Up to 18,000 SolarWinds customers installed poisoned update that could allow state-sponsored attack

US Government departments amongst the victims, as finger of suspicion points at Kremlin-backed hackers.

Graham Cluley
@gcluley

The United States Department of Commerce, Treasury, State Department, National Institutes of Health, Homeland Security, and Pentagon have had their networks compromised in what appears to have been a massive supply-chain attack on American government systems.

At the centre of the attack is enterprise monitoring software company SolarWinds, which has more than 300,000 customers around the world. In a regulatory disclosure issued yesterday, SolarWinds shared limited details of what happened.

According to the company, hackers “inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”

Sign up to our newsletter
Security news, advice, and tips.

The vulnerability was present within the Orion products and existed in updates to the product released between March and June 2020, after the attackers compromised the software build system for Orion.

SolarWinds said that it believed the security breach was likely the result of “a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”

Already many have pointed the finger of blame in the direction of the APT29 hacking group (also known as “the Dukes” or “Cozy Bear”), who have close ties to Russian intelligence, but SolarWinds says it has not confirmed the identity of its attackers.

The breach, which was made public in the wake of the high profile state-sponsored compromise of cybersecurity vendor FireEye, is said to have resulted in some 18,000 customers of SolarWinds downloading malicious versions of Orion that could have been exploited by the hackers to gain backdoor access to networks.

Presently it appears, however, that not all companies who were running the poisoned software did experience a security breach – but high profile victims did include US government organisations.

This inevitably plays into the theory that a state-sponsored attacker is responsible for the attack, perhaps focusing their attention on the highest value targets inside the US government.

The United States Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive urging all federal agencies to check their networks for evidence that they might have been compromised, and disable SolarWinds Orion products immediately.

In a security advisory, SolarWinds has told at-risk customers to upgrade to Orion Platform version 2020.2.1 HF 1 “as soon as possible to ensure the security of your environment.”

Further reading:

Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One comment on “Up to 18,000 SolarWinds customers installed poisoned update that could allow state-sponsored attack”

  1. Have you hear the news, Microsoft is one of those 18,000 customers. I truly wonder whether their Windows Update servers were compromised during the last 6 months…its a scary thought.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.