds added that the attackers did not gain access to its own internal systems and that it released an update to fix the bug in December.
These attacks are separate, and the Russian attack still appears to be much deeper and more concerning. According to Reuters’ sources, the suspected Chinese group exploited a bug in Orion’s code to spread across networks that were already compromised.
Just scratching the surface
This comes as new revelations about the deep compromise of the SolarWinds Orion platform come to light. According to the Wall Street Journal, evidence is emerging that attackers had access to SolarWinds’ Office 365 email system since December 2019.
The hackers had accessed at least one of the company’s Office 365 accounts by December 2019, and then leapfrogged to other Office 365 accounts used by the company, [CEO] Sudhakar Ramakrishna said in an interview Tuesday. “Some email accounts were compromised. That led them to compromise other email accounts and as a result our broader [Office] 365 environment was compromised,” he said.
However, it remains possible that the hackers had access to the company’s Office 365 accounts even earlier than thought, using it as the launch point for further compromise of SolarWinds’ systems.
Investigators are trying to determine how widespread the damage has been. So far only several dozen victims have been identified, but the attack could have ultimately affected close to 18,000 of the company’s customers.
The internal investigation has involved searching through tens of terabytes of logfiles and other data in an effort to retrace the steps of a hacking operation that went undetected for more than a year, Mr. Ramakrishna said. “We have been evaluating mountains of data,” he said.
Ultimately the response to the incident will end up costing SolarWinds millions of dollars, said Mr. Ramakrishna, who had been pegged as SolarWinds’ next chief executive when the hack was discovered, but didn’t start at the company until Jan. 4.
“My attitude was to come in and assess first and figure out what we needed to do,” he said. Since taking over, Mr. Ramakrishna has revamped the company’s software development processes and brought in outside cybersecurity experts to help respond to the breach, including Chris Krebs, formerly the Department of Homeland Security’s top cybersecurity official, and Alex Stamos, formerly Facebook’s chief security officer.
This sentiment squares with what cybersecurity experts have been saying since this was discovered: there are likely multiple initial intrusion vectors and the deep compromise of SolarWinds’ products may just be the tip of a very large iceberg. Several cybersecurity companies like FireEye have disclosed that they were attacked, and Microsoft has said the hackers viewed internal source code.
We’re likely to hear about more victims and deeper compromises in the coming weeks and months.
New vulnerabilities discovered in SolarWinds’ Orion
In a blog post, cybersecurity company Trustwave said it discovered three vulnerabilities in SolarWinds platforms, including two in the Orion product. All three were labeled severe, with the most dangerous one allowing remote code execution with high privileges.
However, none of the vulnerabilities were exploited as part of the large-scale supply chain attacks.
According to the company, the most severe vulnerability in Orion (CVE-2021-25274) could allow any remote, unprivileged user to execute arbitrary code with the highest privileges.
The other Orion vulnerability (CVE-2021-25275) has to do with credentials being stored in an insecure manner that could allow any local user, regardless of privileges, to take complete control of the SOLARWINDS_ORION database. This could allow an attacker to steal information or add a new admin-level user for use inside the Orion products.
Another vulnerability is in the SolarWinds Serv-U FTP for Windows (CVE-2021-25276), which could give any local user the ability to create a file that can define a new Serv-U FTP admin account with full access to the C:\ drive. The account can then be used to log in via FTP and read or replace any file on the drive.
SolarWinds has patched these vulnerabilities, and none were exploited in the wild, according to Trustwave.