WASHINGTON (Reuters) – Texas-based SolarWinds Corp said the sprawling breach stemming from the compromise of its flagship software product has cost the company at least $18 million in the first three months of 2021.
In preliminary results made public on Tuesday, the company said it spent between $18 million and $19 million in the first quarter of 2021 to investigate and remediate what it described as “the Cyber Incident.”
SolarWinds has been working since December to deal with the fallout of a series of intrusions blamed on Russian hackers across the U.S. government and scores of private companies. In many cases, the hackers compromised their targets by piggybacking on a subverted version of SolarWinds Orion, a widely used network management tool.
SolarWinds has hired cybersecurity company CrowdStrike Holdings Inc and professional services firm KPMG to help it investigate the intrusions. The company said its costs were likely to grow.
“We expect to incur significant legal and other professional services expenses associated with the Cyber Incident in future periods,” it said in a note.
Solarwinds shares gained 2.1% in Tuesday trading on the New York Stock Exchange.
Reporting by Raphael Satter; Editing by Dan Grebler
Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.
Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.
The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.
Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.
Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.
SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it had released an update to fix the exploited software bug in December.
A USDA spokesman acknowledged a data breach had occurred but declined further comment. The FBI declined to comment.
Although the two espionage efforts overlap and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who have investigated the attacks and outside experts who reviewed the code used by both sets of hackers.
While the alleged Russian hackers penetrated deep into SolarWinds network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said.
‘EXTREMELY SERIOUS BREACH’
The side-by-side missions show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.
“Apparently SolarWinds was a high value target for more than one group,” said Jen Miller-Osborn, the deputy director of threat intelligence at Palo Alto Networks’ Unit42. Former U.S. chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product was not unusual. “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one racing car gets an advantage by closely following another’s lead.
The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts investigating alongside the U.S. government.
Reuters could not determine what information the attackers were able to steal from the National Finance Center (NFC) or how deep they burrowed into its systems. But the potential impact could be “massive,” former U.S. government officials told Reuters.
The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department, the former officials said.
Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.” The USDA spokesman said in an email: “USDA has notified all customers (including individuals and organizations) whose data has been affected.”
“Depending on what data were compromised, this could be an extremely serious breach of security,” said Tom Warrick, a former senior official at the U.S Department of Homeland Security. “It could allow adversaries to know more about U.S. officials, improving their ability to collect intelligence.”
The NYT said she had run the NSA’s Russia Small Group, responsible for a pre-emptive strike on Kremlin operatives in 2018.
She is currently head of the agency’s Cybersecurity Directorate.
US intelligence agencies believe Russia was behind the SolarWinds attack, which compromised email accounts at the US Department of Justice as well as giving the perpetrators access to the systems of government agencies, businesses and other organisations worldwide.
The full extent of the attack has yet to emerge.
The Kremlin has denied involvement.
SolarWinds sells a widely used network monitoring tool that was altered to provide the hackers with a backdoor.
Microsoft was among the victims and has confirmed some of its source code – the normally inaccessible instructions behind its software – had been accessed.
“Governments have spied on each other for centuries, it would be naive to think or even ask them to stop,” said Mr Smith in his keynote.
“But we’ve long lived in a world where there were norms and rules that created expectations about what was appropriate and what was not.
“And what happened with SolarWinds was not.
“Why? Because this wasn’t a case of one nation simply trying to spy on or hack its way into a computer network of another.
“It was a mass indiscriminate global assault on the technology supply chain that all of us are responsible for protecting.
“It is a danger that the world cannot afford.”
Security experts needed to learn one of the lessons of the 11 September 2001 terror attacks, which had exposed how different US government agencies had failed to share threat information, Mr Smith said.
“We need to move, as the 9/11 Commission said, from a culture where people only gave others information when they had a need to know,” he said.
“And in the words of that commission, change the culture so that people feel a need to share.”
Mr Smith also said there was a greater need to work together to tackle attacks linked to the Covid crisis.
