SolarWinds: under 18,000 customers were compromised between March and June via an update to its Orion software, leading to DHS, Treasury, Commerce Dept. hacks
LONDON/WASHINGTON (Reuters) - U.S. IT company SolarWinds said on Monday that up to 18,000 of its customers had downloaded …
Reuters
Related Coverage
- Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit New York Times
- ‘Massively disruptive’ cyber crisis engulfs multiple agencies Politico · Eric Geller
- U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise Krebs on Security · Brian Krebs
- The Verge
- US officials scramble to deal with suspected Russian hack of government agencies CNN
- SolarWinds: Our Office 365 Emails Were Compromised infosecurity-magazine.com · Phil Muncaster
- Suspected Russian Cyberattack Began With a Little-Known but Ubiquitous Software Company Wall Street Journal · Robert McMillan
- SolarWinds Orion: More US government agencies hacked BBC
- Russian hack was ‘classic espionage’ with stealthy, targeted tactics Washington Post
- U.S. Homeland Security, thousands of businesses scramble after suspected Russian hack Reuters
- Newser
- Hackers Used Obscure Texas IT Vendor to Attack U.S. Agencies Bloomberg · William Turton
- Major Software Used by Homeland Compromised by Malicious Actors InsideBitcoins.com · Jimmy Aki
- SolarWinds Says 18,000 Customers May Have Used Compromised Orion Product SecurityWeek · Eduard Kovacs
- Dark Halo Leverages SolarWinds Compromise to Breach Organizations Volexity
- DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign Washington Post
- Hack of Federal Agencies Shows Cyber Dangers to Supply Chains Wall Street Journal · David Uberti
- SolarWinds Security Advisory SolarWinds
- How Russian hackers infiltrated the US government for months without being spotted MIT Technology Review · Patrick Howell ONeill
- Important steps for customers to protect themselves from recent nation-state cyberattacks Microsoft On the Issues · Tom Burt
- No One Knows How Deep Russia's Hacking Rampage Goes Wired · Lily Hay Newman
- Emergency Directive 21-01 — Mitigate SolarWinds Orion Code Compromise Department of Homeland Security
- SolarWinds attack explained: And why it was so hard to detect CSO · Lucian Constantin
- Customer Guidance on Recent Nation-State Cyber Attacks Microsoft Security Response Center · Msrc
- Global security teams assess impact of suspected Russian cyber attack Reuters
- SEC filings: SolarWinds says 18,000 customers were impacted by recent hack ZDNet · Catalin Cimpanu
- The SolarWinds attack and the limits of cyber hygiene SC Media · Sam Curry
- GCHQ looking into whether Russian hackers stole UK government secrets Telegraph · James Cook
- Up to 18,000 SolarWinds customers installed poisoned update that could allow state-sponsored attack Graham Cluley
- How hackers used obscure IT vendor to attack top US agencies South China Morning Post
- Solar flare: Why the SolarWinds supply chain attack matters Security Boulevard · IronNet
- Nearly 18,000 SolarWinds Customers Installed Backdoored Software The Hacker News · Ravie Lakshmanan
- US government software provider SolarWinds confirms it was hacked SiliconANGLE · Duncan Riley
- Israeli companies at risk after suspected Russian hackers spied on U.S. Treasury emails CTech · Raphael Kahan
- Russian hacking campaign highlights supply chain vulnerabilities NBC News · Kevin Collier
- SolarWinds confirms 18,000 customers may have been impacted Security Affairs · Pierluigi Paganini
- Hackers breached U.S. government agencies via compromised SolarWinds Orion software Help Net Security · Zeljka Zorz
- The SolarWinds Supply Chain Attack and the Limits of Cyber Hygiene Cybereason · Sam Curry
- “Highly Evasive” Nation-State Attackers Eavesdropped on the US Treasury for Months - Several Victims Across Multiple Verticals Worldwide Wccftech · Rafia Shaikh
- 18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack Dark Reading · Jai Vijayan
- Microsoft issues protection guidance in light of recent nation-state cyberattack on US government OnMSFT.com · Kareem Anderson
- U.K. Government, NATO Join U.S. in Monitoring Risk From Hack Bloomberg
- US treasury and commerce departments targeted in cyber-attack BBC
- ~18,000 organizations downloaded backdoor planted by Cozy Bear hackers Ars Technica · Dan Goodin
- Weird How the White House Hasn't Said Much About Massive Russian Cyberattack Vanity Fair · Eric Lutz
- Suspected Russian hackers spied on U.S. Treasury emails - sources Reuters · Christopher Bing
- Another Massive Russian Hack of US Government Networks Schneier on Security · Bruce Schneier
- SolarWinds' federal footprint is large, and compromise is a ‘nightmare scenario’ for affected agencies FedScoop · Dave Nyczepir
- After Trump Spent Four Years Inviting Russia to Hack the US, Russia Allegedly Did Just That emptywheel
- Unraveling Network Infrastructure Linked to the SolarWinds Hack DomainTools
- US government, thousands of businesses now thought to have been affected by SolarWinds security attack TechRadar · Anthony Spadafora
- What we know about Russia's sprawling hack into federal agencies Axios
- Reported Russian hack of US systems has implications for DoD network security plans C4ISRNET
- Suspected Russian Hack Said to Have Gone Undetected for Months Wall Street Journal
- SolarWinds hack exposes underbelly of supply-chain attacks CyberScoop · Shannon Vavra
- SolarWinds advanced cyberattack: What happened and what to do now Malwarebytes Labs
- Homeland Security Latest Breach Victim Of Russian Hackers: Report CRN · Michael Novinson
- DHS hacked as part of massive cyberattack on federal agencies: report The Hill · Maggie Miller
Discussion
-
@pwnallthethings
@pwnallthethings
on x
My hottest hot take on the SolarWinds hack is that this was a similar intrusion vector as NotPetya, and but for the caution of the hackers, could easily have caused huge global mayhem. And that is a really big indictment of where the defensive industry still is all these years on
-
@robertmlee
Robert M. Lee
on x
Fantastic report by FireEye on the SolarWinds supply chain compromise into organizations around the community including the FireEye intrusion: https://www.fireeye.com/... great insights for defenders to go burn the adversary's efforts to the ground
-
@weldpond
Chris Wysopal
on x
It would be very helpful for anyone delivering enterprise software to understand how SolarWinds update was compromised and what defensive processes to put in place. Then every enterprise customer can ask suppliers if it was being done. With cyber we never seem to close the loop. …
-
@rafaybaloch
Rafay Baloch
on x
Sometimes you really think you have uncovered a sophisticated malware (highly evasive in nature) during a compromise assessment exercise until you meet SUNBURST Backdoor which blows out your previous convictions. https://www.fireeye.com/...
-
@quinnypig
Corey Quinn
on x
I don't know as “under 18,000 customers” is going to be effective framing. https://twitter.com/...
-
@razhael
Raphael Satter
on x
We now know how many customers were pushed the malicious Orion software updates - somewhere south of 18,000. Now the question incident responders are weighing is: ‘How many of those 18,000 backdoors were opened?’ https://www.reuters.com/...
-
@profwoodward
Alan Woodward
on x
Bypassing 2FA by using pre-computed values for a cookie based on stolen OWA secret - now that is “sophisticated”. This description of a trail of hacks including SolarWinds shows just how much someone wanted to penetrate these targets. https://www.volexity.com/...
-
@dnvolz
Dustin Volz
on x
Can confirm DHS has also been hacked in the SolarWinds attack. DHS is not currently acknowledging their breach publicly. With Commerce and Treasury, that's three confirmed agency intrusions. I'm also told national security agencies and defense contractors have been compromised.
-
@alexstamos
Alex Stamos
on x
The fact that you have to scroll down into the corner of the @washingtonpost's homepage to get to @nakashimae and @craigtimberg's reporting on the SVR compromise of a huge swath of the US government makes me think that official DC hasn't grasped what has happened yet. https://twi…
-
@sangernyt
David Sanger
on x
Struck by fact that for 6 weeks now @realDonaldTrump and 100+ Republican members of Congress have been talking about a hack that never happened - of the vote. Total silence on the one that did happen: Russian hackers inside the Fed. govt.'s own agencies. https://www.nytimes.com/.…
-
@zaackhunt
Zack Hunt
on x
Does it count as hacking if Trump just emailed Putin all of the passwords? https://twitter.com/...
-
@dalperovitch
Dmitri Alperovitch
on x
Last time during the big campaign of 2014-2015, SVR had successfully compromised networks of White House, State Department and the Joint Chiefs of Staff. And that was via simple phishing. They didn't have a nifty backdoor in one of the most popular IT mgmt software around... http…
-
@repstephmurphy
Rep. Stephanie Murphy
on x
The hard truth is the only way to deter this sort of outrageous but unsurprising Russian conduct is to impose swift and severe costs on Putin that make him think twice before doing this again. Unless there are consequences, this behavior will only continue. https://twitter.com/..…
-
@nickkristof
Nicholas Kristof
on x
Good grief. The Department of Homeland Security, in charge of preventing cyber attacks on America, was itself hacked in a major Russian cyber-espionage campaign https://www.washingtonpost.com/ ...
-
@goldengateblond
Shauna
on x
it's like failing to punish them for previous hacks wasn't a deterrent at all https://twitter.com/...
-
@iblametom
Thomas Brewster
on x
DOD declining to comment. Will be huge if they're a victim. It's already huge, of course, now that DHS has been named as the third US gov department breached in these attacks. https://twitter.com/...
-
@iblametom
Thomas Brewster
on x
Veterans Affairs, which has been a big spender on the Orion tool in recent months, says: “VA is looking into this issue and has not detected any breaches. “However, we are taking SolarWinds offline out of an abundance of caution.” https://twitter.com/...
-
@iblametom
Thomas Brewster
on x
Update 2: It's not just @CISAgov - US Cyber Command @US_CYBERCOM bought some SolarWinds licenses in 2019 too. https://twitter.com/...
-
@pattyarquette
Patricia Arquette
on x
@LindseyGrahamSC @marcorubio @senatemajldr @MarkMeadows And y'all aren't going to do zip. https://twitter.com/...
-
@b52malmet
Barbara Malmet
on x
Russia has the best hackers. Our Department of Homeland Security is not so secure. https://www.reuters.com/...
-
@campuscodi
Catalin Cimpanu
on x
SolarWinds, the new Blackbaud https://twitter.com/...
-
@ericgeller
Eric Geller
on x
As news breaks about DHS falling victim to this hacking campaign, a U.S. official tells me that there's “massive frustration with CISA on a sluggish response to agency breaches.” According to this official, “incident response teams” meant to assist victim agencies “are delayed.” …
-
@dalperovitch
Dmitri Alperovitch
on x
DHS reportedly compromised by #SolarWinds supply chain hack. Likely one of many victims we are going to hear about in the coming days and weeks https://twitter.com/...
-
@campuscodi
Catalin Cimpanu
on x
Some nice background digging into SolarWinds' US government contracts from Forbes. Customers include CISA, CyberCommand, DOD, FBI, DHS, Veterans Affairs, and many more. No wonder the White House held a National Security Council meeting on Saturday https://twitter.com/...
-
@iblametom
Thomas Brewster
on x
Biggest recent contract renewal was from Veterans Affairs in August for $2.8 million. VA is deeply involved in the Covid-19 US response fwiw. https://twitter.com/...
-
@iblametom
Thomas Brewster
on x
If you don't know much about SolarWinds, it's huge. $6bn+ valuation, customers in almost every vertical imaginable. Just a week ago, it announced the appointment of a new CEO: https://investors.solarwinds.com/ ... https://twitter.com/...
-
@jgamblin
Jerry Gamblin
on x
Microsoft says that their earliest IOC for the Solarwind breach is March 2020. https://twitter.com/...
-
@razhael
Raphael Satter
on x
Just got this from @solarwinds: https://www.reuters.com/... https://twitter.com/...
-
@kaitlancollins
Kaitlan Collins
on x
For NSA Director Gen. Nakasone, the attack ranks among the biggest crises of his time in office...He'll have to answer why private industry, rather than the multibillion-dollar enterprise he runs from a war room in Fort Meade, was first to raise the alarm. https://www.nytimes.com…
-
@kylehanslovan
Kyle Hanslovan
on x
The full compromised package is still being hosted online as well 😓 hxxps://downloads.solarwinds[.]com/solarwinds/CatalogResources/Core/2019.4/2019.4.5220.20574/SolarWinds-Core-v2019.4.5220-Hotfix5.msp https://twitter.com/...
-
@timobrien
Tim O'Brien
on x
This is a massive, dangerous hack that hit governments and corporations alike, worldwide — and it has the Kremlin's fingerprints all over it. https://www.bloomberg.com/...
-
@iblametom
Thomas Brewster
on x
New - A review of contract records shows DOD, FBI, DHS, Veterans Affairs and many other U.S. agencies have purchased SolarWinds Orion, the tool used as a launchpad for the huge government and private industry espionage campaign disclosed this weekend. https://www.forbes.com/...
-
@razhael
Raphael Satter
on x
New from @jc_stubbs & team: The scope of the SolarWinds breach is potentially enormous, but cyber investigators across the industry say signs suggest the hackers honed in on relatively few targets: “They are using this like a scalpel,” one told me. https://www.reuters.com/...
-
@matthew_d_green
Matthew Green
on x
If the US government handed you $50m/yr and Presidential authority to address supply chain attacks on US systems, what would you do?
-
@dnvolz
Dustin Volz
on x
RUMOR CONTROL: “Dominion Voting Systems does not now nor has it ever used the SolarWinds Orion Platform, which was subject of the DHS emergency directive dated December 13, 2020,” a Dominion spokeswoman says. via @AlexaCorse cc: @CISAgov @CISAKrebs
-
@pamkeithfl
Pam Keith
on x
THIS is what happens when you allow a likely Russian asset to be president. My worry is about Russia getting Intel & clandestine asset info. I am also more than a little irritated that once again Trump has said NOT ONE WORD about Russia attacking us. The man is a menace. https://…
-
@brbarrett
Brian Barrett
on x
It's going to be a while before we know the full extent of how bad this Russia hack really is https://www.wired.com/...
-
@b52malmet
Barbara Malmet
on x
This is totally getting lost in the vaccine/electoral college news. And it is HUGE. https://twitter.com/...
-
@dnvolz
Dustin Volz
on x
Pompeo appeared to confirm Russian involvement in the SolarWinds hack in radio intvw. “I can't say much other than it's been a consistent effort of the Russians to try and get into American servers, not only those of government agencies but of businesses” https://www.wsj.com/...
-
@brianbeutler
Brian Beutler
on x
Am I correct that Trump has said zero words about this? https://twitter.com/...
-
@dlippman
Daniel Lippman
on x
The hack's extended duration raises a huge red flag about the attacks' impact on the government, Sue Gordon, a former top deputy in ODNI, told me. “It is massively disruptive once you have long-term penetration by a nation-state,” she said. https://www.politico.com/...
-
@mzbat
@mzbat
on x
2021 will be the year of large scale infra attacks. This week, we're getting a preview. “The attackers in question have been especially discrete in using network infrastructure... and using a variety of cloud hosting services for network infrastructure.” https://www.wired.com/...
-
@naveedajamali
Naveed Jamali
on x
Russia didn't just gain access to email, they compromised networks through an update to a network monitoring tool. Agencies include the FBI, all branches of the military, and many others. This is one of the largest most recent cyber espionage operations. https://www.bloomberg.com…
-
@malwarejake
Jake Williams
on x
Okay folks, let's talk about SolarWinds. For those not familiar with it, SolarWinds is a network management system (NMS). It's probably the most ubiquitous NMS out there, so we shouldn't jump to conclusions that FireEye and Treasury were both breached by a SolarWinds vuln. 1/
-
@nicoleperlroth
Nicole Perlroth
on x
“Power Down.” If you are just joining, USG federal agencies and untold number of SolarWind clients have been compromised via a malicious SolarWinds software update for as long as six months and CISA, the decapitated cyber agency, is telling SolarWinds clients to power it down. ht…
-
@briankrebs
@briankrebs
on x
Researchers at @oscontext say the first traffic they saw to the malware controllers in the SolarWinds infrastructure was on 4/4/2020. Fireeye said the malware was config'd to sleep for 2 weeks post-install. Suggests first targets were hit sometime in March https://www.fireeye.com…
-
@cisagov
@cisagov
on x
Last night we issued an emergency directive to mitigate the compromise involving SolarWinds Orion products: https://cisa.gov/.... We urge all our partners—in the public & private sectors—to assess their exposure to this compromise and to secure their networks.
-
@dnvolz
Dustin Volz
on x
One person familiar with the SolarWinds hack said the Russian campaign was a “10” on a scale of one to 10, in terms of its likely severity and national security implications. https://www.wsj.com/...
-
@alexstamos
Alex Stamos
on x
There have been attempts by Google, BITS and others to better coordinate vendor risk management but none have really taken off. We need a deeper focus on security program maturity and transparency up and down the stack.
-
@alexstamos
Alex Stamos
on x
3. The investment our government puts into offense and intelligence gathering versus defense is spectacularly off. @C_C_Krebs built a great org with CISA, but they have something like 2,000 employees for the entire critical infrastructure and cyber mission. NSA has over 40k.
-
@alexstamos
Alex Stamos
on x
If we had a liability carrot-and-stick approach, where these reviews were conducted by professional staff, penalties were applied by a competent regulator, and we had 400 public pages to read on the root causes in six months, other companies could learn and improve.
-
@alexstamos
Alex Stamos
on x
I hope the timing of this reveal means that the Biden administration and Congress will really think about investing in defense and motivating companies to be responsible in 2021. I also hope we see some defensive operators in key administration cyber roles.
-
@alexstamos
Alex Stamos
on x
As a result, there are dozens of companies that represent critical, systemic risk across the public and private sector and most of the “security community” has interacted with none of them. The outside pressure that has pushed consumer IT to improve does not exist for most of IT.
-
@briankrebs
@briankrebs
on x
Hacks at US Treasury, Commerce Dept. tied to supply chain attack on network monitoring tools from SolarWinds. CISA is telling agencies to unplug affected SolarWinds products. Given breadth of SW customer base, this is likely to be 1st of many disclosures https://krebsonsecurity.c…
-
@ericgeller
Eric Geller
on x
🚨 CISA has issued an emergency order requiring federal agencies to disable SolarWinds IT products, which hackers exploited to penetrate Treasury, NTIA, and possibly other agencies. https://cyber.dhs.gov/... Disconnection “is the only known mitigation measure currently available.”
-
@kennwhite
Kenn White
on x
Considerable engineering went in to evading detection, including steganography: “HTTP response bodies attempt to appear like benign XML related to .NET assemblies, but command data...is spread across multiple strings that are disguised as GUID and HEX strings” https://twitter.com…
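The evasion Kenn White quotes above, command data spread across values shaped like GUIDs inside XML that passes as .NET assembly metadata, is easier to reason about with a toy model. The block below is an added example and is not FireEye's detection logic, SolarWinds code, or SUNBURST's real wire format; the carrier scheme (hex-encode, NUL-pad, split into 32-digit chunks laid out as GUIDs), the element and attribute names, the decoy publicKeyToken, and the detection threshold of two GUIDs per body are all assumptions chosen for the illustration. The sample command and the benign body are constructed.

```python
"""Toy model of command data hidden in GUID-shaped XML values, with a reassembly
routine and a density heuristic a defender could run over HTTP response bodies.
Added example; not SolarWinds or FireEye code, and not SUNBURST's real encoding."""
import re
from xml.etree import ElementTree as ET

# Canonical 8-4-4-4-12 GUID layout; this is what the hidden values must look like.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def _guid_shape(h32: str) -> str:
    """Lay out 32 hex digits as 8-4-4-4-12 so the value passes as a GUID."""
    return f"{h32[:8]}-{h32[8:12]}-{h32[12:16]}-{h32[16:20]}-{h32[20:]}"


def hide_command(command: bytes) -> str:
    """Toy encoder (assumed scheme): hex-encode the command, NUL-pad it to a
    multiple of 16 bytes, and spread it over GUID-shaped 'id' attributes in XML
    that resembles .NET assembly metadata. Each 16-byte slice becomes one GUID."""
    padded = command + b"\x00" * (-len(command) % 16)
    hx = padded.hex()
    chunks = [hx[i:i + 32] for i in range(0, len(hx), 32)]
    root = ET.Element("assemblies")
    for i, chunk in enumerate(chunks):
        ET.SubElement(root, "assembly", {
            "name": f"Module{i}",
            "id": _guid_shape(chunk),
            # Decoy: a real, well-known Microsoft public key token, present so the
            # body carries the hex-looking noise a genuine assembly listing would.
            "publicKeyToken": "b77a5c561934e089",
        })
    return ET.tostring(root, encoding="unicode")


def guid_values(xml_body: str) -> list:
    """Attribute values and text nodes that look like GUIDs, in document order."""
    root = ET.fromstring(xml_body)
    found = []
    for el in root.iter():
        values = list(el.attrib.values())
        if el.text and el.text.strip():
            values.append(el.text.strip())
        found.extend(v for v in values if GUID_RE.match(v))
    return found


def recover_command(xml_body: str) -> bytes:
    """Toy decoder: strip hyphens from every GUID-shaped value, concatenate in
    document order, hex-decode, and drop the NUL padding."""
    hx = "".join(v.replace("-", "") for v in guid_values(xml_body))
    return bytes.fromhex(hx).rstrip(b"\x00")


def is_suspicious(xml_body: str, max_guids: int = 2) -> bool:
    """Detection heuristic (assumed threshold): a small assembly listing rarely
    carries more than a couple of GUIDs, so a body dense with them is worth a
    closer look regardless of how benign the surrounding XML reads."""
    return len(guid_values(xml_body)) > max_guids


# Constructed benign body: one assembly entry with a single GUID.
BENIGN = (
    '<assemblies><assembly name="Core" '
    'id="3f2504e0-4f89-11d3-9a0c-0305e82c3301" publicKeyToken="b77a5c561934e089"/>'
    "</assemblies>"
)

if __name__ == "__main__":
    body = hide_command(b"tasklist /v && ipconfig /all && systeminfo")
    print(body)
    print("suspicious:", is_suspicious(body), "benign flagged:", is_suspicious(BENIGN))
    print("recovered:", recover_command(body))
```

The point of the pairing is that a signature on the XML structure alone would miss this: the malicious body parses cleanly and every value is well-formed. What gives it away is the density of GUID-shaped values relative to what the document type needs, which is why the heuristic counts carriers rather than inspecting them.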
-
@campuscodi
Catalin Cimpanu
on x
tl;dr: The SolarWinds hack is more like the Avast CCleaner breach, not the M.E.Doc/NotPetya incident. Only certain high-value targets were hit. If you run a pet store chain and use SolarWinds, you and your dog food inventory are most likely fine. https://twitter.com/...
-
@dalperovitch
Dmitri Alperovitch
on x
BUT here is the good news - no adversary has enough human resources to effectively exploit every potential victim. They pretty much HAVE to focus on those they care most about. But no doubt this is squarely in the #goodproblemtohave department for them. Very impressive op 2/2
-
@hackingdave
Dave Kennedy
on x
Also for those giving @FireEye hell last week and poking fun and jest at their data breach because they were a security company, do you think your threat model would have protected against this? Some folks owe some apologies.
-
@a_greenberg
Andy Greenberg
on x
Some here pointing to the SolarWinds hack as the other Sandworm/NotPetya shoe dropping. Still early, but this looks like targeted spying as you'd expect from APT29/SVR, not Sandworm/GRU-style disruption. Not yet sure it's less serious, just very different. https://www.reuters.com…
-
@a_greenberg
Andy Greenberg
on x
Just imagine, however, if this operation had been Sandworm rather than APT29, and had been focused on disruption instead of espionage: It had the keys to the kingdom across hundreds of US networks through most of this incredibly fraught pandemic/remote work/election year.
-
@ericgeller
Eric Geller
on x
Microsoft has published a report on the hacking campaign that has breached several federal agencies. It confirms that the intruders used SolarWinds product vulnerabilities for initial access and then forged authentication tokens to spread further. https://msrc-blog.microsoft.com/…
-
@c_c_krebs
Chris Krebs
on x
There it is - @CISAgov issues Emergency Directive 21-10, directing Fed civilian agencies to take action on SolarWinds compromise. Still digesting, but this is a strong move. Proud of the team. Everyone else should refer to this as they chart next steps. https://cyber.dhs.gov/...
-
@fireeye
@fireeye
on x
For more information about the global software supply chain threat we identified, please read our blog post. https://www.fireeye.com/...
-
@gossithedog
Kevin Beaumont
on x
Since earlier in year there has been a serious supply chain attack impacting a very popular enterprise management tool, and multivendor SAML (authentication) attacks allowing for maintained access and data exfiltration. IOCs, Azure Sentinel queries etc: https://msrc-blog.microsof…
-
@kennwhite
Kenn White
on x
Just released by FireEye, confirming signed updates from SolarWinds enterprise monitoring software were backdoored. This is the real deal folks. https://www.fireeye.com/... https://twitter.com/...
-
@nakashimae
Ellen Nakashima
on x
UPDATE: Sources tell me that the victims—Treasury, Commerce, FireEye—were breached through an IT Management System called Solar Winds https://www.washingtonpost.com/ ...
-
@bing_chris
Chris Bing
on x
Common refrain from sources: today's news about USG hacks (Commerce + Treasury) and the larger supply chain compromise at Solar Winds, an IT provider for the USG, is “just the tip of the iceberg” This breach is much worse than it appears atm. And it appears very bad already
-
@dnvolz
Dustin Volz
on x
Sen. Angus King says hack is especially bad as it emerges during haphazard presidential transition. Putin “can hire about 8,000 hackers for the price of one jet fighter,” King said. “We just learned the damage those hackers can do, if it is indeed Russia.” https://www.wsj.com/...
-
@c_c_krebs
Chris Krebs
on x
If you're a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team. Odds are you're not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this. https://twitter.com/... https:…
-
@neusummits
Elizabeth Neumann
on x
Relieved that next month we can finally have the head of our government do what cybersecurity professionals have been calling for for years. Attribution and Consequences. https://twitter.com/...
-
@dnvolz
Dustin Volz
on x
SOLARWINDS in statement said it is aware of a potential vulnerability related to updates of its Orion technology management software that were released between March and June of this year.