IT systems of several US government agencies were breached as part of a widespread hacking campaign believed to be the work of the Russian government.

In an operation related to the FireEye breach revealed last week, hackers were able to gain access to agencies using a malicious software update introduced in a product from SolarWinds.

A significant breach

HPE hackers
– Sebastian Moss

The attack was discovered by FireEye during the cybersecurity company's investigation into its own breach. Hackers added sophisticated malware to SolarWinds' network monitoring software in updates sent out to customers in March and June - among them FireEye.

"We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain," FireEye CEO Kevin Mandia said. "This compromise is delivered through updates to a widely-used IT infrastructure management software - the Orion network monitoring product from SolarWinds."

SolarWinds said that it is “acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters." The company has more than 300,000 customers, including 425 of the US Fortune 500 companies.

Among its customers are all five branches of the US military, the State Department, NASA, Department of Justice, Office of the President of the United States, the Federal Reserve, the National Security Agency, the Secret Service, and contractors Booz Allen Hamilton and Lockheed Martin. The top ten largest US telcos all use SolarWinds.

Following the hack's discovery, the Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency directive calling on all federal civilian agencies to disconnect or power down SolarWinds Orion products immediately.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales.

“Tonight’s directive (21-01) is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners - in the public and private sectors - to assess their exposure to this compromise and to secure their networks against any exploitation.”

The incident is thought to be one of the most severe in years, with several government agencies likely compromised for months. SolarWinds does not believe its managed services business was impacted by the hack.

The scale and scope of the breach is not known, but as part of the hacking campaign, it is thought that internal email traffic at the Treasury and Commerce departments was monitored. The hack was so serious, it led to a National Security Council meeting at the White House on Saturday, Reuters reports.

"We paid attention to another unfounded attempt of the US media to blame Russia for hacker attacks on US governmental bodies," the Russian Embassy said.

Further reading