SolarWinds Orion: More US government agencies hacked


A growing number of US government agencies have been targeted in a sophisticated hack.

The US Treasury and departments of homeland security, state, defence and commerce were attacked, reports say.

SolarWinds Orion, the computer network tool at the source of the breach, said 18,000 of its 300,000 customers might have been affected.

Many suspect the Russian government is responsible for the attack, but it denied the claims as "baseless".


It is unclear what information has been stolen or exposed in the hack, but the attackers have been monitoring networks since March and were active as recently as Sunday, the Washington Post reports.

The attacks were first revealed by Reuters, identifying breaches at the Treasury and homeland security, the department which manages cyber-security for the US government.

Parts of the defence department were also breached, the New York Times reports, while the Washington Post says that the state department and National Institutes of Health were hacked.

The UK's intelligence agency GCHQ is currently monitoring the situation and has described the compromises as "serious events".

A number of UK government departments and other organisations use SolarWinds, but it's unclear whether they use Orion.

The list of identified victims is expected to grow as more information about the incident emerges.

Media caption: Obama's former director of cyber security warns Radio 4's Today that Russian election hacking is like a 'playbook'

What happened?

SolarWinds Orion's software allows IT staff to remotely access computers on corporate networks.

In a so-called "supply-chain attack", hackers gained access to SolarWinds Orion and then had access to all of its customers' networks.

FireEye, a company that provides US government cyber-security, identified the large-scale campaign after it fell victim to the hackers in a separate attack.

The actors manipulated SolarWinds Orion's software updates to include malware which, once installed, allowed the hackers to monitor its customers' systems, FireEye said.

"We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack," SolarWinds said in a statement on its website.

It urged all users of its Orion platform to update their software immediately for security.

FireEye hack

FireEye's own hacking tools, which are used to carry out fake attacks on its customers, were stolen by the same actors, it said.

By mimicking the behaviour of hackers, it uses these programmes to test the security of different organisations and to advise them on how to fix the vulnerabilities it finds.

Since the discovery, there is evidence that these tools have already been used in 19 countries, including the US, UK and Ireland, said Raj Samani, chief scientist at the cyber-security firm McAfee.


FireEye has now released more than 300 countermeasures to detect the use of its stolen tools and to minimise the potential impact if they are used.

When the experts investigating a cyber-attack downgrade their estimate of the number of people affected, it's normally a good thing.

So when SolarWinds says the number of organisations that could have been spied upon through its products is not the 300,000 initially feared, you'd think it would be cause for slight consolation.

Unfortunately, this is almost completely irrelevant. Like all cyber-attacks, it's not about the quantity of victims but their quality.

You don't get much higher quality targets than US government departments.

The other key number in this hack is eight.

That's how many months it's thought the hackers had access to SolarWinds and could have started to snoop, poke around or steal sensitive material from their customers.

The thing we don't know, and may never know, is what the quality of the information stolen is.

It's unlikely that top-level government communications would have been breached - those are likely to be heavily encrypted and sent on separate systems.

But like any offices, sometimes important operational documents, snippets of information or even the digital keys to other parts of a business are left lying around in places they shouldn't be.

The investigation into this hack will be months long and its consequences could take years to be realised.