A Russian intelligence service is suspected of being behind a sustained cyber campaign against multiple U.S. government agencies, carried out by compromising a piece of software from SolarWinds.
SolarWinds, the Texas-based, NYSE-listed company that provides the widely used network monitoring software Orion Platform, filed a Form 8-K at the SEC, admitting that “a cyberattack that inserted a vulnerability within its Orion monitoring products” has taken place, as a result of “a highly sophisticated, targeted and manual supply chain attack by an outside nation state”.
While SolarWinds said it has not “independently verified the identity of the attackers”, sources told The Washington Post that the Russian hacker group nicknamed APT29 or Cozy Bear, which is part of Russia’s foreign intelligence service, the SVR, is likely behind the attacks.
According to SolarWinds’s investigation, the breach happened between March and June this year, when the hackers managed to acquire superuser access to SolarWinds software updates released during this period. The hackers could then gain privileged access to customers’ networks and spy on them unnoticed. SolarWinds said fewer than 18,000 of its customers have been affected.
According to Bloomberg, the compromised American government agencies included the Departments of Defense, State, Treasury, Energy, Homeland Security, and Commerce, as well as the National Nuclear Security Administration, though officials told Bloomberg that “the malware was isolated to business networks and didn’t affect national security functions.”
In the latest development, Microsoft said it has also found the malicious software in its environment, though its spokesman reassured customers that it has been “isolated and removed”. In a blog post, Brad Smith, Microsoft’s President, said that Microsoft’s Defender Anti-Virus software has identified customers who installed compromised SolarWinds software, which has “created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.”
More than 80% of the Microsoft customers that the attackers have compromised, who number over 40 according to Smith, are located in the US; the rest are in Canada, Mexico, Belgium, Spain, the UK, Israel, and the UAE.
Russia denied the allegations. “We declare responsibly: malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations. Russia does not conduct offensive operations in the cyber domain,” the Russian embassy in the US said on Facebook, as quoted by the news agency TASS.