Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on US payroll agency – sources

WASHINGTON (Reuters) – Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into US government computers last year, five people familiar with the matter told Reuters, marking a new twist on a cybersecurity breach that US lawmakers have labeled a national security emergency.

FILE PHOTO: A SolarWinds Corp. banner hangs at the New York Stock Exchange (NYSE) on the day of the company's IPO in New York, USA, October 19, 2018. REUTERS / Brendan McDermid

Two people briefed on the case said that FBI investigators recently discovered that the National Finance Center, a federal payroll agency within the United States Department of Agriculture, was among the affected organizations, raising concerns that data on thousands of government employees may have been compromised.

The software flaw exploited by the alleged Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company's Orion network monitoring software.

Security researchers had previously said that a second group of hackers was abusing SolarWinds software at the same time as the alleged Russian hack, but the suspected connection to China and the breach of the United States government had not been previously reported.

Reuters was unable to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

A USDA spokesman said in an email, "The USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise."

In a follow-up statement after the story was published, another USDA spokesman said that the NFC was not hacked and that "there was no SolarWinds-related data breach" at the agency. He gave no further explanation.

China's Foreign Ministry said that attributing cyber attacks is a "complex technical issue" and that any allegations must be supported by evidence. "China resolutely opposes and combats any form of cyber attack and cyber theft," the ministry said in a statement.

SolarWinds said it was aware of a single customer who was compromised by the second set of hackers, but "found nothing conclusive" to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it released an update to fix the bug in December.

In the case of the only customer it knew of, SolarWinds said that the hackers only abused its software once they were already inside the customer's network. SolarWinds did not say how the hackers first got in, except to say that it was "in a way that was not related to SolarWinds".

The FBI declined to comment.

Although the two spying efforts overlap and both targeted the United States government, they were separate and distinct operations, according to four people who investigated the attacks and outside experts who reviewed the code used by both sets of hackers.

While the alleged Russian hackers penetrated deep into SolarWinds' network and hid a "back door" in the Orion software updates that were sent to customers, the suspected Chinese group exploited a separate bug in the Orion code to help spread across networks they had already compromised, the sources said.

‘EXTREMELY SERIOUS VIOLATION’

The side-by-side operations show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by large corporations and government agencies.

“Apparently, SolarWinds was a high-value target for more than one group,” said Jen Miller-Osborn, deputy director of threat intelligence for Unit 42 at Palo Alto Networks.

Former US federal chief information security officer Gregory Touhill said that separate groups of hackers targeting the same software product are not uncommon. "It wouldn't be the first time that we've seen a nation-state actor surfing in behind someone else, it's like 'drafting' at NASCAR," he said, referring to the practice in which a race car gains an advantage by closely following another's lead.

The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in the past few weeks, according to security analysts working with the U.S. government on the investigation.

Reuters was unable to determine what information the attackers were able to steal from the National Finance Center (NFC) or how deeply they burrowed into its systems. But the potential impact could be "massive," former US government officials told Reuters.

The NFC is responsible for handling the payroll of several government agencies, including several involved in national security, such as the FBI, Department of State, Department of Homeland Security and Department of the Treasury, former employees said.

The records maintained by the NFC include social security numbers for federal employees, telephone numbers and personal email addresses, as well as bank information. On its website, NFC says it “serves more than 160 diverse agencies, providing payroll services to more than 600,000 federal employees.”

"Depending on what data has been compromised, this could be an extremely serious security breach," said Tom Warrick, a former senior official in the U.S. Department of Homeland Security. "This could allow adversaries to know more about U.S. officials, improving their ability to collect intelligence."

Reporting by Christopher Bing and Raphael Satter in Washington, Joseph Menn in San Francisco and Jack Stubbs in London; Additional reporting by Brenda Goh in Shanghai; Editing by Jonathan Weber and Edward Tobin
