China Tied to Separate SolarWinds Espionage Campaign

US Government Payroll Provider Hit, Apparently by Chinese Hackers, Reuters Reports
Data breaches often turn out to be worse than they first appear, as investigators begin probing exactly what happened and when.

The massive SolarWinds supply chain attack, which FireEye identified in December 2020 after tracing back a breach of its own systems that resulted in the theft of its penetration testing tools, has already fit that mold in spades. It now appears that attackers had backdoored SolarWinds' Orion network monitoring software, which was used by 18,000 customers, by last March.

Incident responders have been racing to identify exactly who then got hit with second-stage attacks via the Orion backdoor, dubbed Sunburst, as well as what types of information they may have stolen. Victims are suspected to number in the hundreds, and are known to include Microsoft and Cisco, as well as the U.S. government's Commerce, Energy, Homeland Security, Justice, Labor, State and Treasury departments.

Much about the SolarWinds hack remains unknown, including how attackers first accessed the Texas-based software company's systems, as well as their full MO.

But here's yet another surprise: While SolarWinds has been tied by the U.S. government and many cybersecurity experts to a Russian espionage operation, a new report from Reuters says that suspected Chinese spies also exploited SolarWinds software to help hack at least one government agency.

Specifically, two unnamed individuals with knowledge of the FBI's investigation have told Reuters that infrastructure and hacking tools previously used by Chinese attackers were used to exploit SolarWinds and penetrate multiple targets, including the U.S. Department of Agriculture's federal payroll agency, the National Finance Center.

While that might sound relatively innocuous, the NFC is a U.S. government shared service center for the Office of Personnel Management, stating on its website that it "now services more than 160 diverse agencies, providing payroll services to more than 600,000 federal employees."

Reuters reports that some of the agencies for which the NFC handles payroll have a national security function, "such as the FBI, State Department, Homeland Security Department and Treasury Department," and that it stores such personal information as federal employees' Social Security numbers, phone numbers and personal email addresses, as well as banking information.

The Chinese government has denied any involvement.

OPM Breach Redux?

Chinese intelligence agencies were previously tied by many security experts to the massive hack of the Office of Personnel Management, which came to light in 2015. The breach resulted in the theft of personal information of millions of government employees and retirees. Security experts said the exposed information could have been used to better understand who was working for the U.S. government and in what capacity, as well as for intelligence recruitment, for example, by blackmailing targets.

On the SolarWinds front, the U.S. government has been warning since December 2020 that a second group of hackers also appeared to have been exploiting flaws in the Orion software. But this is the first time that China has been named.

Reuters reports that unlike the Russian operation, which involved planting Sunburst in the SolarWinds software development build pipeline, the allegedly Chinese hackers instead first penetrated victims' networks, and then used an unspecified flaw in SolarWinds software to help them move across the victim's network.

SolarWinds wasn't immediately available for comment, but told Reuters that it had knowledge of another SolarWinds customer having been successfully hacked by a second group of hackers, although it had “not found anything conclusive” about the attacker's identity.

Multiple Flaws Could Have Been Exploited

Numerous flaws that have been discovered in SolarWinds software could potentially have been exploited by hackers.

On Wednesday, Martin Rakhmanov, a Trustwave SpiderLabs security research manager, detailed three vulnerabilities that he discovered in SolarWinds software in late December 2020, which he reported to the vendor. All have now been patched via recent SolarWinds software updates.

Rakhmanov has urged all customers to update, warning that he'll release proof-of-concept execution code on Tuesday. All three of the patched flaws are serious, he says, with one allowing for full remote-code execution capabilities, meaning hackers could exploit it to take full control of a system.

  • SolarWinds Orion platform vulnerability (CVE-2021-25274): Thanks to use of the outdated Microsoft Message Queue functionality, unauthenticated users can send messages allowing them to take full control of a system.
  • SolarWinds Orion Platform vulnerability (CVE-2021-25275): Due to this database security flaw, Rakhmanov says "unprivileged users who can log in to the box locally or via remote desktop protocol will be able to run decrypting code and get a cleartext password" for accountholders, gain complete control of an Orion database, and add themselves as an admin user.
  • SolarWinds Serv-U FTP vulnerability (CVE-2021-25276): Any authenticated Windows user can create an account with unlimited privileges.

"To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any 'in the wild' attacks," Rakhmanov says. "However, given the criticality of these issues, we recommend that affected users patch as soon as possible."

Orion's Microsoft message queue, or MSMQ, used unsecured messaging queues (Source: Trustwave SpiderLabs)

Fresh Hacking Details Keep Emerging

Much about the SolarWinds campaign - or campaigns - remains unclear. Brandon Wales, the acting director of the U.S. Cybersecurity and Infrastructure Security Agency, which is helping probe the attack, last week told the Wall Street Journal that about 30% of the hacking campaign's victims didn’t appear to be SolarWinds customers. To breach their systems, hackers apparently used a variety of other tactics, including password spraying and exploiting flaws in other types of software, including for Microsoft Office 365.

On Tuesday, SolarWinds CEO Sudhakar Ramakrishna told The Wall Street Journal that hackers appear to have first breached some of the company's Office 365 email accounts in December 2019. But he says it remains unclear how they gained further access to the company's networks, and whether that might be tied to an as-yet-undiscovered, earlier intrusion.

Victims of the SolarWinds hack continue to come to light, reinforcing what is already a picture of a campaign with profound national security implications. Among the recently identified victims, for example, is the U.S. circuit court system. AP reports that Russian espionage hackers "probably gained access to the vast trove of confidential information hidden in sealed documents, including trade secrets, espionage targets, whistleblower reports and arrest warrants." As a result, the court system has begun requiring that any sensitive material only be submitted on paper, rather than electronically.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.