About 30% of SolarWinds attack victims were not SolarWinds customers
In January 2021, it became known that the information security company Malwarebytes had been breached by the same hackers who attacked SolarWinds. At the same time, Malwarebytes stressed that it did not use SolarWinds products at all and had never installed the trojanized version of Orion; the attackers used a “different intrusion vector” to gain access to a limited subset of its internal emails.
Now Brandon Wales, acting director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA), has said that overall about a third of the organizations attacked by these hackers had no direct connection to SolarWinds.
“[Hackers] accessed their targets in a variety of ways. These attackers were ingenious … It is absolutely true that this campaign should not be considered as part of the campaign against SolarWinds,” says Wales.
For example, in many cases the attackers gained their initial foothold by password spraying: trying a small number of common passwords against many individual email accounts in the targeted organization, so that no single account accumulates enough failures to trigger a lockout. Once inside, the hackers used a range of sophisticated techniques aimed at escalating privileges and bypassing authentication in Microsoft cloud services.
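The signature that distinguishes password spraying from a classic brute-force attempt is "many accounts, few failures each, one source" rather than "one account, many failures". The following detection logic is an added example written for this page, not code from CISA, Malwarebytes or any of the vendors named here. It runs over a handful of constructed sign-in events (timestamp, account, source IP, result); the field layout and the thresholds (30-minute window, at least 5 distinct accounts, at most 3 failures per account) are assumptions chosen for illustration, and should be tuned to the identity provider and the baseline of the environment being monitored.

```python
"""Detect password spraying vs. brute force in sign-in events (added example).

A spray touches MANY accounts with FEW attempts each, staying under lockout
thresholds; brute force hammers FEW accounts with MANY attempts. Grouping
failures by source IP and counting distinct accounts per time window
separates the two.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real logs. Fields: (timestamp, account, source IP, result).
SAMPLE_EVENTS = [
    # Spray from 203.0.113.7: six accounts, one failure each, then a success for frank.
    ("2021-01-10T09:00:05Z", "alice@example.com", "203.0.113.7", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:00:09Z", "bob@example.com",   "203.0.113.7", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:00:14Z", "carol@example.com", "203.0.113.7", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:00:20Z", "dave@example.com",  "203.0.113.7", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:00:27Z", "erin@example.com",  "203.0.113.7", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:00:33Z", "frank@example.com", "203.0.113.7", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:00:40Z", "frank@example.com", "203.0.113.7", "SUCCESS"),
    # Brute force from 198.51.100.9: one account, eight failures in five minutes.
    *[(f"2021-01-10T09:1{i}:00Z", "admin@example.com", "198.51.100.9", "FAIL_BAD_PASSWORD")
      for i in range(0, 4)],
    *[(f"2021-01-10T09:1{i}:30Z", "admin@example.com", "198.51.100.9", "FAIL_BAD_PASSWORD")
      for i in range(0, 4)],
    # Normal traffic: a typo followed by a success, and a clean login.
    ("2021-01-10T09:20:00Z", "alice@example.com", "192.0.2.4", "FAIL_BAD_PASSWORD"),
    ("2021-01-10T09:20:15Z", "alice@example.com", "192.0.2.4", "SUCCESS"),
    ("2021-01-10T09:25:00Z", "bob@example.com",   "192.0.2.5", "SUCCESS"),
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {source_ip: sorted list of distinct accounts} for sources whose
    failures within one window span >= min_accounts accounts while no single
    account exceeds max_per_account failures (the spraying pattern)."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result.startswith("FAIL"):
            failures[ip].append((parse_ts(ts), user.lower()))
    findings = {}
    for ip, rows in failures.items():
        rows.sort()
        counts, start = Counter(), 0
        for t_end, user in rows:  # sliding window over this source's failures
            counts[user] += 1
            while t_end - rows[start][0] > window:
                old = rows[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                if len(counts) > len(findings.get(ip, [])):
                    findings[ip] = sorted(counts)  # keep the widest qualifying window
    return findings


def detect_brute_force(events, window=timedelta(minutes=30), min_failures=5):
    """Return {(source_ip, account): peak failures in one window} for pairs
    that exceed min_failures (the classic single-account pattern)."""
    failures = defaultdict(list)
    for ts, user, ip, result in events:
        if result.startswith("FAIL"):
            failures[(ip, user.lower())].append(parse_ts(ts))
    findings = {}
    for key, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_failures:
            findings[key] = peak
    return findings


def successes_from_spray_sources(events, spray_findings):
    """A successful sign-in from a source already flagged as spraying is the
    alert that matters: it means the spray found a valid credential."""
    return [(user.lower(), ip) for _, user, ip, result in events
            if result == "SUCCESS" and ip in spray_findings]


if __name__ == "__main__":
    sprays = detect_spray(SAMPLE_EVENTS)
    print("spray sources:", sprays)
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
    print("compromised by spray:", successes_from_spray_sources(SAMPLE_EVENTS, sprays))
```

Note that the brute-force rule never fires on the spraying source (each account there fails only once), and a per-account lockout rule would not fire either; only the per-source distinct-account count exposes it. In production the same logic should also key on anonymizing-proxy or cloud-provider address ranges, since sprays are routinely spread across many source IPs to stay under a per-IP threshold like this one.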
In another case, CrowdStrike, also a target of this group, reported that an attacker unsuccessfully tried to read its email through a compromised account belonging to a Microsoft reseller the company worked with.
According to The Wall Street Journal, SolarWinds is currently investigating whether flaws in Microsoft products, rather than something else, served as the attackers’ initial entry vector into the company’s own network.
“Although Microsoft said last December that the attackers gained access to the company’s corporate network and got to internal source code, there was no indication that Microsoft systems were being used to attack other companies and organizations,” The Wall Street Journal wrote.
As a reminder, the attack on SolarWinds is attributed to a Russian-speaking hacking group that security researchers track under the names StellarParticle (CrowdStrike), UNC2452 (FireEye) and Dark Halo (Volexity).
In December 2020, it became known that unknown attackers had compromised SolarWinds and trojanized its Orion platform. According to official figures, of SolarWinds’ 300,000 customers only 33,000 used Orion, and the trojanized version was installed by approximately 18,000 of them. The victims included giants such as Microsoft, Cisco and FireEye, as well as many US government agencies, including the State Department and the National Nuclear Security Administration.