Reuters was not able to establish how many organisations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.
SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it had released an update to fix the exploited software bug in December.
A USDA spokesman acknowledged a data breach had occurred but declined further comment. The FBI declined to comment.
Although the two espionage efforts overlap and both targeted the US government, they were separate and distinctly different operations, according to four people who have investigated the attacks and outside experts who reviewed the code used by both sets of hackers.
While the alleged Russian hackers penetrated deep into SolarWinds network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said.
The side-by-side missions show how hackers are focusing on weaknesses in obscure but essential software products that are widely used by major corporations and government agencies.
“Apparently SolarWinds was a high value target for more than one group,” said Jen Miller-Osborn, the deputy director of threat intelligence at Palo Alto Networks’ Unit42.
Former US chief information security officer Gregory Touhill said separate groups of hackers targeting the same software product was not unusual. “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else, it’s like ‘drafting’ in NASCAR,” he said, where one racing car gets an advantage by closely following another’s lead.
The connection between the second set of attacks on SolarWinds customers and suspected Chinese hackers was only discovered in recent weeks, according to security analysts investigating alongside the US government.
Reuters could not determine what information the attackers were able to steal from the National Finance Center (NFC) or how deep they burrowed into its systems. But the potential impact could be “massive,” former US government officials told Reuters.
The NFC is responsible for handling the payroll of multiple government agencies, including several involved in national security, such as the FBI, State Department, Homeland Security Department and Treasury Department, the former officials said.
Records held by the NFC include federal employee social security numbers, phone numbers and personal email addresses as well as banking information. On its website, the NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.”