Technology

Microsoft identifies second hacking group affecting SolarWinds software

The discovery underscores the extent to which SolarWinds, whose customers include Fortune 500 companies, is a valuable target for hackers.

By Sean Lyngaas

December 21, 2020

(Photo illustration / Scoop News Group)

Microsoft revealed that a second hacking group had deployed malicious code that affects software made by SolarWinds, the federal contractor at the center of a suspected Russian espionage campaign against multiple U.S. government agencies.

“[T]he investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” a Microsoft research team said in a blog post on Friday.

The discovery underscores the extent to which Texas-based SolarWinds, whose software is used throughout Fortune 500 companies, is a valuable target for hackers.

The newly revealed malware, known to researchers as Supernova, differs from the alleged Russian tampering because it does not appear to involve a compromise of the supply chain, Microsoft said. The Supernova code does, however, allow an attacker to send and execute a malicious program on the victim’s device, Microsoft said.

While Russian hackers are suspected in the compromise of the Orion software updates, it is unclear who is responsible for the additional malware discovered by Microsoft. A spokesperson for Microsoft declined to comment.

Researchers from cybersecurity firm Palo Alto Networks described Supernova as using “in-memory execution,” meaning the malicious code is loaded within a computer’s memory rather than on its disk. This suggests the code is designed to evade certain cybersecurity software that covers more external parts of a computer.

U.S. lawmakers have announced investigations into the alleged Russian supply-chain compromise of SolarWinds, and victims are still coming forward.

Treasury Secretary Steven Mnuchin confirmed on Monday that his department had been breached via “third-party software.” Treasury had stayed quiet compared to some other government agencies that acknowledged they had been hit. Mnuchin said on CNBC that the hackers didn’t break in to the department’s classified systems, a subject that drew interest from Capitol Hill.

Moscow has denied involvement in the hacking campaign.

Any investigation into the second hacking group that targeted SolarWinds software will likely be overshadowed by the probe into alleged Russian espionage. But in the meantime, security researchers have a new lead to explore.

Tim Starks contributed reporting.