The vulnerability behind this weekend's cyber attacks on US government agencies allowed attackers to break into the IT systems of “numerous” governments and companies, warns one of the companies investigating the breaches.
FireEye, a US cyber security company that was itself a victim of the attack, said an unnamed nation-state had successfully used a vulnerability in a widely used but little-known piece of infrastructure software to break into many corporate and government IT systems. The attackers then had the freedom to explore and steal data at will, it added.
The warning, pointing to what could become one of the most devastating cyber security challenges ever, came after news on Sunday that multiple US government agencies had been hit by attacks.
The US National Security Council and the Cybersecurity and Infrastructure Security Agency said they were investigating an attack on government networks, believed to have come from one of the two Russian groups responsible for hacking into the Democratic National Committee before the 2016 election. Security researchers also say the FBI and other law enforcement agencies are involved.
“The United States government is aware of these reports and we are taking all necessary steps to identify and address potential issues related to this situation,” said John Ullyot, a spokesman for the NSC.
On Sunday evening, FireEye said its own investigation had provided evidence that the same security flaw had led to successful attacks on “government, advisory, technology, telecom and extractive agencies in North America, Europe, Asia and the Middle East.” It said it expected “additional casualties in other countries and verticals.”
The unusually widespread nature of the targets stems from the software that was used as the channel for the attack. FireEye said the hackers compromised the software updates of SolarWinds, an American company whose products are widely used to manage large corporate and government networks. Starting in the spring of this year, the attackers used the updates as a “Trojan horse”, inserting their own malware into many IT systems around the world.
The tampered updates created a back door into IT systems that security researchers have dubbed “Sunburst.” In a sign that not all users of the software have been compromised, FireEye and SolarWinds said that each of the breaches carried out through this back door relied on manual, custom attacks.
The US Commerce Department said one of its offices, which Reuters news agency reported to be the National Telecommunications and Information Administration, had been breached and had asked CISA and the FBI to investigate.
CISA said it “worked closely with our agency partners regarding recently discovered activity on government networks” and “provided technical assistance to affected entities.”
The FBI said it was “appropriately engaged,” but declined to comment further. The Treasury, whose systems were also reportedly breached, referred questions back to the NSC.
The Washington Post reported on Sunday that the attack could be traced back to one of two Russian state-sponsored hacking groups that targeted Democratic National Committee servers ahead of the 2016 presidential election, a campaign US intelligence officials said was intended to prevent Hillary Clinton from winning the race.
The group – known as Cozy Bear or APT29 – recently attempted to steal coronavirus vaccine research in the US, UK and Canada, authorities in those countries said in the summer.
Government officials did not comment on a possible link between the group and the latest attacks, but the Pentagon warned earlier this month that Russian state-sponsored hackers were exploiting a vulnerability that allowed them to access government networks.
SolarWinds said in a statement that it was “aware of a possible vulnerability” in updates to some of its products released between March and June this year, and that it was currently involved in an investigation with FireEye, the FBI and other law enforcement agencies.
It added that “this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation-state.”
The company, which has counted many government agencies and corporations among its clients, including all but one of the Fortune 500, did not say how widespread the problems were, or how many of its clients could be exposed.
Last week, FireEye announced that advanced attackers had breached its internal systems and sought data on its government customers, although there was no evidence that customer information had been stolen. However, the hackers stole tools that could be used in attacks on other organizations.