Suspected Chinese state-backed threat actors exploited a SolarWinds Orion bug to compromise a US government payroll agency, a new report has claimed.
The campaign took place last year and was separate to the successful Russian cyber-espionage plot to spy on multiple government departments, five people familiar with the matter told Reuters.
Although the report was unable to clarify how many organizations were targeted, it claimed that the National Finance Center, a federal payroll agency inside the US Department of Agriculture (USDA), was one.
This alone could represent a serious national security risk, as the agency apparently handles personal and financial information on employees of the FBI, State Department, Homeland Security Department and Treasury Department, among others.
“Depending on what data were compromised, this could be an extremely serious breach of security,” former Department of Homeland Security official, Tom Warrick, told Reuters. “It could allow adversaries to know more about US officials, improving their ability to collect intelligence.”
Sources claimed that the attackers used hacking infrastructure and tools deployed in the past by Chinese state-backed threat groups. The Chinese government said in a statement that it opposes any cyber-attacks and urged those making the allegations to provide supporting evidence.
Unlike the Russians, who compromised an Orion update to gain a foothold in victim systems, among other tactics, these attackers were already inside victim networks when they exploited a bug in the software to move laterally, according to the report.
Bizarrely, the USDA both confirmed the breach with Reuters and then, following publication of the story, denied it.
A SolarWinds spokesperson sent the following statement to Infosecurity:
“The customer's network was compromised in a way that was unrelated to SolarWinds. That breach enabled the attackers to add the malicious Supernova code to Orion software on the customer's network. We are aware of one instance of this happening and there is no reason to believe these attackers were inside the SolarWinds environment at any time. This is separate from the broad and sophisticated attack that targeted multiple software companies as vectors."