Some computer systems at the Commerce Department were compromised in a breach affecting federal agencies and U.S. businesses.
Photo: jim lo scalzo/EPA/Shutterstock
A suspected Russian hack that is rippling across federal agencies and U.S. businesses highlights the far-reaching impacts of attacks on supply chains.
Customers of the software provider SolarWinds Inc. began unknowingly installing malware this spring through seemingly routine updates to a network-management tool, the company reported in a regulatory filing Monday. The updates included a weak point created by attackers and could have exposed nearly 18,000 of the Austin, Texas, company’s 300,000 customers.
While the fallout remains unclear, the monthslong campaign by the hackers underscores the complexities of vetting and defending sprawling supply chains, cybersecurity experts say. The hack comes as many companies and governments attempt to streamline their suppliers and as many vendors respond by offering more services, according to Jeff Pollard, a cyber analyst at Forrester Research Inc.
“[These attackers] are weaponizing market share and scale against a software provider,” Mr. Pollard said. “That’s incredibly concerning.”
Some computer systems at the Commerce and Treasury departments, as well as the Department of Homeland Security, were compromised as a result of the attack. SolarWinds lists many additional customers on its website—425 of the Fortune 500 companies and additional U.S. agencies—but it is unclear how many and which have been affected.
Mr. Pollard said such reach can allow attackers to hit multiple targets through a single entry point.
“While there’s a lot of advantages of centralizing from a procurement perspective, you have to wonder if you concentrated too much risk in the U.S. government,” he said. “You’re not going to put the president and vice president on the same flight.”
The shock waves could extend elsewhere across the public and private sectors. The Cybersecurity and Infrastructure Security Agency issued an emergency alert Sunday night urging federal agencies to disconnect from the affected SolarWinds product. The Electricity Subsector Coordinating Council, an executive roundtable for the electric sector, said in a statement Monday that it “conducted a situational awareness call” to discuss the threat and coordinate an industry wide response.
Local governments are also on high alert because of the SolarWinds breach, said Mike Hamilton, co-founder of the cybersecurity firm Critical Informatics Inc. Mr. Hamilton said SolarWinds “is ubiquitous” among local governments, which make up a large portion of his firm’s customers. In recent days, they have scrambled to update the software in question and monitor systems for other suspicious activity.
“Everybody is worried about being extorted,” said Mr. Hamilton, formerly the chief information security officer for the City of Seattle. He cited local governments’ fears of criminal groups affiliated with the attackers “dropping the ransomware bomb and lighting the fuse.”
Russia’s foreign-intelligence service is thought to be behind the attack but the Russian Embassy in Washington has denied those claims, The Wall Street Journal reported Sunday. The incident is tied to a breach the cybersecurity firm FireEye Inc. disclosed last week.
A SolarWinds representative said the company is working with FireEye and federal law-enforcement officials to investigate the attack, and declined to provide further information.
The U.S. government increasingly has warned of such supply-chain attacks in recent years after a string of high-profile incidents have wrought huge financial and legal damage.
Russian attackers used an update to Ukrainian tax software when launching the NotPetya attack in 2017, costing companies billions globally. A 2018 hack of a small debt-collection firm in Elmsford, N.Y., exposed health and payment data for a combined 19.6 million patients of Laboratory Corp. of America Holdings and Quest Diagnostics Inc. More than 200 schools, hospitals and other organizations that use services from Blackbaud Inc. reported this year that a ransomware attack at the tech firm put personal information at risk.
Still, many public- and private-sector efforts to examine suppliers’ security is lacking, cybersecurity experts say. Twenty-three federal departments and agencies oversee separate pieces of national cybersecurity policy and response, leading to unclear responsibilities and reporting lines, according to a September assessment from the Government Accountability Office.
Ben Johnson, founder and chief technology officer of Obsidian Security Inc., said few companies have the wherewithal to vet hundreds or thousands of vendors. He advised firms to restrict suppliers’s data access as much as possible and to mentally prepare for third-party breaches.
“Assume this is compromised,” said Mr. Johnson, a former cyber specialist for the National Security Agency. “Assume this fails.”
—Catherine Stupp and Kim S. Nash contributed to this article.
Write to David Uberti at [email protected]
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
This post first appeared on wsj.com
