The security breach behind the cyberattacks on US government agencies disclosed over the weekend has allowed attackers to break into the computer systems of “many” governments and businesses, one of the groups investigating the breach has warned.
FireEye, a US cybersecurity company that itself fell victim to the attack, said an unnamed nation-state had used widely deployed but little-known infrastructure software to penetrate many corporate and government computer systems. Once inside, the attackers were free to explore and steal data at will, it added.
The warning, indicating what could become one of the most devastating cybersecurity failures on record, came in the wake of Sunday’s announcement that several US government agencies had been attacked.
The United States National Security Council and the Cybersecurity and Infrastructure Security Agency (CISA) said they were investigating an attack on government networks believed to have come from one of the two Russian groups responsible for the hack of the Democratic National Committee ahead of the 2016 election. The FBI and other law enforcement agencies were also involved in the investigation, security researchers said.
“The United States government is aware of these reports and we are taking all necessary steps to identify and remedy any problems associated with this situation,” said John Ullyot, spokesperson for the NSC.
On Sunday evening, FireEye said its own investigations had found evidence that the same security breach had led to successful attacks against “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” It said it expected “additional victims in other countries and verticals.”
The unusually widespread nature of the targets stems from the software that was used as a conduit for the attack. FireEye said the hackers had compromised software updates produced by SolarWinds, a US company whose network-management software is widely used to run large corporate and government networks. As early as the spring of this year, the attackers used those updates as a “Trojan horse”, inserting their own malicious code into numerous computer systems around the world.
The malicious code created a backdoor, which security researchers dubbed “Sunburst”, in every system that installed the tampered update. But in a sign that not all users of the software were compromised, FireEye and SolarWinds said each of the breaches relied on manual, customised follow-on attacks: installing the backdoored update gave the attackers a foothold, but they chose which victims to pursue further.
The US Department of Commerce said one of its bureaus, which Reuters reported was the National Telecommunications and Information Administration, had been compromised and that it had asked CISA and the FBI to investigate. The Treasury, whose systems were also reportedly breached, referred questions to the NSC.
CISA said it was “working closely with our partner agencies regarding recently discovered activities on government networks” and “providing technical assistance to affected entities”.
Late on Sunday, the agency also issued an emergency directive calling on federal agencies to examine their networks for any evidence of compromise and to immediately disconnect affected SolarWinds products.
The FBI said it was “appropriately engaged” but declined to comment further.
The Washington Post reported on Sunday that the attack had been attributed to one of the two Russian state-backed hacking groups that targeted DNC servers ahead of the 2016 presidential election, a campaign that US intelligence officials believed was aimed at preventing Hillary Clinton from winning the race.
The group – known as Cozy Bear or APT29 – recently attempted to steal coronavirus vaccine research in the US, UK and Canada, authorities in those countries said over the summer.
Government officials have not commented on the group’s potential link to the latest attacks, but the Pentagon warned earlier this month that Russian state-sponsored hackers were exploiting a vulnerability that gave them access to government networks.
SolarWinds said in a statement that it was “aware of a potential vulnerability” in updates to some of its products released between March and June of this year, and that it was cooperating with FireEye, the FBI and other law enforcement agencies in an investigation.
It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state.”
The company, which lists numerous government agencies and businesses among its clients, including all but one of the Fortune 500 companies, did not say how extensive the problem was or how many of its clients might be exposed.
Last week, FireEye disclosed that sophisticated attackers had breached its internal systems and sought information on its government clients, although there was no evidence that government information had been stolen. The hackers did, however, steal FireEye’s own offensive security tools, which could be used in attacks against other organisations.