US Government hit by huge cyber-attack

Mission-critical US government agencies and large companies, including Microsoft, have been targeted by a huge cyber-attack.

The attackers got in through Orion, IT monitoring software made by Texas-headquartered SolarWinds.

Government agencies and companies have now been ordered by US security agencies to deactivate the software to stop the long-running attacks spreading. The attacks are believed to have started in March, at the beginning of the pandemic, when thousands of government agencies and companies downloaded tampered updates to the software.

SolarWinds has admitted that around 18,000 organisations globally downloaded the tampered update.

It first came to light last week when cyber security vendor FireEye, itself a SolarWinds customer, disclosed that it had been the victim of a cyber attack, initially without publicly putting SolarWinds in the frame.

The update contained a backdoor that let the attackers into the networks of the organisations that installed it. To plant it, the attackers had first breached SolarWinds' own systems and inserted the backdoor into the software builds before they were shipped to customers.

The US Treasury also reported a serious cyber-attack earlier this week.

The large majority of those affected are in the US, but companies in Europe, including the UK, are also reported to have been hit.

In response, the Federal Bureau of Investigation, the US Cybersecurity and Infrastructure Security Agency (CISA) and the US Office of the Director of National Intelligence (ODNI) have joined forces to co-ordinate the nation's response to the hacks.

They said: “This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.

“The FBI is investigating and gathering intelligence in order to attribute, pursue and disrupt the responsible threat actors.”

They added: “CISA took immediate action [this week] and issued an Emergency Directive instructing federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products from their network.

“CISA remains in regular contact with our government, private sector and international partners, providing technical assistance upon request, and making needed information and resources available to help those affected recover quickly from this incident.”

They added: “CISA is engaging with our public and private stakeholders across the critical infrastructure community to ensure they understand their exposure and are taking steps to identify and mitigate any compromises.”

CISA acting director Brandon Wales said: “The compromise of SolarWinds’ Orion network management products poses unacceptable risks to the security of federal networks.”

The UK National Cyber Security Centre has issued the following guidance to organisations affected by the hack:

“SolarWinds Orion has been compromised and may be used for onward attacks against systems connected to the product.

“An attacker has been able to add a malicious, unauthorised modification to SolarWinds Orion products which allows them to send administrator-level commands to any affected installation.

“This modification causes the Orion products to connect to an attacker-controlled server to request instructions and does not rely on the attacker being able to directly connect from the internet to the Orion server.”

It added: “There is evidence of the attacker using this capability in some cases to move from a single Orion server to other parts of the victim’s IT network.

“Not all customers who have an installation with the unauthorised, malicious modification will have been seriously affected, but all should take immediate action.”
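The NCSC description above is of a backdoor that calls out to an attacker-controlled server rather than waiting for inbound connections, so the place to look for it is outbound traffic from the Orion servers themselves. The Python below is an added example for this article, not code from the NCSC, CISA, SolarWinds or FireEye. It runs over a constructed firewall/proxy log (the log lines, the inventory of Orion hosts in `ORION_HOSTS`, the vendor domains in `EXPECTED_DESTINATIONS` and the RFC 1918 internal ranges are all assumptions for illustration, not published indicators) and flags connections from Orion hosts to external destinations that are not on the expected list, counting repeats because a server fetching instructions tends to contact the same destination again and again. Generic detection logic like this complements, and does not replace, the vendor and agency indicators of compromise.

```python
"""Flag unexpected outbound connections from Orion servers.

Added example for the article; every host, domain and log line here is
constructed for illustration and is not a real indicator of compromise.
"""
import ipaddress
from collections import Counter

# Assumption: the defender keeps an inventory of hosts running Orion.
ORION_HOSTS = {"10.0.5.20", "10.0.5.21"}

# Assumption: destinations an Orion server legitimately reaches on the
# internet (placeholder vendor update/licensing names, not a published list).
EXPECTED_DESTINATIONS = {"updates.vendor.example", "license.vendor.example"}

# Assumption: the internal address space is the RFC 1918 ranges. Orion's job
# is to poll internal nodes, so internal destinations are not flagged here.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log, one event per line:
#   <timestamp> <src_ip> <dst_ip> <dst_name or '-' when unresolved>
SAMPLE_LOG = """\
2020-12-14T09:00:01Z 10.0.5.20 10.0.7.15 -
2020-12-14T09:00:02Z 10.0.5.20 203.0.113.10 updates.vendor.example
2020-12-14T09:10:05Z 10.0.5.20 198.51.100.7 cdn.stats-report.example
2020-12-14T09:20:06Z 10.0.5.20 198.51.100.7 cdn.stats-report.example
2020-12-14T09:30:07Z 10.0.5.20 198.51.100.7 cdn.stats-report.example
2020-12-14T09:31:00Z 10.0.8.40 198.51.100.7 cdn.stats-report.example
2020-12-14T09:32:00Z 10.0.5.21 192.0.2.9 -
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, name = parts
    return {"ts": ts, "src": src, "dst": dst, "name": "" if name == "-" else name}


def is_internal(ip):
    """True when the address falls inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_unexpected_egress(log_text, orion_hosts=ORION_HOSTS,
                           allowlist=EXPECTED_DESTINATIONS, min_hits=1):
    """Return findings for Orion hosts talking to unexpected external destinations.

    Each finding records source, destination, resolved name, number of hits
    and the first timestamp seen, sorted with the most repeated contact first.
    Raise min_hits to surface only repeated (beacon-like) contacts.
    """
    counts = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["src"] not in orion_hosts:
            continue  # not an Orion server, or unparseable line
        if is_internal(ev["dst"]):
            continue  # polling monitored internal nodes is normal behaviour
        if ev["name"] in allowlist:
            continue  # expected vendor traffic
        key = (ev["src"], ev["dst"], ev["name"])
        counts[key] += 1
        first_seen.setdefault(key, ev["ts"])
    return [
        {"src": s, "dst": d, "name": n, "hits": c, "first_seen": first_seen[(s, d, n)]}
        for (s, d, n), c in sorted(counts.items(), key=lambda kv: -kv[1])
        if c >= min_hits
    ]


if __name__ == "__main__":
    for f in find_unexpected_egress(SAMPLE_LOG):
        print(f"{f['src']} -> {f['dst']} ({f['name'] or 'unresolved'}): "
              f"{f['hits']} hit(s), first seen {f['first_seen']}")
```

On the constructed log the script reports the Orion host 10.0.5.20 contacting 198.51.100.7 three times and 10.0.5.21 contacting an unresolved 192.0.2.9 once; the non-Orion host 10.0.8.40 and the internal poll to 10.0.7.15 are ignored. Contacts to unexpected destinations are a lead to investigate, not proof of compromise, which is why the NCSC advice to take immediate action on every affected installation stands regardless of what such a search turns up.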

Last night, SolarWinds issued the following security update: “SolarWinds was the victim of a cyber attack to our systems that inserted a vulnerability [named SUNBURST] within our Orion platform software builds for versions 2019.4 HF 5, 2020.2 with no hot-fix installed and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”

It said: “This attack was a very sophisticated supply chain attack, which refers to a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software.

“In this case, it appears that the code was intended to be used in a targeted way as its exploitation requires manual intervention. We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker.”

None of the national security agencies have so far publicly blamed anyone specifically for the hack.
