Written by Shannon Vavra
It’s been widely reported that the suspected hacking team behind the massive and rapidly snowballing SolarWinds breach is linked with the Russian government.
But the U.S. has not publicly named any one culprit behind the espionage operation, in which hackers concealed malware in SolarWinds network management tool updates, possibly infecting thousands of organizations across the U.S. federal government and the private sector.
The National Security Agency, the U.S. Department of Defense’s foreign signals intelligence agency, on Thursday warned about an ongoing Russian state-sponsored hacking campaign that could be exacerbated by the SolarWinds breach.
The NSA issued an alert warning defense contractors and Pentagon IT staff that the SolarWinds Orion compromise could be used in concert with a previously identified Russian state-sponsored hacking effort to access contractors’ data. The NSA did not claim that the Russian hackers, who have been exploiting a VMware flaw to access data, are involved in the SolarWinds compromise.
But the agency left open the possibility that hackers could use the SolarWinds compromise first and then exploit the VMware flaw to spy on the Pentagon and the U.S. defense industrial base.
“The recent SolarWinds Orion code compromise is one serious example of how on-premises systems can be compromised leading to abuse of federated authentication and malicious cloud access,” the NSA warned, referencing the kinds of abuses the VMware flaw could enable for hackers.
The NSA declined to comment on whether the agency has observed hackers using the SolarWinds Orion compromise and the VMWare flaw in parallel, or in succession. The NSA also declined to comment on attribution of the SolarWinds breach.
The reported Russian state-sponsored effort exploiting the VMware flaw, which the NSA warned about earlier this month, takes advantage of a recently announced vulnerability affecting VMware Workspace One Access, Access Connector, Identity Manager and Identity Manager Connector. In at least one case the hackers have successfully accessed protected systems by exploiting the flaw, according to the NSA.
To exploit that flaw, hackers must already have access to the management interface of target devices, which suggests the Russian hackers already had password-level access, according to the earlier alert.
VMware previously issued a patch for the issue.
The SolarWinds breach, the full extent of which has yet to be determined, has raised questions about what the U.S. intelligence community knew about the Russian hacking beforehand, if anything. A private sector security firm, not the federal government, reportedly was the first to raise an alarm about the breach.
Although the NSA warning hints at the agency’s arsenal of knowledge on the Russian actors, it does not necessarily answer the question of whether the intelligence community knew about the SolarWinds breach beforehand. But it’s another signal from the signals intelligence agency that system administrators should pay attention: the VMware flaw is being actively exploited, and the SolarWinds breach may make it easier for hackers to continue abusing it.
The latest NSA release comes just as lawmakers are raising questions about how hackers in the SolarWinds case were able to sneak past U.S. government counterintelligence and cyber defenses at such a massive scale.
“I’m asking why this stunning cyberattack seemingly went undetected for months [and] then was discovered only by private contractors,” Sen. Richard Blumenthal, D-Conn., tweeted after receiving a classified briefing on the matter. “The American people deserve [and] need answers. I’ll push hard to declassify as much as possible.”
And while the government has not formally attributed the SolarWinds breach to Russia, other clues that it could be Russia have come from lawmakers and the State Department.
Following the SolarWinds briefing, Blumenthal indicated Russia was responsible.
“Today’s classified briefing on Russia’s cyberattack left me deeply alarmed, in fact downright scared,” Blumenthal said Tuesday in a tweet.