The Russian hacker group attributed to Russia's foreign intelligence service SWR has carried out a spectacular espionage operation against targets across the Western world. The attackers had been inside the systems of the US network management software vendor Solarwinds since at least May and used them to deliver a backdoor into the networks of every Solarwinds customer that installed the compromised product.
The Solarwinds customer list reads like a who’s who of international corporations; 425 of the Fortune 500 companies in the USA use the software concerned, including defense companies such as Lockheed Martin. Various US ministries, the US military, all major cell phone network operators and universities also use the infiltrated product called “Orion”.
In Europe, Siemens, NATO, the British National Health Service and the European Parliament are among the Solarwinds customers. But smaller companies such as Sparkasse Hagen are also on the company’s reference customer list.
The Washington Post reports that hackers linked to the Russian intelligence service SWR are responsible for the intrusions into the US Treasury and Commerce Departments and other US agencies. What information was stolen is still unclear. The intrusions had been going on for months. These are the same hackers who attacked the IT security company FireEye, which US authorities frequently call in to investigate cyberattacks.
Microsoft, the security service provider FireEye and Solarwinds itself warn of the consequences of the attack in drastic terms: Orion is used for the automated management and monitoring of large corporate networks, and whoever gains a foothold there is well placed to take control of the rest of a company's systems.
Unsuspecting developers shipped the espionage update
FireEye describes the capabilities of the spyware as comprehensive: "After an initial dormant period of two weeks after installation, the software retrieves commands, so-called jobs. These include running other programs, transferring files, rebooting the machine and switching off services such as virus scanners."
The spies can also use their software to create additional user accounts with administrator rights, with which they can move through corporate networks undetected, Microsoft warns. "We believe that a nation-state actor is at work here, that the attack is significant in scale and that it is aimed at both private companies and government organizations."
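The two behaviours just described, creating additional administrator accounts and switching off defensive services, are exactly what a defender can hunt for in Windows event logs. The following is an added example written for this page, not code from FireEye, Microsoft or Solarwinds. It runs over a handful of constructed, simplified events that are assumed to have been exported from the Security and System logs into dictionaries; the host and account names, the list of protected services and the 15-minute correlation window are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Windows event IDs the hunt keys on:
#   4720  "A user account was created"                          (Security log)
#   4732  "A member was added to a security-enabled local group" (Security log)
#   7040  "The start type of a service was changed"             (System log)
EVT_USER_CREATED = 4720
EVT_LOCAL_GROUP_ADD = 4732
EVT_SERVICE_START_CHANGED = 7040

# Assumption: defensive services an operator would never expect to see disabled.
PROTECTED_SERVICES = {"WinDefend", "Sense", "MsMpSvc"}

# Constructed sample events (not real telemetry): each dict stands in for one
# EVTX record after normalisation; hosts, accounts and timestamps are invented.
SAMPLE_EVENTS = [
    # Management server: a service account creates a user, makes it a local
    # admin two seconds later, then the endpoint protection service is disabled.
    {"ts": "2020-06-01T02:13:05", "host": "orion-srv01", "event_id": 4720,
     "subject": "svc_orion", "target": "svc_backup2"},
    {"ts": "2020-06-01T02:13:07", "host": "orion-srv01", "event_id": 4732,
     "subject": "svc_orion", "target": "svc_backup2", "group": "Administrators"},
    {"ts": "2020-06-01T02:15:40", "host": "orion-srv01", "event_id": 7040,
     "subject": "SYSTEM", "service": "WinDefend", "new_start": "disabled"},
    # Workstation: helpdesk creates a user and grants admin rights two days
    # later, well outside the correlation window (treated as benign here).
    {"ts": "2020-06-01T09:00:00", "host": "ws-045", "event_id": 4720,
     "subject": "helpdesk1", "target": "jdoe"},
    {"ts": "2020-06-03T10:00:00", "host": "ws-045", "event_id": 4732,
     "subject": "helpdesk1", "target": "jdoe", "group": "Administrators"},
    # A protected service switched to manual start, not disabled: ignored.
    {"ts": "2020-06-02T12:00:00", "host": "ws-045", "event_id": 7040,
     "subject": "admin7", "service": "WinDefend", "new_start": "demand start"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_admin_backdoors(events, window_minutes=15):
    """Flag accounts that were created and then added to the local
    Administrators group on the same host within `window_minutes`."""
    window = timedelta(minutes=window_minutes)
    created = {}  # (host, account) -> creation time
    findings = []
    for e in sorted(events, key=_ts):  # correlation needs time order
        key = (e["host"], e.get("target"))
        if e["event_id"] == EVT_USER_CREATED:
            created[key] = _ts(e)
        elif (e["event_id"] == EVT_LOCAL_GROUP_ADD
              and e.get("group") == "Administrators"
              and key in created
              and _ts(e) - created[key] <= window):
            findings.append({"rule": "new-local-admin", "host": e["host"],
                             "account": e["target"], "by": e["subject"]})
    return findings


def find_disabled_defenses(events, protected=PROTECTED_SERVICES):
    """Flag start-type changes to 'disabled' for protected services."""
    return [{"rule": "defense-disabled", "host": e["host"],
             "service": e["service"], "by": e["subject"]}
            for e in events
            if e["event_id"] == EVT_SERVICE_START_CHANGED
            and e.get("new_start") == "disabled"
            and e.get("service") in protected]


def hunt(events):
    """Run both rules and return the combined list of findings."""
    return find_admin_backdoors(events) + find_disabled_defenses(events)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

On a real estate the events would come from Get-WinEvent or a SIEM rather than an inline list, and the correlation window is a tuning knob: the Orion example above is caught at 15 minutes, while the helpdesk case is only flagged if the window is widened to days. Management servers like Orion legitimately run with high privilege, so they deserve a tighter baseline than workstations rather than a looser one.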
According to FireEye's analysis, the attackers gained access to the systems of the Solarwinds Orion development team in Austin, Texas, in March. There they inserted their backdoor into pending Orion builds (up to and including version 2020.2.1) by planting malicious code inside the legitimate component SolarWinds.Orion.Core.BusinessLayer.dll.
The update was then digitally signed by the unsuspecting Solarwinds developers and delivered to customers from May via the company's own update servers. Thanks to the valid signature, the software was not blocked by virus scanners and was installed on customer systems in ministries, companies, universities and organizations; Solarwinds itself estimates that up to 18,000 customers installed the compromised builds.
But the Russian government denies any involvement. "We have nothing to do with it," Kremlin spokesman Dmitry Peskov told the Interfax agency in Moscow. "Even if the Americans were unable to do anything about it for many months, one should not immediately accuse the Russians of everything without reason."
Peskov also recalled the proposal by Russian President Vladimir Putin to work more closely with the US on cybersecurity.
Such an attack on the software supply chain of a key vendor like Solarwinds is every hacker team's dream: the victims install the spyware on their own computers, unchecked and without suspicion, because it arrives as a properly signed update from a trusted supplier.
Several US departments were affected by the attack
The consequences of the attack can be extremely far-reaching: the alleged perpetrators, a Russian hacker group that security researchers track as APT29, also known as Cozy Bear, were able to access data wherever the Orion software was installed.
It is conceivable that they read complete e-mail histories, copied files and mapped the structure of computer networks and organizations. The US government has already had to admit that several departments were affected by the attack, including the Justice and Commerce Departments.
Which companies and organizations in Germany and Europe are specifically affected could not be determined on Monday. The Federal Office for Information Security told WELT on request that, according to initial findings, government networks were not affected. "The analysis is still ongoing. Whether companies based in Germany are affected is also currently being examined."
Given the multitude of potential targets, the Russian hackers probably struggled to sift through the haul from their fishing trip. On the other hand, they have had time since at least May 2020 to collect data at leisure. Large defense contractors, ministries and government organizations in particular must, as things stand, assume that they have been spied on.
The attack came to light last week after the security company FireEye itself became a victim of the spies. FireEye discovered the espionage software and raised the alarm; on Sunday the company published that the hackers had compromised the Solarwinds software. The hack now turns out to be considerably larger than initially assumed.
The German Federal Office for Information Security has not yet been able to assess the impact, and companies such as Siemens, which are also on the Solarwinds customer list, have likewise not commented.