WASHINGTON (Reuters) – Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.
Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.
The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company’s Orion network monitoring software.
Security researchers have previously said a second group of hackers was abusing SolarWinds’ software at the same time as the alleged Russian hack, but the suspected connection to China and ensuing U.S. government breach have not been previously reported.
Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.
A USDA spokesman said in an email “USDA has notified all customers (including individuals and organizations) whose data has been affected by the SolarWinds Orion Code Compromise.”
In a follow-up statement after the story was published, a different USDA spokesman said the NFC was not hacked and that “there was no data breach related to Solar Winds” at the agency. He did not provide further explanation.
The Chinese foreign ministry said attributing cyberattacks was a “complex technical issue” and any allegations should be supported with evidence. “China resolutely opposes and combats any form of cyberattacks and cyber theft,” it said in a statement.
SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible. The company added that the attackers did not gain access to its own internal systems and that it had released an update to fix the bug in December.
In the case of the sole client it knew about, SolarWinds said the hackers only abused its software once inside the client’s network. SolarWinds did not say how the hackers first got in, except to say it was “in a way that was unrelated to SolarWinds.”
The FBI declined to comment.