Second Solar Winds Hack Targeted Federal Payroll Agency – China Suspected

Late last year suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp in order to break into U.S. government computers people familiar with the matter told Reuters.

The software flaw exploited by the Chinese group is separate from the one used by suspected Russian government operatives that compromised up to 18,000 SolarWinds customers, including sensitive federal agencies, through the company’s Orion network monitoring software.

Security researchers suspected a second group of hackers was using SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China has not been previously reported.

Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity, said the attackers used known computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture (USDA), was among the affected organizations, raising fears that data on thousands of government employees may have been compromised to China.

A USDA spokesman said in an email “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise.”

In a follow-up statement after the story was published, a different USDA spokesman said the NFC was not hacked and that “there was no data breach related to Solar Winds” at the agency. He did not provide further explanation.

The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.

SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible.

SolarWinds did not say how the hackers first got in, except to say it was “in a way that was unrelated to SolarWinds.”

According to four people who have investigated the attacks and outside experts who reviewed the code used by both sets of hackers, though the two hackings overlap and both targeted the U.S. government, they were distinctly different operations,

While the alleged Russian hackers penetrated deep into SolarWinds network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said.

The side-by-side missions show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.

“Apparently SolarWinds was a high value target for more than one group,” said Jen Miller-Osborn, the deputy director of threat intelligence at Palo Alto Networks’ Unit42.

Former U.S. chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product was not unusual. “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one racing car gets an advantage by closely following another’s lead.

The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department, the former officials said.

Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.”

“Depending on what data were compromised, this could be an extremely serious breach of security,” said Tom Warrick, a former senior official at the U.S Department of Homeland Security. “It could allow adversaries to know more about U.S. officials, improving their ability to collect intelligence.”