SolarWinds, the federal contractor at the center of a sweeping suspected Russian hacking campaign, on Monday identified malicious code the company says attackers used to manipulate its software, and remain undetected for months.
The code was designed to inject another piece of custom malicious software into Orion, the SolarWinds software used by numerous Fortune 500 companies and federal agencies, “without arousing the suspicion of our software development and build teams,” Sudhakar Ramakrishna, the new CEO of SolarWinds, wrote in a blog post.
The discovery adds to the public understanding of one of the most complex digital espionage operations in recent memory. The attackers have used not only SolarWinds’ software, but other digital entry points in carrying out the hack, which has affecting major firms including Microsoft and FireEye, as well as multiple federal agencies.
Security firm CrowdStrike, which helped find the new malicious code, said the code monitors software processes “for those involved in compilation of the Orion product and replaces one of the source files” with malware known as Sunburst. That makes an intrusion particularly difficult to detect, and gives spies persistence access to victim networks.
The widespread nature of the hacking campaign has sparked concern in Washington, where lawmakers have announced investigations into the hacking campaign. The head of the U.S. Cybersecurity and Infrastructure Security Agency told CyberScoop he expects more federal agencies to come forward as victims. President-elect Joe Biden, meanwhile, has vowed a strong response to the intrusions, though he hasn’t specified what that will entail.
The new SolarWinds statement also underscores the long-running nature of the compromises. Suspicious activity surfaced on SolarWinds systems as early as September 2019, Ramakrishna said. By the next month, the hackers were testing their ability to modify the Orion software, he said. But it wasn’t until December 2020 that SolarWinds learned of the hack.
While Russia has denied involvement, clues pointing to Moscow continue to mount. Previous media reporting has implicated Cozy Bear, a hacking unit linked with Russia’s SVR foreign intelligence agency, as the culprit. But on Monday, security analysts at Kaspersky published data showing how some of Sunburst’s features overlapped with a backdoor previously used in breaches tied to Turla, another suspected Russian hacking group.