Cybersecurity breach takes in hundreds of thousands of organisations
US issues emergency warning after hackers reported to be Russian weaponise software
The Pentagon warned earlier this month that Russian state-sponsored hackers were targeting a vulnerability that allowed them to access government networks. Photograph: iStock
The US has issued an emergency warning after it emerged that nation-state hackers had managed for several months to weaponise software used by almost all Fortune 500 companies and multiple federal agencies, as well as hundreds of thousands of organisations globally.
The cybersecurity arm of the US department of Homeland Security ordered all federal agencies to disconnect from SolarWinds’ Orion platform, which is used by IT departments to monitor and manage their networks and systems.
FireEye, a leading cybersecurity firm that said it had fallen victim to the hack last week, said it had already found “numerous” other victims including “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East”.
The cybersecurity firm said it believed the hacking campaign “may have begun as early as spring 2020 and is currently ongoing” after hackers managed to insert malware into SolarWinds software updates.
But both FireEye and SolarWinds suggested that the breaches they had discovered so far relied on manual, customised attacks, suggesting that not all of the 275,000 organisations using SolarWinds worldwide had been affected.
In the US the National Security Council (NSC) said it was “taking all necessary steps to identify and remedy any possible issues related to this situation”.
Britain’s National Cyber Security Centre, a branch of signals intelligence agency GCHQ, said on Monday it was “working closely” with FireEye and international partners on the incident, including a full assessment of any UK impact.
Over the weekend the Commerce department confirmed it had a “breach in one of our bureaus” and said it had asked the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate. CISA said it was “providing technical assistance to affected entities” while the FBI said it was “appropriately engaged”.
There were also reports that the US Treasury had been a victim of the breach, but a spokesperson referred questions to the NSC.
The Washington Post reported on Sunday that the attack had been traced to one of two groups of Russian state-backed hacking groups that targeted DNC party servers ahead of the 2016 presidential election, a campaign US intelligence officials believe was aimed at stopping Hillary Clinton from winning the race.
The group – which is known as Cozy Bear or APT29 – has recently made attempts to steal coronavirus vaccine research in the US, UK and Canada, authorities in those countries said over the summer.
Government officials did not comment on the potential link between the group and the latest attacks but the Pentagon warned earlier this month that Russian state-sponsored hackers were targeting a vulnerability that allowed them to access government networks.
SolarWinds said in a statement that it was “aware of a potential vulnerability” in updates to some of its products released between March and June this year, and that it was currently involved in an investigation with FireEye, the FBI and other law enforcement agencies.
It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state”.
The company did not say how widespread the issues were, or how many of its customers might be exposed.
Last week FireEye disclosed that sophisticated attackers had breached its internal systems and targeted the data of its government customers, though there was no evidence that any government information was stolen. However, the hackers did loot tools that could be used in attacks against other organisations. – Copyright The Financial Times Limited 2020