AUSTIN, Texas – Hackers broke into the networks of the Treasury and Commerce departments as part of a monthslong global cyberespionage campaign revealed Sunday, and an Austin-based software provider is in the middle of it.
What You Need To Know

  • Foreign hackers targeted Treasury, Commerce departments

  • Apparent conduit is Austin-based software supplier SolarWinds

  • SolarWinds used by hundreds of thousands of organizations globally

  • Malware provided hackers remote access to victims' networks

In response to what may be a large-scale penetration of U.S. government agencies, the Department of Homeland Security’s cybersecurity arm issued an emergency directive calling on all federal civilian agencies to scour their networks for compromises.

The threat apparently came from the same cyberespionage campaign that has afflicted cybersecurity company FireEye, foreign governments and major corporations, and the FBI was investigating.

“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.

According to a report from the Associated Press, the apparent conduit for the Treasury and Commerce Department hacks — and the FireEye compromise — is a hugely popular piece of server software made by SolarWinds, a company based in Austin, Texas. The software is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.

A message on the SolarWinds website states the following, in part:

“SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.

“We are recommending you upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure the security of your environment. The latest version is available in the SolarWinds Customer Portal.”
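The vendor statement above names an affected build range (2019.4 HF 5 through 2020.2.1) and a fixed build (2020.2.1 HF 1). An administrator with a list of Orion installations needs a repeatable way to tell which of them fall inside that range. The script below is an added example, not code from SolarWinds or from this article: it parses Orion-style version strings (a dotted release number with an optional "HF n" hotfix suffix), orders them, and triages a constructed inventory. The inventory hostnames are made up, and the ordering rule (any dotted release is padded to three numbers, then the hotfix number breaks ties, so a later dotted release always ranks above an earlier one regardless of hotfix) is an assumption of this example rather than a documented SolarWinds convention.

```python
import re
from typing import List, NamedTuple, Tuple


class OrionVersion(NamedTuple):
    """Sortable form of an Orion version: dotted release numbers, then hotfix."""
    release: Tuple[int, int, int]   # e.g. "2020.2.1" -> (2020, 2, 1); "2019.4" -> (2019, 4, 0)
    hotfix: int                     # "HF 5" -> 5; no suffix -> 0


# Accepts strings such as "2020.2.1", "2019.4 HF 5", "2020.2.1 HF1" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){0,2})\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> OrionVersion:
    """Parse a vendor-style version string; raise ValueError on anything unexpected."""
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # pad so tuple comparison is well defined
    return OrionVersion((parts[0], parts[1], parts[2]), int(match.group(2) or 0))


# Range taken from the vendor statement quoted in the article.
FIRST_AFFECTED = parse_orion_version("2019.4 HF 5")
LAST_AFFECTED = parse_orion_version("2020.2.1")
FIXED_VERSION = parse_orion_version("2020.2.1 HF 1")


def is_affected(version: str) -> bool:
    """True when the version lies inside the affected build range (inclusive)."""
    v = parse_orion_version(version)
    return FIRST_AFFECTED <= v <= LAST_AFFECTED


def is_patched(version: str) -> bool:
    """True when the version is at or beyond the fixed hotfix release."""
    return parse_orion_version(version) >= FIXED_VERSION


def triage_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify "hostname,version" lines as affected, clear or unknown.

    Blank lines and lines starting with '#' are skipped. A version that cannot
    be parsed is reported as 'unknown' rather than silently treated as safe.
    """
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        version = version.strip()
        try:
            status = "affected" if is_affected(version) else "clear"
        except ValueError:
            status = "unknown"
        results.append((host.strip(), version, status))
    return results


# Constructed sample inventory; hostnames and versions are invented for this example.
SAMPLE_INVENTORY = [
    "# host,orion_version",
    "orion-prod-01,2020.2.1",
    "orion-lab-02,2019.4 HF 5",
    "orion-dr-03,2020.2.1 HF 1",
    "orion-old-04,2019.4 HF 4",
    "orion-bad-05,not-recorded",
]


if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:<16} {version:<16} {status}")
```

Hosts reported as `unknown` deserve a manual look rather than being dropped from the list: a missing or malformed version record is exactly the case an inventory-driven check tends to get wrong, and the upgrade decision for the `affected` rows follows the vendor's stated target of 2020.2.1 HF 1.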

The malware gave the hackers remote access to victims’ networks, and Alperovitch said SolarWinds grants “God-mode” access to a network, making everything visible.

“We anticipate this will be a very large event when all the information comes to light,” said John Hultquist, director of threat analysis at FireEye. “The actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.”

Cybersecurity experts said last week that they considered Russian state hackers to be the main suspect in the FireEye hack.

On Sunday, Russia’s U.S. embassy described as “unfounded” in a post on its Facebook page the “attempts of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies.”

The Associated Press contributed to this report.