Russian hackers have breached US government and private organization networks around the world in a widespread espionage campaign that uses the global software supply chain to infect targets.
The U.S. Treasury and Commerce Departments are among the U.S. government agencies hit in an operation that multiple news outlets, citing people familiar with the matter, said was led by Cozy Bear, a hacking group believed to be part of the Russian foreign intelligence service, known as the SVR. News of the attacks came on Sunday, five days after the $3.5 billion security firm FireEye said on Tuesday it had been hacked by a nation-state.
On Sunday night, FireEye said the attackers infected targets using Orion, a widely used business software app from SolarWinds. After taking control of the Orion update mechanism, the attackers used it to install a backdoor that FireEye researchers call Sunburst.
“FireEye has detected this activity across multiple entities worldwide,” FireEye researchers wrote. “The victims include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We expect more casualties in other countries and industries. FireEye has notified all entities that we know are affected.”
After using the Orion update mechanism to gain a foothold on targeted networks, Microsoft said in its own post, the attackers steal signing certificates that allow them to impersonate any of a target’s existing users and accounts, including highly privileged accounts.
In a separate post, FireEye said it identified multiple organizations that appear to have been infected as early as last spring. “Our analysis indicates that these compromises do not propagate by themselves,” the company’s researchers said. “Each of the attacks requires careful planning and manual interaction.”
SolarWinds says the monitoring products it released in March and June this year may have been surreptitiously weaponized in a “highly sophisticated” nation-state attack.