Reuters: Chinese hackers suspected of using SolarWinds software flaws to spy on U.S. government payroll agencies

Suspected Chinese hackers broke into U.S. government computer systems last year with the help of a flaw in software produced by SolarWinds Corp, Reuters reported exclusively on Tuesday (Feb. 2), citing five sources familiar with the situation.

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll processing agency within the U.S. Department of Agriculture, was one of the organizations affected, fueling fears that data on thousands of federal employees could be compromised, the report said.

The software flaw allegedly exploited by the group of Chinese hackers is different from the SolarWinds software flaw that the U.S. accuses Russian government agents of using to compromise data. Russia is accused of hacking SolarWinds’ monitoring software, Orion, to compromise the networks of up to 18,000 SolarWinds customers, including sensitive federal agencies.

Security researchers previously said a second group of hackers was abusing SolarWinds software at the same time as the Russian hackers allegedly broke into SolarWinds, but there were no previous reports that the second group was suspected of being linked to China and that the group subsequently broke into U.S. government systems.

Reuters could not confirm how many organizations were hit by the suspected Chinese hackers. Reuters sources, who spoke on condition of anonymity to discuss the ongoing investigation, said the hackers took advantage of computer infrastructure and hacking tools previously used by state-backed Chinese cyber spies.

China’s foreign ministry said holding people accountable for cyberattacks is a “complex technical issue” and that any allegations must be backed by evidence. Reuters quoted a statement from the Chinese Foreign Ministry as saying, “China firmly opposes and combats any form of cyber attacks and theft of secrets.”

SolarWinds said it was aware of a second group of hackers who attacked one customer’s data, but “no conclusive evidence” was found to identify who was responsible. The company also said the attackers did not have access to the company’s own internal systems, and that it had released an upgrade in December to fix the software flaw that was being abused.

A spokesman for the U.S. Department of Agriculture acknowledged the data breach, but declined to comment further. The Federal Bureau of Investigation declined to comment.

Reuters said that while the two cyber espionage campaigns overlapped and both targeted the U.S. government, they were separate and apparently distinct operations, according to four people who investigated the two attacks and outside experts who reviewed the code used by the two groups of hackers.