Chinese Hackers Exploit SolarWinds To Steal Federal Payroll Info: Report

Suspected Chinese hackers took advantage of another SolarWinds Orion vulnerability to spread across networks and break into computers at the National Finance Center and other U.S. agencies, Reuters said.

Suspected Chinese hackers took advantage of another SolarWinds software vulnerability to compromise computers at the National Finance Center and other U.S. government agencies, Reuters reported.

FBI investigators recently found that the National Finance Center—a federal payroll agency inside the U.S. Department of Agriculture—was among the agencies impacted by a Chinese hack of SolarWinds that also took place last year, Reuters said, citing people familiar with the matter. Investigators fear that data on thousands of government employees may have been compromised in the attack, Reuters said.

The hackers used computer infrastructure and hacking tools that had previously been deployed by state-backed Chinese cyberspies, according to Reuters. Specifically, Reuters reported the suspected Chinese group exploited a flaw in Orion’s code to help spread across networks they had already compromised. The potential impact of this attack could be “massive,” former U.S. government officials told Reuters.

[Related: Mimecast Breach Linked To SolarWinds Hack, Allowed Cloud Services Access]

SolarWinds told CRN the customer’s network was compromised in a way unrelated to the company itself, adding there’s no reason to believe the attackers were inside SolarWinds’ environment at any time. The breach described by Reuters enabled the attack to add malicious Supernova code to the Orion software in the customer’s network, and SolarWinds said it’s aware of one instance of this happening.

“This is separate from the broad and sophisticated attack that targeted multiple software companies as vectors,” SolarWinds said in a statement to CRN.

An Agriculture Department spokesman acknowledged to Reuters that a data breach took place and said all individuals and organizations whose data was affected have been notified. The FBI declined a Reuters request for comment, while the Chinese foreign ministry told Reuters that attributing cyberattacks is a “complex technical issue” and said that any allegations should be supported with evidence.

The FBI and U.S. Department of Agriculture didn’t immediately respond to CRN requests for comment. Security researchers previously said a second group of hackers were abusing SolarWinds’ software at the same time Russian hackers attacked the company, but Reuters Tuesday became the first to report on the suspected connection to China and ensuing federal breach.

The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, security analysts investigating alongside the U.S. government told Reuters. Reuters said it wasn’t able to determine what information hackers were able to steal from the National Finance Center or how deeply they burrowed into the agency’s systems.

In addition, Reuters said it wasn’t able to establish how many organizations were compromised by the suspected Chinese operation beyond the National Finance Center. The National Finance Center is responsible for handling the payroll of multiple government agencies, including several involved in national security such as the FBI and the U.S. Departments of Homeland Security, State and Treasury.

Records held by the National Finance Center include federal employee Social Security numbers, phone numbers, personal email addresses and banking information, according to Reuters. The National Finance Center services more than 160 diverse agencies, providing payroll services to more than 600,000 federal employees, according to the organization’s website.

FireEye CEO Kevin Mandia said attacks like this have become increasingly normal and will continue happening in the foreseeable future.

“It just sounds like every other breach we’re going to read about [where] the threat actors can act with no risks or repercussions,” Mandia told CRN. “This year, they took advantage of SolarWinds with an implant, maybe a vulnerability. Next year, it’ll be some other application, or many applications.”