The hacker group behind the ongoing SolarWinds scandal found other ways to intrude on U.S. firms and public agencies than just compromising the titular software company. In fact, nearly a third of the victims of the hack—approximately 30%—have no connection to SolarWinds at all, said a senior federal security official this week.
Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told the Wall Street Journal that the hackers “gained access to their targets in a variety of ways” and that it “is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”
Indeed, the cybersecurity scandal—which has proved to be the biggest in U.S. history—unfortunately became known as “SolarWinds” after hackers used trojanized malware to infiltrate the company and its clients by way of its popular Orion software, an IT management program commonly used by government agencies.
But, as has been previously reported, the hackers appear to have leveraged a multitude of strategies to worm their way into U.S. entities—not just by hacking into Orion. This has included exploiting improperly secured administrative credentials, password spraying, and even, apparently, just guessing passwords. They also compromised other companies independent of the SolarWinds supply chain, such as Microsoft, FireEye and Malwarebytes, and also seem to have used Microsoft’s cloud-based Office software to access certain government agencies.
Indeed, investigators are still untangling the path of the hackers and the route they took as they wended their way into a vital U.S. supply chain. The Wall Street Journal reports:
“SolarWinds itself is probing whether Microsoft’s cloud was the hackers’ initial entry point into its network, according to a person familiar with the SolarWinds investigation, who said it is one of several theories being pursued.”
The hack has affected a disturbing number of powerful federal agencies, including the Department of Defense, the federal judiciary, the Treasury, the Departments of Commerce, Labor, and State, the DOJ, and the National Nuclear Security Administration (NNSA), which is in charge of securing America’s nuclear stockpile, among others.
President Joe Biden has vowed to punish the culprits—recently saying that he would impose “substantial costs” on those responsible. He has also promised to invest more heavily in efforts to secure federal agencies and has said he will make cybersecurity a more central, strategic part of his presidency than his predecessor did.
The U.S. government has tentatively blamed Russia for the hack, putting out a statement earlier this month in which it said “an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks.”
However, some private firms have been more cautious with attribution. Benjamin Reed, the director of threat intelligence at FireEye (which was also hacked by the same actor), recently said he had “not seen enough evidence” to determine whether the actor came from Russia, though he called it “plausible.” Russia has denied responsibility.