(Reuters) – Suspected Chinese hackers exploited a software flaw in a product made by SolarWinds Corp. to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a widespread cyber security breach that U.S. lawmakers have identified as a national security emergency.
Two people who were informed about the case said that FBI investigators recently found that the National Finance Center, a federal payroll agency within the US Department of Agriculture, was among the affected organizations, raising concerns that data on thousands of government employees may have been compromised.
Software flaws exploited by the suspected Chinese group are separate from the one the United States has accused Russian government operators of using to compromise up to 1
Security researchers have previously said that a group of hackers abused SolarWinds' software at the same time as the alleged Russian hack, but the suspected connection to China and the subsequent U.S. government investigation of the suspected Chinese operation have not been reported before. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously used by state-backed Chinese cyberspies.
The Chinese Foreign Ministry said that attributing cyberattacks was a "complex technical issue" and all allegations should be supported by evidence. "China opposes and resolutely fights all forms of cyberattacks and theft," it said in a statement.
SolarWinds said it was aware of a single customer being compromised by the second set of hackers but that it "did not find anything crucial" to show who was responsible, adding that the attackers had not accessed its own internal systems, that it had released an update to fix the bug in December, and that the attackers used the SolarWinds software once inside the client's network. SolarWinds did not say how the hackers first got in, except to say that it was "in a way that was not related to SolarWinds."
A USDA spokesman acknowledged that there had been a data breach but declined to comment further. The FBI declined to comment.
Although the two espionage operations overlapped and both targeted the U.S. government, they were separate and distinctly different operations, according to four people who have investigated the attacks and external experts who reviewed the code used by both sets.
While the alleged Russian hackers penetrated deep into the SolarWinds network and hid a "backdoor" in Orion software updates, which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion's code to help spread across networks they had already compromised, the sources said.
'Extremely Serious Intrusion'
Seen side by side, the two operations show how hackers focus on weaknesses in obscure but essential software products that are widely used by large companies and government agencies.
"Apparently, SolarWinds was a high value target for more than one group," said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks' Unit 42.
Former U.S. Chief Information Security Officer Gregory Touhill said that separate groups of hackers targeting the same software product were not uncommon. "It would not be the first time we've seen a nation state actor surf behind someone else, it's like 'working out' in NASCAR," he said, where a race car gains an advantage by carefully following someone else's lead.
The link between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts investigating with the U.S. government.
Reuters could not determine what information the attackers could steal from the National Finance Center or how deep they dug into its system. But the potential impact could be "massive," former U.S. government officials told Reuters.
The NFC is responsible for managing the salaries of several government agencies, including several involved in national security, such as the FBI, the State Department, the Department of Homeland Security and the Treasury Department, the former officials said.
Records held by the NFC include federal employees' social security numbers, telephone numbers and personal email addresses, as well as banking information. On its website, the NFC states that it "provides more than 160 different agencies that provide payroll services to more than 600,000 federal employees."
The USDA spokesman stated in an email: "The USDA has notified all customers (including individuals and organizations) whose information has been affected."
"Depending on what data was compromised, this could be an extremely serious security breach," said Tom Warrick, a former senior official in the U.S. Department of Homeland Security. "It can enable opponents to learn more about US officials and improve their intelligence-gathering ability."