Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources

WASHINGTON (Reuters) – Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the investigation told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have called a national security crisis.

FILE PHOTO: The SolarWinds Corp. banner hangs at the New York Stock Exchange (NYSE) on the day of the company’s IPO in New York, U.S., October 19, 2018. REUTERS / Brendan McDermid

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.

The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.

Security researchers have previously said a second group of hackers was abusing SolarWinds software at the same time as the alleged Russian operation, but the suspected connection to China and the resulting U.S. government breach have not been reported before.

Reuters was unable to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and that any allegation should be backed by evidence. “China strongly opposes and fights any form of cyberattacks and cyber theft,” it said in a statement.

SolarWinds said it was aware of a single customer that had been compromised by the second set of hackers, but that it had “not found anything conclusive” to show who was responsible. The company said the attackers did not gain access to its own internal systems, and that it had released an update in December to fix the bug in use.

A USDA spokesman acknowledged that a data breach had occurred but declined to comment further. The FBI declined to comment.

Although the two espionage efforts overlapped and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who have investigated the attacks and outside experts who reviewed the code used by both sets of hackers.

While the alleged Russian hackers penetrated deep into SolarWinds’ network and hid a “back door” in Orion software updates that were then shipped to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help move across networks they had already compromised, the sources said. In other words, one was a supply-chain compromise that delivered the implant to every customer who installed the update, while the other required prior access to a victim’s network and used the Orion flaw to spread further.

‘HIGH VALUE TARGET’

The side-by-side operations show how hackers are focusing on vulnerabilities in obscure but essential software that is widely used by major corporations and government agencies.

“SolarWinds appeared to be a high value target for more than one organization,” said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks’ Unit 42. Former U.S. chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product was not unusual. “This isn’t the first time we’ve seen a nation-state actor surf in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one race car gains an advantage by closely following another’s lead.

The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts working with the U.S. government.

Reuters could not determine what information the attackers may have stolen from the National Finance Center (NFC) or how deep they burrowed into its systems. But the potential impact could be “enormous,” former U.S. government officials told Reuters.

The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, the State Department, the Department of Homeland Security and the Treasury Department, the former officials said.

Records held by the NFC include federal employee Social Security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC states that it “serves more than 160 diverse organizations, providing payroll services to more than 600,000 Federal employees.” A USDA spokesman said in an email: “USDA has contacted all customers (including individuals and organizations) affected by the data breach.”

“Depending on what data was compromised, this could be a real security breach,” said Tom Warrick, a former official at the U.S. Department of Homeland Security. “It could allow enemies to find out more about U.S. officials, improving their ability to gather intelligence.”

Reporting by Christopher Bing and Raphael Satter in Washington, Joseph Menn in San Francisco, and Jack Stubbs in London; Additional reporting by Brenda Goh in Shanghai; Editing by Jonathan Weber and Edward Tobin