SolarWinds hack affected six EU agencies

Six European Union institutions were hacked part of the SolarWinds supply chain attack, a top EU administration official said this week.

In a response to a question filed by an EU Parliament member in February 2021, European Commissioner for Budget and Administration Johannes Hahn cited the findings of CERT-EU, the Computer Emergency Response Team for EU institutions, which has been investigating the attacks.

Only 14 EU agencies ran SolarWinds; six were hacked

CERT-EU officials said that only 14 EU institutions ran a version of the SolarWinds Orion IT monitoring platform, which was the conduit of SolarWinds supply chain attack.

Hackers operating on behalf of the Russian Foreign Intelligence Service (SVR) breached Texas-based software vendor SolarWinds in the fall of 2019 and added malware to versions of the Orion app that was shipped to customers between March and June 2020.

The poisoned update reached approximately 18,000 SolarWinds customers, but the SVR hackers only escalated intrusions inside the networks of high-value targets.

While CERT-EU did not name the six EU agencies that received the poisoned update, nor did it specifically say if second-stage payloads were discovered, they said that for some institutions, there was "significant impact" and that "some personal data breaches occurred."

However, assessing the full damage may be an impossible task, Hahn said.

CERT-EU officials claimed that they don't have a full picture as EU official bodies are not required to report security incidents to their agency, with reporting taking place on a voluntary basis.

In the cases they received information, CERT-EU said that some agencies sent limited details on the attacks, and, while in other reports, network logs, used to hunt for clues about the hackers' actions, were often not available.

SolarWinds hack also hit a low single-digit number of UK bodies

But Hahn's reply this week also represents the first public admission that EU government bodies were impacted by the 2020 SolarWinds hack after EU officials have dodged questions and public comments for the past four months.

Is it just me or is publicly talking about SolarWinds a tabu topic for European governments? No official discussions on the EU level either. The overall approach seems to be: Don't talk about. Don't politicize it. Let the US deal with it.

— Stefan Soesanto (@iiyonite) December 18, 2020

Days after Hahn's disclosure, the EU joined the US, the UK, Canada, and NATO in formally accusing the Russian SVR of orchestrating the SolarWinds attack as part of a global cyber-espionage campaign.

Besides blaming the hack on Russia, in London, the UK government also disclosed for the first time that the number of public sector organizations targeted in the SolarWinds attack was lower than initially believed and estimated at "a low single digit number."

The UK and EU revelations come to confirm that the US government took the brunt of the SolarWinds attacks, with the number of impacted federal agencies and local governments reaching the tens.

Among the highest-profile victims, the State Department, the Department of Justice, the Department of Energy, the Cybersecurity and Infrastructure Agency, and the Treasury Department were impacted.

Last week, the EU also disclosed a separate security breach of multiple official bodies in an attack still shrouded in mystery.