The hack of the IT management company SolarWinds, which targeted several government agencies and private corporations in the United States, has done more damage than officials first concluded. The cyberattack, whose perpetrator was confirmed to be a Russian intelligence agency, has affected approximately 250 federal agencies and businesses.
As reported by ZDNet and by us, Democratic Senator Dick Durbin said, “This is nothing short of a virtual invasion by the Russians into critical accounts of our federal government,” while Republican Senator Mitt Romney called it “an extraordinary invasion of our cyberspace.”
The Russian hackers inserted malicious code into an update of the Orion software, which infected no fewer than 18,000 SolarWinds customers who installed the update on their systems. This has presumably made all information available to the Russian intelligence agents, from usernames and passwords to emails and financial records, and possibly even the Microsoft source code.
“At Microsoft, we have an inner source approach – the use of open-source software development best practices and an open source-like culture – to making source code viewable within Microsoft,” the tech giant said in a statement.
“This means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn’t tied to elevation of risk.”
However, that is not the only bad news. On 30 December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) updated its official guidance concerning the SolarWinds supply chain attack. The emergency directive instructs all US government agencies to update to SolarWinds Orion version 2020.2.1 HF2 by the end of the year, or to follow CISA’s original guidance from 18 December and immediately disconnect versions 2019.4 through 2020.2.1 HF1 from their network.
“If FireEye had not come forward, I’m not sure we would be fully aware of it to this day,” Mark Warner, a senior senator from Virginia and a ranking member of the Senate Intelligence Committee, told The New York Times. “The size of it keeps expanding. It’s clear the United States government missed it.” He also confirmed that the hack looked “much, much worse” than was initially expected.
Further investigation has also brought to light more government agencies and companies that were affected by the breach. Among them, we now count the Department of State, the Department of Homeland Security, the National Institutes of Health, the Department of the Treasury, the Department of Commerce, the Department of Energy, including the National Nuclear Security Administration, and, last but not least, the Pentagon.