Hackers who breached the computer systems of U.S. government agencies including the Treasury Department appear to have hidden malicious code in the body of legitimate software updates, according to cybersecurity experts.
Investigators have traced the hack — which one U.S. official said is “probably going to be one of the most consequential cyberattacks in U.S. history” — to updates of the Orion technology management software that were released between March and June of this year.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” a spokesman for SolarWinds Worldwide, the manufacturer of the software, said.
In supply-chain attacks, hackers compromise a product, service or update channel that many organizations already trust, so the vendor's own distribution mechanism delivers the malicious code to scores of victims before any of the compromises are detected.
“The apparent use of a flaw in SolarWinds technology could be problematic,” The Wall Street Journal said, noting that the company claims to have more than 300,000 customers world-wide, including more than 400 of the U.S. Fortune 500 companies.
The National Security Council on Monday held its second meeting in three days about the attack, which security experts have linked to Russian intelligence. The hackers reportedly broke into networks at the Treasury, Commerce, and Homeland Security departments, accessing their email systems.
According to The New York Times, the malicious code was inserted into the periodic automatic updates of the Orion software, which customers install much as an iPhone is updated overnight. Once a tampered update was running inside a victim's network, the hackers used that foothold to break into the victim's Microsoft email servers by forging the authentication tokens that tell the system who should be granted access.
The Times said it was unclear how many of SolarWinds’ customers use the Orion platform or whether they were all targets. But Chris Krebs, who served as the top cybersecurity official at the Department of Homeland Security before being fired by President Trump last month, said Orion users should assume they have been compromised.
“Hacks of this type take exceptional tradecraft and time,” he said on Twitter.