Another Hacking Group Allegedly Involved in Cyberattack That Affected Federal Government: Microsoft

December 22, 2020 Updated: December 22, 2020

Another hacking group was involved in a cyberattack that targeted SolarWinds software, which was used by a number of federal government agencies, said Microsoft in an update.

An investigation revealed “an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise,” said Microsoft on Dec. 18. The malware was most likely “used by a different threat actor,” it said, suggesting another group may have been involved in the breach.

“This code provides an attacker the ability to send and execute any arbitrary C# program on the victim’s device. Microsoft Defender Antivirus detects this compromised DLL as Trojan:MSIL/Solorigate.G!dha,” said the company.

SolarWinds, a third party vendor, said that its systems were compromised after hackers breached the firm’s Orion updates and distributed malware. The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency said the attack was more significant they previously thought.

“One of the initial access vectors for this activity is a supply chain compromise of the following SolarWinds Orion products. CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” CISA said in a statement on Dec. 17.

And officials expect “that removing this threat actor from compromised environments will be highly complex and challenging for organizations” and noted the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered,” said CISA.

The Office of the Director of National Intelligence, CISA, and other intelligence agencies said the attack is “ongoing,” adding that the “compromise has affected networks within the federal government.”

Chris Krebs, the former director of CISA, told CNN that the attack occurred while he was head of the agency.

“It happened on my watch … but there is work to do now going forward to make sure A: we get past this, that we get the Russians out of the networks, but, B: that it never happens again,” Krebs remarked.

According to a report from the Wall Street Journal, other than the federal government, a number of major corporations had used SolarWinds’ Orion.

Technology giant Cisco Systems Inc., Intel Corp., Nvidia Corp., VMware Inc., Belkin International Inc., Kent State University, and many more used the software, the report found.

“At this time, there is no known impact to Cisco offers or products,” a company spokesman for Cisco told the paper, adding that it found the malware on some employee systems. The other companies confirmed to WSJ that they were aware of the malware.

A Kent State University spokeswoman added that the university “was aware of the situation and are evaluating this serious matter.”