Security teams moved to contain the fallout of a widespread cyberattack by suspected Russian hackers, who have been able to spy on the customers of U.S. information technology company SolarWinds unnoticed for more than eight months, Reuters reported.
The U.S. Department of Homeland Security issued an emergency warning on Sunday, ordering users to disconnect and disable SolarWinds software which it said had been compromised by “malicious actors.”
The U.S. warning came after Reuters reported that suspected Russian hackers had used hijacked software updates to break into multiple American government agencies, including the Treasury and Commerce departments.
Russia denied having any connection to the attacks.
Kremlin spokesman Dmitry Peskov said the allegations reported by Reuters and other media outlets were false.
“If there have been attacks for many months, and the Americans could not do anything about it, it is probably not worth immediately groundlessly blaming the Russians,” he said. “We didn’t have anything to do with it.”
The potential scale of the compromise is enormous. SolarWinds boasts 300,000 customers, including the majority of the United States’ Fortune 500 companies, and some of the most sensitive agencies in the U.S. government – including the Pentagon, the National Security Agency, and the White House.
Any organisation running an updated version of the company’s Orion network management software would have had a “backdoor” installed in their computer systems by the attackers.
“After that, it’s just a question of whether the attackers decide to exploit that access further,” said one of the sources.
However initial indications suggest that the hackers were discriminating about who they chose to break into, according to two people familiar with the wave of corporate cybersecurity investigations being launched Monday morning.
One executive said his company was hunting for SolarWinds-related compromises but had found “surprisingly little.”
“We are seeing some things light up, but not what I would have thought was the market penetration of SolarWinds,” he said.
Another person familiar with a second company’s investigation into the hack said that the hackers appeared mission-focused.
“What we see is far fewer than all the possibilities,” he said. “They are using this like a scalpel.”
SolarWinds has declined to put a figure on the number of customers affected by the breach, but said the attack appeared to be “narrow, extremely targeted, and manually executed.”
Investigators around the world are now scrambling to find out who was hit.
FireEye, a prominent cybersecurity company that was breached in connection with the incident, said in a blog post here that other targets included “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.”
Microsoft said in a blog post they had first seen malicious copies of the SolarWinds software deployed by the hackers last March.
In Britain, where publicly-available SolarWinds sales documents show multiple government departments use the company’s software, a spokesman for Prime Minister Boris Johnson said investigations were ongoing.
“The National Cyber Security Centre is working to assess any UK impact, but we’re not aware of any UK-related impact at this time,” the spokesman told reporters.
Emails sent by officials at DHS, which oversees border security and defense against hacking, were monitored by the hackers as part of the sophisticated series of breaches, Reuters reported.
SolarWinds, which was the key steppingstone used by the hackers, said up to 18,000 of its customers had downloaded a compromised software update that allowed hackers to spy unnoticed on businesses and agencies for almost nine months.
The United States issued an emergency warning on Sunday, ordering government users to disconnect SolarWinds software which it said had been compromised by “malicious actors.”
That warning came after Reuters reported suspected Russian hackers had used hijacked SolarWinds software updates to break into multiple American government agencies, including the Treasury and Commerce departments.
One of the people familiar with the hacking campaign said the critical network that DHS’ cybersecurity division uses to protect infrastructure, including the recent elections, had not been breached.
DHS said it was aware of the reports, without directly confirming them or saying how badly it was affected.
DHS is a massive bureaucracy among other things responsible for securing the distribution of the COVID-19 vaccine.
The cybersecurity unit there, known as CISA, has been upended by President Donald Trump’s firing of head Chris Krebs after Krebs called the presidential election the most secure in American history. His deputy and the elections chief have also left.
The Pentagon said on Monday it is aware of the reports but was not able to comment on “specific mitigation measures or specify systems that may have been impacted.”
The National Security Agency and Joint Force Headquarters Commanders issued guidance and directives to protect DoD networks and IT systems.
SolarWinds said in a regulatory disclosure it believed the attack was the work of an “outside nation state” that inserted malicious code into updates of its Orion network management software issued between March and June this year.
