SolarWinds Hackers Breached RNC Via Synnex In New Attack: Report

The Republican National Committee uses Synnex as a vendor and was informed by Microsoft that the Fremont, Calif.-based distributor’s system may have been exposed, an RNC spokesman told Bloomberg.

The Russian government hackers behind the SolarWinds campaign breached the computer systems of the Republican National Committee through Synnex in a new attack, Bloomberg reported.

The RNC uses Synnex as a vendor and was informed by Microsoft that the Fremont, Calif.-based distributor’s system may have been exposed, RNC spokesman Mike Reed told Bloomberg Saturday. There is no indication, however, that the RNC itself was hacked or that any RNC information was stolen, Reed told Bloomberg. The RNC didn’t immediately respond to CRN requests for comment.

The Russian foreign intelligence service (SVR) is suspected to have attacked the RNC through Synnex, two people familiar with the matter told Bloomberg late Tuesday afternoon. Synnex admitted Tuesday morning that hackers had attempted to use the distributor to gain access to customer applications within the Microsoft cloud environment.

Synnex said bad actors attempted on “a few instances” to access Microsoft cloud customer apps via the distributor, and the company declined to comment to CRN on either how successful those attempts were or the Bloomberg report. The distributor said Tuesday it’s been working with Microsoft as well as a third-party cybersecurity vendor to conduct a thorough review of the attack since it was identified.

“As our review continues, we are unable to provide any specific details,” Michael Urban, Synnex’s president of worldwide technology solutions distribution, said in a statement to Bloomberg. “As with any security issue, a full review of all companies, systems, third-party applications and related IT solutions must be completed before final determinations can be made.”

A Microsoft spokesperson told CRN that the Redmond, Wash.-based software giant can’t talk about the specifics of any particular case without customer permission. “We continue to track malicious activity from nation-state threat actors - as we do routinely - and notify impacted customers through our nation-state notification process,” Microsoft said in an emailed statement.

The SVR is looking to take advantage of the chaos created by Friday’s REvil ransomware attack against Kaseya and its MSP customers to go after valuable intelligence targets, a source familiar with the matter told Bloomberg. FireEye’s Mandiant incident response division has observed Russian government hackers carrying out breaches in recent days, Mandiant SVP Charles Carmakal told Bloomberg.

“No question, the Russian government is absolutely benefitting from security companies and intelligence organizations being so focused on ransomware right now,” Carmakal told Bloomberg. “But the question is, is the Russian government providing tacit approval for ransomware operators or are they providing instructions? I don’t know.”

Synnex’s Urban told CRN Tuesday morning that the distributor has no relationship with Kaseya and doesn’t use any of its systems, including the compromised VSA remote monitoring and management product. “We do not know if this is related to the Kaseya ransomware attack to MSPs and some end customers,” Urban said in a statement emailed to CRN. “That is part of the review.”

The U.S. government formally blamed the SVR in April for the colossal SolarWinds attack, which compromised nine federal agencies as well as more than 100 private sector organizations. The SVR is also known as APT 29, Cozy Bear and Nobelium.

At the end of June, the SVR breached a Microsoft support agent’s machine and used the account information they obtained to launch highly-targeted attacks against customers, resulting in three cases of compromise. The SVR targeted IT companies in that effort as well as organizations in the government, non-governmental organization (NGO), think tank and financial services spaces, according to Microsoft.

The SVR is an equal opportunity hacker, having in 2015 compromised the Democratic National Committee servers. But the SVR didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Washington Post reported in December.

Synnex has a history of providing IT products and services to political candidates and parties. During the 2016 election cycle, the campaign of GOP candidate Ben Carson purchased $1,992 worth of equipment from the distributor, according to filings at the time with the U.S. Federal Election Commission (FEC).