Russia's SVR spy agency made off with information about US counterintelligence investigations in the wake of the SolarWinds hack, according to people familiar with the American government cleanup operation.
The alarming snippet was reported by financial newswire Reuters. The SVR was named and shamed in April by Britain and the US as the organisation that compromised the build systems of SolarWinds' network monitoring software Orion, used by 18,000 customers across the world. Those customers included the UK and US governments, among many, many others.
The attack is said to have led to the Russian foreign intelligence service making off with "information about counterintelligence investigations, policy on sanctioning Russian individuals and the country's response to COVID-19," according to people involved in the US government's investigation who spoke to Reuters.
It was also reported that the SVR stole software signing certificates so their software could be run on them.
The attackers compromised SolarWinds' build servers, inserting a backdoor into the next version of the software that was distributed through trusted channels as part of a scheduled, routine update. They spent months covering their tracks and lying low to see if they'd been detected; it took even US infosec behemoth FireEye months to realise what had happened on its own networks.
Russia attempted to deny involvement in the compromise of SolarWinds' Orion network management 'n' monitoring product, though there was little room for doubt in the emphatic statements issued by the UK and US in April – along with their expulsion of known Russian spies from their territories as a mark of disapproval.
- Autodesk was one of the 18,000 firms breached in SolarWinds attack, firm admits
- SolarWinds urges US judge to toss out crap infosec sueball: We got pwned by actual Russia, give us a break
- Microsoft names Chinese group as source of new attack on SolarWinds
- SolarWinds issues software update – one it wrote for a change – to patch hole exploited in the wild
Orion's compromise was first noticed by FireEye, which said it detected the Russian intrusion in early December last year.
Investigations revealed that Orion had been used as a foothold into thousands of organisations including the US Treasury and Department of Commerce. The software was also widely used in the British public sector, though official sources speaking off the record insisted that the Orion compromise had minimal effect on the UK.
The idea that Defence Equipment and Support just wasn't of interest to a foreign intelligence agency seems too farfetched to be true.
SolarWinds' chief exec, who took the post three days before the breach became public knowledge, declared that the 18,000 organisations affected by the backdoored software was a "very small number".
The firm is currently trying to stave off a lawsuit from aggrieved shareholders who claim they were misled about SolarWinds' security posture, notwithstanding that they were attacked by a hostile state actor which went to extraordinary lengths to cover its track.
A not-very-subtle campaign to blunt the SVR's ongoing exploitation attempts post-SolarWinds was mounted by Britain's National Cyber Security Centre, which spent a gleeful couple of summer months telling world+dog exactly what the SVR did next after having the SolarWinds breach attributed to it. ®