Russia, the prime suspect in the US global cyberespionage campaign, denied involvement. Photo: DPA

SolarWinds breach: how hackers used obscure software maker to attack top US agencies

  • US Homeland Security, thousands of businesses scramble after suspected Russian hack
  • Texas-based tech company SolarWinds was the key stepping stone used by the hackers

At the epicentre of the most sprawling cyberattack in recent memory is a two-decade-old, Austin, Texas-based software maker called SolarWinds. While barely known outside geeky tech circles, its customer list boasts every branch of the US military and four-fifths of the Fortune 500.

Many of those customers found themselves ensnared in the attack because suspected Russian hackers inserted a vulnerability into a popular SolarWinds software product, designed to give users a bird’s-eye view of the varied web of applications that keep their operations humming.

In a filing to the US Securities and Exchange Commission on Monday, SolarWinds said it believed its monitoring products could have been used to compromise the servers of as many as 18,000 of its customers. Those clients include government agencies around the globe and some of the world’s largest corporations.


The company “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run,” according to the filing. “SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”

The US departments of Treasury and Commerce were hit. Photo: AP

The company said it has sent mitigation steps to relevant customers and is providing an additional “hotfix” update on December 15.

APT 29, a hacking group linked to the Russian government, is suspected of being behind the breach. The Department of Commerce was breached, as were the departments of Homeland Security and Treasury, Reuters reported.

The global hacking campaign also included the December 8 cyberattack on the cybersecurity firm FireEye.

The Russian embassy has denied any involvement in the hack, saying that Russia “does not conduct offensive operations in the cyber domain”.

Governments and companies are now racing to determine how such a security disaster materialised, and how it is that an obscure company founded by two brothers in the 1990s now appears to be at the heart of a potentially major Russian intelligence coup.


According to its website, SolarWinds has more than 300,000 customers. Outside the US, SolarWinds has picked up contracts for the UK National Health Service, European Parliament and Nato, according to its website.

The company was founded in Tulsa more than two decades ago by brothers David Yonce and Donald Yonce after they heard friends “griping about a long, specific list of frustrations managing their infrastructures,” according to an article from January on the company’s website. “They were part of the same perennial discussion we all share in tech. ‘Why can’t somebody just make a tool that X?!’ The difference was they decided to do something about it.”

The US Department of Homeland Security was targeted. Photo: AFP

SolarWinds provides network monitoring for government agencies and private sector companies, marketing itself on its LinkedIn page as “Everybody’s IT”. SolarWinds has taken down the webpage that detailed its US government and private-sector clients.

Its Orion product is a powerful and important monitoring tool, allowing computer systems administrators to see the status of a company or organisation’s network at a glance. Because Orion provides information on the entire network, it also has privileged access to sensitive parts of the network.

“It gives you visibility across our entire network and allows you to quickly respond when a server or router goes down,” Ben Johnson, chief technology officer of Obsidian Security said. “But if you’re trying to do global monitoring of systems and traffic, that has very trusted access.”


Hardly a household name, SolarWinds is the number three maker of IT operations software, behind Splunk and International Business Machines (IBM), according to data provided by Gartner. SolarWinds’ other main competitors are Cisco Systems and Microsoft.

Hackers penetrated Orion’s update system, introducing malicious code disguised as legitimate Orion updates, according to blog posts by FireEye and Microsoft. The malicious vulnerability existed in updates released between March and June, the company said. The hacking tool embedded within the update even stored stolen data within the Orion software so as to evade detection, according to FireEye. The result was that hackers could snoop on a company’s network while their activity appeared to be legitimate traffic.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” according to FireEye. “We anticipate there are additional victims in other countries and verticals.”

The breadth of the damage caused by the hacking campaign is still unknown. The Russian hackers most likely prioritised the most valuable intelligence targets first, meaning they would not have had time to penetrate every SolarWinds customer. “Once you’re discovered, that’s when you start to pull everything you can,” Johnson said. “It’s going to be a crazy week.”

This article appeared in the South China Morning Post print edition as: Hackers targeted obscure IT firm to hit powerful agencies