The FBI has discovered that the National Finance Center (NFC), a U.S. Department of Agriculture (USDA) federal payroll agency, was compromised by exploiting a SolarWinds Orion software flaw, according to a Reuters report.
NFC provides human resources and payroll services to roughly 170 federal agencies and over 650,000 federal employees since 1973.
USDA confirms data breach
The software vulnerability used to break into NFC’s systems is different than the one used by suspected Russian nation-state hackers to compromise the update mechanism of the Orion software to deploy the Sunburst backdoor on SolarWinds customers‘ systems.
Even though both the FBI and the USDA declined to provide further comment, the latter confirmed that it had suffered a data breach.
The USDA did, however, provide a statement saying that it „notified all customers (including individuals and organizations) whose data has been affected.“
The threat actors behind the USDA agency hack are suspected to be part of a Chinese-backed hacking group according to Reuters‘ sources.
Reuters sources believe the attackers to be based out of China as they utilize infrastructure and tools utilized in previous state-backed Chinese cyberattacks.
Hack exploited flaw used to deploy Supernova backdoor
Although the vulnerability was not named, Reuters reporters said that the suspected Chinese hackers used the same security bug that made it possible for threat actors to deploy the Supernova backdoor on systems where vulnerable versions of the Orion platform had been installed.
„This vulnerability in the Orion Platform has been resolved in the latest updates,“ SolarWinds said in an advisory providing information on the Sunburst and Supernova malware.
Organizations that cannot immediately upgrade to these patched versions, can use a script SolarWinds provides in their advisory to temporarily protect their systems against attempts to deploy the malware.
SuperNova was deployed as a DLL file that allowed attackers to remotely send, compile, and execute malicious code on compromised systems.
Compromised US government targets
The list of U.S. government agencies confirmed as having been hit in the SolarWinds supply-chain attack includes:
- U.S. Department of the Treasury
- U.S. National Telecommunications and Information Administration (NTIA)
- U.S. Department of State
- The National Institutes of Health (NIH) (part of the U.S. Department of Health)
- U.S. Department of Homeland Security (DHS)
- U.S. Department of Energy (DOE)
- U.S. National Nuclear Security Administration (NNSA)
Earlier this month, the Administrative Office of the U.S. Courts has also disclosed an ongoing investigation of a potential compromise of the federal courts‘ case management and electronic case files system.
Images: Image by NASA (Public Domain)