U.K. Use of Software Linked to Russia-Hack Runs Deep

20 Dec 2020, 12:36 PM IST

(Bloomberg) -- The little-known Texas software company that’s been attacked by suspected Russian hackers has a sprawling reach among U.K. government agencies, potentially putting clients from the National Health Service to police forces at risk.

SolarWinds Corp., which fell victim to hackers who put a “backdoor” in the software giving them access to users’ computer networks, has been deployed by the U.K.’s Ministry of Justice and the intelligence and security organization GCHQ.

Procurement records also show that police forces from Scotland to Cornwall have also used the software. The Home Office, which oversees policing, posted a job opening for a software engineer for the “implementation of a fully resilient platform and architecture SolarWinds Orion monitoring system based upon the upgrade of the existing installation” in 2018.

“We are continuing to investigate this incident and have produced guidance for SolarWinds’ Orion suite customers,” said a spokesperson for the U.K. National Cybersecurity Centre. Representatives for the Home Office and the Ministry of Justice referred requests for comment to the NCSC.

“We have issued a high severity alert to the NHS which explains the action to take to mitigate this threat,” a spokesperson for NHS said in a statement. “We have been working closely with the National Cyber Security Centre to investigate this issue robustly. So far, we have no indication of any malicious activity, but our investigation is ongoing.”

More on SolarWinds:
Russia-Linked SolarWinds Hack Ensnares Widening List of Victims Hackers Tied to Russia Hit Nuclear Agency; Microsoft Is Exposed Suspected Russian Hackers Target Frail U.S. Supply Chain Biden Calls Cybersecurity a ‘Top Priority’ After Russian Hack FireEye Discovered SolarWinds Breach While Probing Own Hack

The malicious backdoor was installed by some 18,000 SolarWinds customers, although the actual number that were attacked is expected to be far smaller. In the U.S., the Cybersecurity and Infrastructure Security Agency, known as CISA, warned Thursday that the hackers were sophisticated, patient and well-resourced, representing a “grave risk” to federal, state and local governments as well as critical infrastructure and the private sector.

Still, no one has clarified what the hackers may have infiltrated, or whether any information was taken. The agencies contacted by Bloomberg wouldn’t comment on whether they’d been hacked. Many were unaware there was a potential problem. A spokesperson for University Hospital Birmingham said the group didn’t “upgrade to the version which has the problem.”

A Kremlin official has denied the allegations that it was a Russian-state sponsored attack. Bloomberg News reported that at least three U.S. state governments were hacked. That was followed by reports of other breaches: the city network in Austin, Texas, and the U.S. nuclear weapons agency. Software giant Microsoft Corp. said its systems were also exposed.

U.K. Clients of SolarWinds
Health and Social Care Information Centre Cabinet Office Government Communications Headquarters (GCHQ) Civil Aviation Authority Valuations Office Agency Ministry of Justice Government Communications Centre (HMGCC) Ministry of Defence (MoD) Royal Air Force, Defence Equipment and Support U.K. Hydrographic Office Medicines and Healthcare products Regulatory Agency Leeds City Council Gloucestershire County Council London Borough of Enfield Department for Work and Pensions Source: SolarWinds marketing materials, U.K. government data

U.K. Clients of SolarWinds

Health and Social Care Information Centre
Cabinet Office
Government Communications Headquarters (GCHQ)
Civil Aviation Authority
Valuations Office Agency
Ministry of Justice
Government Communications Centre (HMGCC)
Ministry of Defence (MoD)
Royal Air Force, Defence Equipment and Support
U.K. Hydrographic Office
Medicines and Healthcare products Regulatory Agency
Leeds City Council
Gloucestershire County Council
London Borough of Enfield
Department for Work and Pensions

Source: SolarWinds marketing materials, U.K. government data

The depth and scope of the hack has caught many organizations off guard. State agencies often have thousands of contracts with software companies, and a number contacted by Bloomberg said they had not yet looked into whether they might be at risk.

Much of the initial concern centered around SolarWinds’s Orion software, and a potential vulnerability related to software updates released between March and June 2020. However, on Thursday the CISA said it had evidence that SolarWinds’ Orion software wasn’t the only “access vector” used by the hackers, meaning they could have had other methods of penetrating computer networks.

Outside the U.S. and the U.K., SolarWinds has picked up contracts for the European Parliament, and NATO, according to details on its website.

“Our experts are currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks,” a spokesman from NATO said Friday.