“We have lived through the biggest pandemic in a century,” he said.
“And what did some people use that pandemic to do?
“To launch cyber-attacks against hospitals, against the public health sector, against the World Health Organization, against the first line of critical responders.
“This too should be off limits.”
Ms Neuberger will now be responsible for trying to persuade US agencies and the country’s wider cyber-security sector to work together against such threats.
In her previous role, she coordinated the response of US government agencies to a flaw her team discovered suspected Russian hackers were using.
“It was really great to see five different cyber-security entities using that to identify other Russian intelligence infrastructure and then take that down,” she told CBS News in August.
Last month, Mr Biden said once the extent of the damage the SolarWinds hack had caused was better known, the US would probably “respond in kind”.
There will be many in the cyber-security industry who nodded along enthusiastically with Brad Smith.
The SolarWinds hack has stunned and terrified the sector – particularly those who make and sell software to protect us from hacks.
The last few weeks have been a nightmare scenario playing out in slow motion as more and more details of the scope and depth of the intrusion have been drip-fed to the public.
For the intelligence community though, at least in private, it’s more of a case of: “Why didn’t we think of that?”
All nations hack each other and supply chain attacks like this -albeit not as successful – have been used in the past for spying or disruption.
Clearly the Biden administration is preparing to respond in some way. But in truth, aside from perhaps a public naming and shaming of the hackers, there is little it can do directly to the perpetrators involved.
What happens behind closed doors is far more significant as cyber-defences will need to be rebuilt and potential offensive retaliation planned.
UK security officials are trying to establish the extent of the impact on the UK of a major hacking campaign that threatened national security in the US.
The attack, using US firm SolarWinds’ Orion platform, was discovered last week but has been going on for months.
A number of organisations, including US government departments, are understood to have been targeted.
A UK security source said “numbers in the UK are small and the organisations are not in the public sector”.
But it’s still early days in the investigation and more details could yet emerge.
What is described as a highly sophisticated cyber espionage operation had been under way for some months before it was spotted.
The access provided through compromising software from SolarWinds appears to have been used to steal data rather than for any disruptive or destructive impact.
It could have allowed the hackers to take a high degree of control over organisation’s networks, but just because someone downloaded the software does not necessarily mean data was taken.
It appears those behind it targeted a narrow set of organisations in an attempt to steal national-security, defence and other related information.
There is no sign that significant theft of large amounts of customer or citizen data was an aim of the operation.
Microsoft and US officials have also suggested there might have been other methods of getting into networks as well as via the compromised SolarWinds update. It is possible the attack could pre-date March, when SolarWinds was first affected.
The UK’s National Cyber Security Centre (NCSC) – an arm of intelligence agency GCHQ – is at the forefront of responding and is working with government and industry to provide advice and investigate what might have been stolen.
“This is a complex, global cyber incident, and we are working with international partners to fully understand its scale and any UK impact,” said NCSC director of operations Paul Chichester.
“The NCSC is working to mitigate any potential risk, and actionable guidance has been published to our website. We urge organisations to take immediate steps to protect their networks – and will continue to update as we learn more.”
‘Large-scale digital espionage’
Microsoft said it had informed at least one UK customer that it had been compromised in a linked attack, but the numbers affected are thought to be small and apparently not government-related, although a risk to national security remains.
A full assessment of the damage in the US as well as the UK may take many months, as experts scour networks for signs of data being stolen.
“Based on what we currently know, this is very large-scale digital espionage of the type that’s been going on for many years,” Ciaran Martin, the former head of the NCSC told the BBC.
“This is an unusually sophisticated compromise. It reinforces the point that securing the supply chain is one of the hardest challenges around,”
US officials have suggested they believe Russia was responsible and the type of high-end espionage operation fits in with past behaviour of Russian hackers.
But neither the US nor UK has yet formally and publicly “attributed” the attack, even though it is clear they believe a nation state was responsible.