Russians hack into software vendor to gain access to US agencies

Treasury, Commerce departments and Fortune 500 corporations attacked by apparent Russian unit through a U.S. software vendor

The Treasury Department was one of at least three government departments hacked by an apparent Russian military unit this year. (CQ Roll Call file photo)
Posted December 14, 2020 at 3:54pm

Russian hackers working for the Kremlin are said to have gained access to top U.S. federal agencies, including the Treasury, Commerce and Homeland Security departments, as well as Fortune 500 companies by breaking into SolarWinds, a provider of network management software to large public and private organizations.

“As we learned in the NotPetya attacks, software supply chain attacks of this nature can have devastating and wide-ranging effects — whether it’s via niche Ukrainian tax software or, as here, network management tools relied upon by some of the world’s largest companies,” Mark Warner, D-Va., the top Democrat on the Senate Intelligence Committee, said in a statement.

Warner was referring to the 2017 attack on Ukraine’s M.E. Doc software, the equivalent of TurboTax or Quicken in the United States, which was hijacked by Russian military hackers who injected malware called NotPetya into the software. The malware spread on its own from computer to computer and leaped across countries, taking down giant corporations such as the shipping company Maersk.

On its now deleted customer list page, SolarWinds said its clients included 425 of the Fortune 500 companies, including Microsoft, Lockheed Martin and Ford Motor Co., as well as all “five branches of the U.S. military,” the Pentagon, Justice Department, State Department, and the “Office of the President of the United States.” 

The company also mentioned the Centers for Disease Control and Prevention, the U.S. Air Force and the Federal Reserve among its customers. The company took down its customer page from its website after news of the attack, but a copy was stored on the Internet Archive.

The latest attack would make Austin, Texas-based SolarWinds the newest in a long line of vendors and suppliers to unwittingly become the low-hanging cybersecurity fruit picked off by capable adversaries. 

In 2011, the security firm RSA, which provided multifactor authentication services to companies and government agencies, was attacked, likely by China. The attackers likely made off with the master key, the algorithm used to generate the random numbers that verified users’ access to computer networks.

“What we are seeing now is attackers pivoting from the attacking of a target they actually want access to into attacking somebody that might be more easy to get to access,” said Randy Watkins, chief technology officer of CriticalStart, a Plano, Texas-based security company. 

In June, the U.S. Secret Service issued a warning that attackers were targeting managed service providers, or MSPs, which are information technology vendors that manage a client’s computer network using remote administration tools. 

“Due to the fact a single MSP can service a large number of customers, cyber criminals are specifically targeting these MSPs to conduct their attacks at scale to infect multiple companies through the same vector,” the Secret Service alert said. 

Attackers also have targeted law firms to gain access to their clients, Watkins said. 

One of the world’s top cybersecurity firms, FireEye, was attacked last week, and tools it used to detect network weaknesses were stolen, the company said. In that case and in the case of the SolarWinds attack, security experts have said the attacks were carried out by the Russian intelligence service called the SVR. The service, also known as APT 29 and Cozy Bear, was behind the 2015 attack on the Democratic National Committee.

The attack on SolarWinds was so critical that the Cybersecurity and Infrastructure Security Agency issued an urgent bulletin Sunday asking all federal agencies to examine their networks to see if they were using older versions of the SolarWinds software called Orion. If they did, they were told to immediately disconnect the software from their computers and “rebuild the Windows operating system and reinstall the SolarWinds software package.” 

Agencies also were asked to block all traffic to and from the Orion software that crossed the boundary of agency networks, and to report by noon on Monday if they found any indicators of compromise.
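As an added illustration of the first two steps in that bulletin (this script is not from the article, CISA or SolarWinds), the following Python triages a software-inventory export: it flags every host running SolarWinds Orion below a remediation version and emits perimeter rules that isolate those hosts in both directions while the rebuild proceeds. The inventory lines, hostnames, IP addresses and the remediation version threshold are constructed placeholders, not figures the article reports.

```python
"""Triage a host inventory for outdated SolarWinds Orion installs.

Added example. The inventory rows, hostnames, addresses and the
REMEDIATED_VERSION threshold are constructed placeholders, not values
from the article or from any vendor advisory.
"""
import csv
import io
import re
from typing import List, Tuple

# Constructed inventory export (hypothetical hosts and addresses).
INVENTORY_CSV = """host,ip,product,version,zone
nms-01.example.gov,10.1.2.10,SolarWinds Orion Platform,2020.2.1,internal
nms-02.example.gov,10.1.2.11,SolarWinds Orion Platform,2020.2.5,internal
build-07.example.gov,10.1.7.30,Visual Studio,16.8,internal
nms-03.example.gov,10.1.9.5,solarwinds orion platform,2019.4 HF5,dmz
"""

# Placeholder threshold: the first build this organisation treats as
# remediated. Substitute the vendor-published fixed version in real use.
REMEDIATED_VERSION = "2020.2.5"


def parse_version(raw: str) -> Tuple[int, ...]:
    """Turn '2019.4 HF5' or '2020.2.1' into a tuple that compares correctly.

    Numeric components are padded to three places and the hotfix number
    ('HF5') is appended, so 2020.2.1 < 2020.2.1 HF1 < 2020.2.5 holds.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)(?:\s*HF(\d+))?\s*$", raw, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {raw!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))      # pad so that 2019.4 == 2019.4.0
    parts.append(int(m.group(2) or 0))   # hotfix number, 0 when absent
    return tuple(parts)


def is_orion(product: str) -> bool:
    """Match the product name case-insensitively; exports vary in casing."""
    name = product.lower()
    return "solarwinds" in name and "orion" in name


def triage(inventory_csv: str, remediated: str = REMEDIATED_VERSION) -> List[dict]:
    """Return the hosts to disconnect: Orion installs below the threshold."""
    threshold = parse_version(remediated)
    flagged: List[dict] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_orion(row["product"]):
            continue
        if parse_version(row["version"]) < threshold:
            flagged.append({k: row[k] for k in ("host", "ip", "version", "zone")})
    return flagged


def perimeter_block_rules(flagged: List[dict]) -> List[str]:
    """Emit iptables statements for the perimeter gateway that drop forwarded
    traffic to and from each flagged host, for review before deployment."""
    rules: List[str] = []
    for h in flagged:
        rules.append(f"# {h['host']} runs Orion {h['version']} ({h['zone']}): isolate pending rebuild")
        rules.append(f"iptables -I FORWARD -s {h['ip']} -j DROP")
        rules.append(f"iptables -I FORWARD -d {h['ip']} -j DROP")
    return rules


if __name__ == "__main__":
    hits = triage(INVENTORY_CSV)
    for h in hits:
        print(f"DISCONNECT {h['host']}: Orion {h['version']} is below {REMEDIATED_VERSION}")
    print("\n".join(perimeter_block_rules(hits)))
```

The version parser is the part worth keeping: vendor build strings mix dotted numbers with hotfix suffixes, and a plain string comparison would rank "2019.4 HF5" above "2020.2.1". The generated rules are deliberately printed rather than applied, so an operator can confirm each address against the inventory before the isolation goes live.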

In a statement posted on Twitter, SolarWinds said that of the 33,000 customers who used the Orion software, about 18,000 had installed the compromised version of the software. The company said it has more than 300,000 customers around the world.

The news of the cyberattack was first reported by Reuters, which on Monday added that the Department of Homeland Security also was affected. 

The latest attack attributed to the Russian intelligence service raises questions about the U.S. Cyber Command’s so-called Defend Forward mission, according to Jack Goldsmith, a former assistant attorney general in the George W. Bush administration. 

While the Cyber Command has said it has used its tools and techniques to stop Moscow’s election interference in the 2018 midterms and the 2020 election, “the strategy did not prevent the Russia breach,” Goldsmith wrote in the Lawfare blog. 

Goldsmith also cautioned that while attacks on U.S. agencies and companies get headline news coverage, similar U.S. cyberattacks on foreign targets go unmentioned. 

“The public in the United States receives asymmetric information about the cyber-exploitations of our adversaries,” Goldsmith wrote. But they don’t hear much about U.S. breaches of adversaries, he said.

“Knowledge of what the U.S. government is doing in this realm is necessary to assess, among other things, whether the current posture of U.S. activity in foreign networks is optimal,” he wrote. The United States may have to engage adversaries and agree to some restraints on attacking each other, Goldsmith said.