SolarWinds Attack Affected Less Than 100 Company Clients
Last week, representatives of the Texas-based company SolarWinds, which in 2020 suffered from a massive attack on the supply chain, filed documents with the US Securities and Exchange Commission.
The statement said that based on new information that emerged during the investigation of the attack (in particular, the DNS traffic logs), it became clear that the incident affected not 18,000 clients, as previously thought, but only about 100.
Let me remind you that the SolarWinds hack has become one of the largest supply chain attacks in history. In December 2020, it became known that unknown attackers had compromised the company and infected its Orion platform with malware. Of the 300,000 SolarWinds customers, only 33,000 were using Orion, and at the beginning of the year it was reported that, according to official figures, the infected version of the platform had been installed by approximately 18,000 customers.
As a result of this incident, giants such as Microsoft, Cisco, FireEye, as well as many US government agencies, including the State Department, the Department of Justice and the National Nuclear Security Administration, were affected.
The American authorities officially blamed Russia for this attack. Joe Biden’s administration claims that the Russian Foreign Intelligence Service and its “government hackers” known as APT 29, Cozy Bear or The Dukes were behind the attack. According to the authorities, they “used the SolarWinds Orion platform and other IT infrastructures as part of a large-scale cyber-espionage campaign.”
“We estimate that the actual number of clients hacked with SUNBURST is less than 100. This information is consistent with estimates provided by US government agencies and other researchers, and is consistent with the assumption that the attack was targeted,” the company now says, explaining that the attackers were only interested in a few selected targets, including large companies and government organizations.
Investigators did find about 18,000 downloads of the malicious version of Orion, but many of the company’s customers never installed that version. In other cases, the infected Orion update ended up on networks isolated from the outside world, where the malware could not reach its command and control server, so the attack ended before it could start.
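The distinction the filing draws between a download, an install, and an actual compromise is exactly what DNS logs let a defender measure: a host that never resolved the command and control domain never beaconed. The script below is an added example, not code from the article or from SolarWinds; it correlates constructed download records with constructed resolver log lines to count who downloaded, who installed, who was isolated, and who actually beaconed. The log format, the customer names and the C2 name are all assumptions (the real campaign domain is not given on this page, so a `.invalid` placeholder stands in for it).

```python
import re
from collections import defaultdict

# Assumed placeholder for the C2 domain; the page does not name the real one.
C2_DOMAIN_SUFFIX = ".c2-placeholder.invalid"

# Constructed download records: one per customer that fetched the bad build.
DOWNLOADS = [
    {"customer": "cust-a", "installed": True,  "isolated": False},
    {"customer": "cust-b", "installed": True,  "isolated": False},
    {"customer": "cust-c", "installed": True,  "isolated": False},
    {"customer": "cust-d", "installed": True,  "isolated": True},   # air-gapped
    {"customer": "cust-e", "installed": False, "isolated": False},  # downloaded only
]

# Constructed resolver log: timestamp, customer, client IP, queried name.
# The "notc2-..." line is a lookalike that must NOT match the suffix check.
DNS_LOG = """\
# ts customer client_ip qname
2020-04-02T10:15:01Z cust-a 10.1.2.3 host1.sub.c2-placeholder.invalid.
2020-04-02T10:15:02Z cust-a 10.1.2.3 www.example.com.
2020-04-03T11:00:00Z cust-a 10.1.2.4 host2.c2-placeholder.invalid
2020-04-03T12:00:00Z cust-c 10.9.9.9 host3.c2-placeholder.invalid
2020-04-04T09:00:00Z cust-b 10.5.5.5 notc2-placeholder.invalid
2020-04-04T09:00:01Z cust-e 10.7.7.7 mail.example.org
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<customer>\S+) (?P<client_ip>\S+) (?P<qname>\S+)$")


def customers_that_beaconed(log_text, suffix=C2_DOMAIN_SUFFIX):
    """Return {customer: number of C2 lookups} from resolver log lines.

    A name matches only if, after stripping the trailing dot and lowercasing,
    it ends with the full dotted suffix, so lookalike apex names do not count.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        qname = m["qname"].rstrip(".").lower()
        if qname.endswith(suffix):
            hits[m["customer"]] += 1
    return dict(hits)


def triage(downloads, log_text):
    """Reduce 'who downloaded the bad build' to 'who actually beaconed'."""
    beaconed = customers_that_beaconed(log_text)
    downloaded = {d["customer"] for d in downloads}
    installed = {d["customer"] for d in downloads if d["installed"]}
    isolated = {d["customer"] for d in downloads if d["installed"] and d["isolated"]}
    return {
        "downloaded": len(downloaded),
        "installed": len(installed),
        "isolated_no_c2_possible": len(isolated),
        "beaconed": sorted(c for c in beaconed if c in installed),
        # Installed but no beacon seen: not proof of safety, only of no observed C2.
        "installed_without_beacon": sorted(installed - set(beaconed)),
    }


if __name__ == "__main__":
    for key, value in triage(DOWNLOADS, DNS_LOG).items():
        print(f"{key}: {value}")
```

The last bucket matters for the caveat in the filing: an installed build with no observed beacon may be an isolated network, a log gap, or a host that simply had not called home yet in the window you kept, so the absence of a DNS hit lowers the estimate but does not by itself clear a host.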
Recent filings with the Securities and Exchange Commission also shed some light on how the hackers initially got into the SolarWinds network. Investigators are still studying the question, but the possible entry points have been narrowed down to three main theories:
- a zero-day vulnerability in a third-party application or device;
- brute force attack (for example, password spray);
- social engineering, possibly a targeted phishing attack.
So far, the company does not know when or how the attackers first gained access to its systems. However, the investigation revealed new evidence that the attackers compromised internal credentials and moved through the company’s network and Microsoft Office 365 environment at least nine months before the October 2019 “test run”. That test run convinced the hackers that they could inject malicious code into the Orion app, although the actual attack did not take place until March 2020.
In addition, more details about the actions of the attackers have emerged.
- Hackers created and moved files containing the source code of Orion and third-party products. The actual content of these files could not be determined.
- The attackers moved additional files, including a file that may have contained data associated with the Customer Portal application. Although the company was unable to determine the exact content of these files, the customer portal database does not contain sensitive financial or identity information (credit card data, social security numbers, passport data or bank account numbers); it does contain other data, including customer names, email addresses, billing addresses, encrypted portal login credentials, IP addresses used for software downloads, and the MAC addresses of registered Orion servers.
- The attackers gained access to the email accounts of a number of employees. Some of these inboxes contained information about current or former SolarWinds employees and customers; investigators are still determining what kind of personal information the compromised emails contained.
- The hackers moved the files to a jump server, apparently to make it easier to exfiltrate them from the company environment.