Alleged China-linked hackers used SolarWinds bug to breach National Finance Center

Alleged China-linked hackers have exploited a flaw in the SolarWinds Orion software to hack systems at the U.S. National Finance Center.

FBI investigators discovered that allegedly China-linked hackers have exploited a flaw in the SolarWinds Orion software to break into the systems of the U.S. National Finance Center.

The National Finance Center is a federal payroll agency in the U.S. Department of Agriculture, that provides human resources and payroll services to hundreds of federal agencies.

The incident has not been linked to the recently disclosed SolarWinds supply chain attack, in the attack against the NFC the threat actors exploited a different vulnerability.

“Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.” reported the Reuters agency.

“The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.”

SolarWinds announced it was aware of a successful attack carried out by the second hacker group, but did not attribute it to a specific threat actor. The software provider pointed out that hackers did not compromise its internal network and confirmed that it had already addressed the flaw exploited in the attack.

“In the case of the sole client it knew about, SolarWinds said the hackers only abused its software once inside the client’s network. SolarWinds did not say how the hackers first got in, except to say it was “in a way that was unrelated to SolarWinds.” continues the Reuters.

The U.S. Department of Agriculture confirmed the security breach and “has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise.”

Later, a different USDA spokesman, denied that the NFC was hacked and added that “there was no data breach related to Solar Winds” at the agency.

According to Reuters’ sources who spoke on condition of anonymity, the threat actors’ tools and C2 infrastructure were employed in past attacks conducted by China-linked threat actors.

The Chinese foreign ministry denied the involvement of Chine in this attack and invited the US authorities to support these allegations with evidence.

“China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.

At the time of this writing, Reuters was not able to determine the type and the volume of information the attackers have stolen from the National Finance Center (NFC). Experts highlighted that the potential impact of this security breach could be severe due to the type of data managed by the US agency.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Intel)

[adrotate banner=”5″]

[adrotate banner=”13″]