US Treasury And Commerce Departments Allegedly Infiltrated By Russia-Backed Hacker Group
Over the weekend, it was announced that a nation-state actor had breached SolarWinds’ Orion platform as early as spring of this year. Orion is an all-in-one product for IT administration and monitoring, among other utilities. It is used by companies and governments worldwide, and it appears that the U.S. government was a target of interest in the attack. According to sources familiar with the situation, the nation-state actors have been monitoring email at the U.S. Treasury and Commerce departments, but those may not be the only agencies to have been breached.
The SolarWinds Orion attack is being dubbed “Sunburst” by security researchers at FireEye, a cybersecurity firm. They report that Sunburst is a backdoor that was injected into Orion in a dynamic-link library (DLL) file called “SolarWinds.Orion.Core.BusinessLayer.dll.” After lying dormant for up to two weeks, the backdoor would communicate over HTTP with external servers. The malicious traffic would disguise itself as legitimate SolarWinds communications while giving the operators the capability to “transfer files, execute files, profile the system, reboot the machine, and disable system services.” In effect, once the backdoor was running on an Orion server, the attackers had full remote control of that machine and a foothold on the network it monitored.
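Because the backdoor's command-and-control traffic is designed to look like ordinary SolarWinds communication, inspecting request contents is a weak signal; a more robust hunt is to ask where an Orion server is talking at all, since a monitoring server has no business making HTTP requests to anything outside the vendor's domains. The following script is an added example, not code from the article or from FireEye or SolarWinds: it parses constructed proxy log lines (not real traffic from the incident), and the Orion server address and the allowed vendor domain list are assumptions for the example that a real deployment would replace with its own values.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines: timestamp, client IP, method, URL, status.
# These are illustrative only and are not real traffic from the incident.
SAMPLE_LOG = """\
2020-12-13T09:58:02Z 10.0.5.20 GET http://downloads.solarwinds.com/solarwinds/Release/notes.txt 200
2020-12-13T10:03:41Z 10.0.5.20 POST http://api.solarwinds.example.net/swip/upd/Orion.Wireless.xml 200
2020-12-13T10:04:10Z 10.0.8.7 GET http://www.example.org/index.html 200
2020-12-13T10:17:55Z 10.0.5.20 GET http://api.solarwinds.example.net/swip/Upload.ashx 200
2020-12-13T10:31:00Z 10.0.5.20 GET https://www.solarwinds.com/ 200
"""

# Assumptions for this example (not facts from the article): the address of the
# Orion server and the vendor domains it is legitimately allowed to reach.
ORION_HOSTS = {"10.0.5.20"}
ALLOWED_DOMAINS = {"solarwinds.com"}

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, status = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "host": host, "status": int(status)}


def host_allowed(host, allowed=ALLOWED_DOMAINS):
    """True if host equals an allowed domain or is a subdomain of one.

    The check is on DNS label boundaries, so a look-alike name that merely
    contains the vendor string (e.g. solarwinds.example.net) is rejected.
    """
    return any(host == d or host.endswith("." + d) for d in allowed)


def suspicious_requests(log_text, orion_hosts=ORION_HOSTS, allowed=ALLOWED_DOMAINS):
    """Return every request made by an Orion host to a destination outside the allow list."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["src"] not in orion_hosts:
            continue
        if not host_allowed(rec["host"], allowed):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in suspicious_requests(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["host"]} {h["method"]} {h["url"]}')
```

Two caveats when running a hunt like this for real. First, the backdoor's dormancy period means the first two weeks of logs after an Orion upgrade can look perfectly clean, so the lookback window has to be long enough to cover the period after the implant activated. Second, the allow list must be built from what the deployment actually needs (update and licensing endpoints) rather than from whatever the server has historically contacted, or the malicious destinations get baselined in as normal.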
Evidently, the U.S. Treasury and Commerce departments were using the SolarWinds Orion platform for their large IT needs. The backdoor then appears to have allowed the attackers, believed to be working on behalf of Russia, to monitor these departments’ email. It is unknown, however, how many other agencies and organizations were affected by the breach. SolarWinds’ website reports that the following groups, among others, use the Orion platform: