British cyber spies are today urgently investigating a major suspected Russian hack that has caused chaos in the US amid fears UK government departments, police forces and private companies could be affected.
The sprawling attack is being called the biggest breach in American history and a ‘grave threat’ to the US government, after hackers got into networks used by the Pentagon, FBI, Treasury, State Department and nuclear security agencies.
Today, the UK Cyber Security Agency said it was investigating the incident, which saw attackers – thought to be working for the Kremlin – get into computer networks by installing a vulnerability in a software update from US tech firm SolarWinds.
The UK Government is refusing to say if any departments or civil authorities have been hit, but publicly-available documents show that the infected update, called Orion, has been used by the Home Office.
SolarWinds clients also include the NHS, the Ministry of Defence, Cabinet Office, Ministry of Justice, GCHQ, the Civil Aviation Authority and police forces. It’s not clear if any of these bodies used the Orion update or if they have been affected.
Microsoft has also been hit, and today it identified 40 clients that had been exposed, including some in the UK. Reports say most of America’s 500 largest companies have been targeted, but the impact on Britain’s private sector is not yet clear.
The number of British companies affected is likely to be small and there is a low chance of customer data breaches, it is understood.
The UK Government is refusing to say if any departments or civil authorities have been hit, but publicly-available documents show that the infected update, called Orion, has been used by the Home Office
How hackers used legitimate software to carry out ‘biggest hack in US history’
The US Cybersecurity and Infrastructure Security Agency has released an alert detailing what it knows about the breach.
CISA says that hackers were able to compromise the supply chain of network management software from SolarWinds, specifically recent versions of the SolarWinds Orion products.
Beginning in March 2020, hackers used SolarWinds software updates to install a secret network backdoor, which authorities are calling SUNBURST.
The malicious code was signed by the legitimate SolarWinds code signing certificate. An estimated 18,000 customers downloaded the compromised updates.
Once installed on a network, the malware used a protocol designed to mimic legitimate SolarWinds traffic to communicate with a domain that has since been seized and shut down.
The initial contact domain would often direct the malware to a new internet protocol (IP) address for command and control. The attackers used rotating IPs and virtual private servers with IP addresses in the target’s home country to make detection of the traffic more difficult.
‘Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence,’ CISA said in the alert.
Officials in the US say the attack went undetected for nearly nine months, allowing the hackers free range in the affected networks, including at the Pentagon, FBI, Treasury, State Department and nuclear security agencies, and that the true scale of the stolen information may never be known.
‘There will be a price to pay for this,’ vowed Dick Durbin, an Illinois Democrat, in a speech in the US Senate today.
‘This is nothing short of a virtual invasion by the Russians into critical accounts of the federal government.’
‘When adversaries such as Russia torment us, tempt us, breach the security of our nation, we need to respond in kind,’ said Durbin, though noting he was not calling for ‘all-out war’.
President-elect Joe Biden also vowed a tough response, saying in a statement: ‘Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults on our nation.’
Biden vowed to ‘disrupt and deter’ future cyber attacks by ‘imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners.’
The White House has not yet commented on the breach. The attack, if authorities can prove it was carried out by Russia as experts believe, creates a fresh foreign policy problem for President Donald Trump in his final days in office.
Officially, the US Cybersecurity and Infrastructure Security Agency has not publicly identified Russia as the source of the attack, and Russia denies involvement. But private security companies say that all signs point to the Kremlin.
Asked whether Russia was behind the attack, a US official said: ‘We believe so. We haven’t said that publicly yet because it isn’t 100 percent confirmed.’
CISA warned the sophisticated attack was hard to detect and will be difficult to undo. ‘This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,’ the agency said in a flash bulletin.
The agency said that the intrusion, which it dubbed SUNBURST, posed a ‘grave risk’ to ‘critical infrastructure’ in both the public and private sector, and at all levels of government.
US president-elect Joe Biden also vowed a tough response, saying in a statement: ‘Our adversaries should know that, as president, I will not stand idly by in the face of cyber assaults’
In a statement to DailyMail.com on Thursday, a Microsoft spokesperson confirmed that the company had detected and removed malicious code from the SolarWinds attack within the company, but denied that any of its products were affected.
Microsoft is one of the world’s largest technology companies, with clients across the public and private sector, and last year was awarded the $10 billion JEDI contract to run the Department of Defense’s cloud computing system.
‘We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others,’ the spokesperson said.
As well, the two agencies responsible for maintaining America’s nuclear weapons stockpile have evidence they were compromised in the attack, which also breached the Pentagon, FBI, Treasury and State Department.
‘This is looking like it’s the worst hacking case in the history of America,’ one US official said on condition of anonymity. ‘They got into everything.’
A UK National Cyber Security Centre spokesman said: ‘We are continuing to investigate this incident and have produced guidance for SolarWinds’ Orion suite customers.
‘While it is important to note this issue has only been reported for the Orion product suite and will therefore not impact all SolarWinds customers, we strongly urge those who are affected to follow our guidance.’
Dmitry Peskov, a Kremlin spokesman, said in response to allegations of Russian involvement: ‘Once again, I can reject these accusations and once again I want to remind you that it was President [Vladimir] Putin who proposed that the American side agree and conclude agreements [with Russia] on cyber security.’
Microsoft was breached in the massive suspected Russian campaign that has hit multiple US government agencies, according to people familiar with the matter