Suspected Russia SolarWinds Hack Exposed After FireEye Cybersecurity Firm Found 'Backdoor'

A widespread hack of software maker SolarWinds was uncovered by cybersecurity firm FireEye as it investigated how its own systems had been infiltrated in the same campaign, which is suspected of being the work of Russia.

Officials from California-based FireEye's incident response division, known as Mandiant, confirmed on Monday that their teams were the first to raise the alarm with SolarWinds and U.S. law enforcement after discovering the far-reaching security compromise.

"We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds," Charles Carmakal, senior vice president and chief technical officer at Mandiant, told Bloomberg.

FireEye confirmed on December 8 that its systems had been breached by "a nation with top-tier offensive capabilities." It said evidence suggested state-sponsored culprits had accessed its offensive hacking tools used to test its customers' security.

The SolarWinds attack seemingly went undetected for months as hackers were able to sneak into U.S. government agencies, putting sensitive information at risk of theft.

The National Security Agency (NSA) was apparently not aware until alerted by FireEye, The New York Times reported. The agency was listed as a SolarWinds customer.

"If this actor didn't hit FireEye, there is a chance that this campaign could have gone on for much, much longer. One silver lining is that we learned so much about how this threat actor works and shared it with our [partners]," Carmakal said.

The fallout from the cyber-intrusion grew late on Monday as it was acknowledged that a slew of powerful agencies had possibly been hit, including the Department of Homeland Security (DHS), the State Department, Commerce, Treasury and the Pentagon.

Multiple sources said to be familiar with the investigation told Reuters on Monday that Russia was believed to be responsible for the cyberattack. Bloomberg reported the FBI was probing whether a Russian hacking unit called APT29, or Cozy Bear, was involved in the FireEye attack, but the cybersecurity company has not confirmed any attribution.

“The NSC is working closely with @CISAgov, @FBI, the intelligence community, and affected departments and agencies to coordinate a swift and effective whole-of-government recovery and response to the recent compromise.” – NSC spokesman John Ullyot

— NSC (@WHNSC) December 14, 2020

Investigations will continue to understand the full extent of the hack, which did not exploit a flaw in the software itself but planted a backdoor in legitimate updates of a SolarWinds network-monitoring platform called "Orion." It has been suspected that the motivation behind the compromise was cyber-espionage.

According to a now-removed customer page on its website, SolarWinds software was used by more than 425 firms on the Fortune 500, all branches of the U.S. military, the Centers for Disease Control and Prevention (CDC), all of the top-10 American telecom companies, the Department of Justice, the Office of the President, NASA, NOAA, the Postal Service and "hundreds of universities" and colleges globally.

But SolarWinds said in an advisory the incident appeared to be an "extremely targeted and manually executed attack, as opposed to a broad, system-wide attack." It is not known which of the Texas-based software firm's clients were breached.

The firm's client base tops 300,000. Approximately 18,000 of those customers may have installed a compromised update and are therefore potentially affected by the nation-state cyberattack, SolarWinds said.

The attack was a "supply chain attack" that pushed booby-trapped software updates to SolarWinds customers in order to distribute a type of malware called Sunburst, FireEye said in a blog post on Monday, stressing that the incident is ongoing.

"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries," the company added, warning that those responsible are highly skilled and that their malware could have been used for "data theft."

In a statement this week, a SolarWinds spokesperson said compromised Orion updates are believed to have been released between March and June this year.

FireEye did not release the names of suspected victims. Russia's embassy in the United States rejected the allegations of state hacking in a statement posted to its Facebook account on Sunday, saying the claims were "unfounded" and that Russia does not engage in cyberattacks.
