As we said earlier , recently it became known about a large-scale attack on the supply chain, which affected SolarWinds and its clients, including the US Treasury Department, the National Information and Telecommunications Administration under the US Department of Commerce, and the information security company FireEye.
As Forbes now reports , since SolarWinds is a major contractor to the US government, the company’s regular customers also include the US Cyber Command, Department of Defense, FBI, Department of Homeland Security and many others. However, according to Reuters , despite Orion’s huge customer base, the attackers seem to have focused their attacks on a small number of important targets, while most ordinary clients were left alone.
SolarWinds representatives have already admitted that the Orion platform, designed for centralized monitoring and control, has been hacked. Typically, Orion is used in large networks to track all IT resources such as servers, workstations, mobile phones and IoT devices.
It is currently confirmed that versions 2019.4-2020.2.1 released between March 2020 and June 2020 have been infected with malware. The developers have already started releasing patches , and also emphasize that other products of the company have not been compromised. Microsoft , FireEye and the US Department of Homeland Security Agency for Cybersecurity and Infrastructure Protection ( DHS CISA ) also released their own indicators of compromise and instructions for working with infected systems .
SolarWinds has now filed papers with the US Securities and Exchange Commission, as required by law in such cases. These documents revealed that of the company’s 300,000 customers, only 33,000 had used Orion, and all of them had already been notified of the incident. At the same time, according to SolarWinds, the infected version of the Orion platform was installed in only 18,000 clients.
Although SolarWinds has not officially disclosed exactly how the hackers managed to infiltrate its network, the documents mentioned above say that the company also learned from Microsoft about the compromise of mail accounts and Office 365 office applications. It is known that SolarWinds is currently investigating the incident and investigates whether cybercriminals could have used this access to steal client information.
Let me remind you that Washington Post sources linked this attack to the Russian-speaking hack group APT29 (aka Cozy Bear and Dukes), which, according to experts, operates under the auspices of the Russian authorities. However, FireEye experts did not report anything about the possible attribution of the attacks; instead, the company assigned the group a neutral codename UNC2452. Moreover, the company believes that this attack was not aimed specifically at the United States, but “among the victims were government, consulting, technology, telecommunications and mining companies in North America, Europe, Asia and the Middle East.”
The Russian Embassy in the United States has already reacted to these accusations , stating that “attacks in the information space contradict the foreign policy principles of our country, its national interests and understanding of how relations between states are built. Russia does not conduct “offensive” operations in a virtual environment. “