Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on US payroll agency – sources

WASHINGTON (Reuters) – Suspected Chinese hackers exploited a bug in software developed by SolarWinds Corp to help break into US government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that US lawmakers have labeled a national security emergency.

FILE PHOTO: A SolarWinds Corp. banner hangs at the New York Stock Exchange (NYSE) on the company’s IPO day in New York, U.S., October 19, 2018. REUTERS / Brendan McDermid

Two people briefed on the case said that FBI investigators recently discovered that the National Finance Center, a federal payroll agency within the U.S. Department of Agriculture, is among the affected organizations, raising fears that data on thousands of government employees could have been compromised.

The software flaw exploited by the suspected Chinese group is separate from the one that the US has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.

Security researchers previously said a second group of hackers was abusing SolarWinds software at the same time as the alleged Russian hack, but the suspected connection to China and the resulting breach of the US government were not previously reported.

Reuters was unable to determine how many organizations were compromised by the alleged Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously used by state-backed Chinese cyber spies.

A USDA spokesman said in an email, “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion code compromise.”

In a statement after the story was published, another USDA spokesman said the NFC had not been hacked and that “there was no breach of SolarWinds data” at the agency. He offered no further explanation.

The Chinese Foreign Ministry said the attribution of cyber attacks is a “complex technical issue” and any allegations should be substantiated. “China strongly opposes and combats all forms of cyber attacks and cyber thefts,” it said in a statement.

SolarWinds said it was aware of a single customer that was compromised by the second set of hackers, but that it “found nothing conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it released an update to fix the flaw in December.

In the case of the only customer it knew of, SolarWinds said the hackers abused the software only once inside the customer’s network. SolarWinds did not say how the hackers first got in, except that it “was in a way unrelated to SolarWinds.”

The FBI declined to comment.

Although the two espionage efforts overlap and both targeted the US government, they were separate and distinctly different operations, according to four people who investigated the attacks and external experts who analyzed the code used by both sets of hackers.

While the alleged Russian hackers penetrated deep into the SolarWinds network and hid a “back door” in Orion software updates, which were then sent to customers, the suspected Chinese group exploited a separate flaw in the Orion code to help them spread within networks they had already compromised, the sources said.

“EXTREMELY SERIOUS VIOLATION”

The overlapping operations show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.

“SolarWinds appears to have been a high-value target for more than one group,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks.

Former US information security officer Gregory Touhill said separate groups of hackers targeting the same software are not uncommon. “It wouldn’t be the first time we’ve seen a nation-state actor drafting behind someone else, it’s like ‘drafting’ in NASCAR,” he said, referring to the way a race car gains an advantage by closely following another driver.

The connection between the second set of attacks on SolarWinds customers and the alleged Chinese hackers was only discovered in recent weeks, according to security researchers working with the US government.

Reuters could not determine what information the attackers may have stolen from the National Finance Center (NFC) or how deep into its systems they got. But the potential impact could be “massive,” former US government officials told Reuters.

The NFC is responsible for managing the payroll of several government agencies, including several involved in national security, such as the FBI, the State Department, the Department of Homeland Security and the Treasury Department, former officials said.

NFC records include federal employee social security numbers, personal phone numbers and email addresses, and banking information. On its website, NFC says it “provides services to more than 160 different agencies, providing payroll services to more than 600,000 federal employees.”

“Depending on what data has been compromised, it could be an extremely serious security breach,” said Tom Warrick, a senior official with the US Department of Homeland Security. “It could allow adversaries to learn more about US officials, improving their ability to gather information.”

Reporting by Christopher Bing and Raphael Satter in Washington, Joseph Menn in San Francisco and Jack Stubbs in London; Additional reporting by Brenda Goh in Shanghai; Edited by Jonathan Weber and Edward Tobin