Suspected Chinese Hackers Possibly Infiltrated Federal Payroll Agency Through SolarWinds Hack

On December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) announced a massive security breach involving the SolarWinds Orion software used by multiple federal agencies. While the victims of the attack, which officials suspect was the work of Russian hackers, were initially assumed to be limited to SolarWinds customers, CISA Acting Director Brandon Wales has since said that over 30% of the victims did not use SolarWinds at all. SolarWinds estimated that 18,000 customers in both the public and private sectors had downloaded an update carrying malware that allowed outside parties to access their information.

Now there is concern that Chinese hackers may also have gained access to federal data during the period of the SolarWinds hack. By exploiting a separate software vulnerability, Chinese hackers may have been able to access thousands of files and information on federal employees and agencies, according to Reuters.

In an exclusive report by Reuters, two people briefed on the case said that FBI investigators recently found that the National Finance Center (NFC), a federal payroll agency, was also affected in the breach. The FBI declined to comment to Reuters on the topic.

A spokesman for the U.S. Department of Agriculture (USDA) told Reuters, “USDA has notified all customers (including individuals and organizations) whose data has been affected.” Reuters reported that a different USDA spokesman later “said the NFC was not hacked and that ‘there was no data breach related to Solar Winds’ at the agency. He did not provide further explanation.”

On its website, NFC says it “services more than 160 diverse agencies, providing payroll services to more than 600,000 Federal employees.” FEDmanager reached out to NFC for comment but did not receive a response.

Former U.S. chief information security officer Gregory Touhill explained to Reuters, “It wouldn’t be the first time we’ve seen a nation-state actor surfing in behind someone else.” Both intrusions are alleged to have targeted the U.S. government, but they are not believed to have been connected to each other.

Lawmakers are calling the SolarWinds hack and the resulting data breaches a national security emergency. The second group of hackers, suspected to be Chinese, gained access to these organizations using computer infrastructure and hacking tools previously associated with Chinese cyber-espionage operations.

Tom Warrick, a former senior official at the U.S. Department of Homeland Security, said of the potential double hack, “Depending on what data were compromised, this could be an extremely serious breach of security. It could allow adversaries to know more about U.S. officials, improving their ability to collect intelligence.”

Members of Congress are looking to the National Security Agency (NSA) for answers because a similar incident occurred at the software company Juniper in 2015, when malicious actors were able to infiltrate computer systems through malicious code in the company’s software. Lawmakers want to know why that weakness was never addressed, and how such a breach could once again affect federal agencies.

FEDmanager will continue to track and update this story as more information becomes available.
