The tech community is still reeling from the massive hack of SolarWinds’ Orion platform that resulted in the compromise of several U.S. government networks and reportedly thousands of other SolarWinds customers.
According to public filings, news reports and the company’s own disclosures, here is what we’ve learned since news of the highly sophisticated attack was announced Sunday, when cybersecurity firm FireEye confirmed that some of its tools designed to test customer networks were stolen in connection with the attack.
- According to SolarWinds’ own filing with the U.S. Securities and Exchange Commission, SolarWinds on Dec. 13 notified about 33,000 customers of its Orion product notifying them of the compromise. However, the company believes the actual number of customers that may have had an installation of the Orion products that contained the vulnerability to be around 18,000. That communication included steps to mitigate the vulnerability.
- ZDNet reports that Microsoft’s security team – along with other tech companies – have seized a domain that served as command and control server for malware delivered to those 18,000 customers. The website reported the takedown was an effort to prevent the threat actors from delivering new orders to infected devices.
- In a Tuesday security blog, Microsoft said it is has released detections that alerted customers to the presence of malicious binaries that hackers inserted into the SolarWinds Orion platform. Customers should consider any device with the binary as compromised and should be investigating devices with the alert. Starting Wednesday, Microsoft Defender Antivirus will begin blocking the known malicious binaries in the SolarWinds product to quarantine the binary even if the process is running.
- According to cybersecurity firm Symantec and news organization Reuters, attackers only went after high-profile government targets in the U.S. and elsewhere despite having access to thousands of entities. Targets included the U.S. Department of Homeland Security, U.S Treasury Department, U.S. Commerce Department, the U.S. State Department and the National Institutes of Health.
- According to the New York Times, other government agencies that use the software are the Centers for Disease Control and Prevention, the National Security Agency, Justice Department, agencies in the Pentagon and utility companies.
- Researchers from cybersecurity firm Volexity wrote in a blog that the company has been able to track the attacks to multiple incidents it worked in late 2019 and 2020 at a U.S.-based think tank. The firm uncovered tools, backdoors and malware implants that allowed the attackers to remain undetected for several years, and they used a new technique to bypass multi-factor authentication to access a user’s Outlook account.
- Officials have not yet said publicly said who they think is responsible, but anonymous sources being cited by numerous media outlets are unanimous that hackers backed by the Russian government are responsible.
We’re tracking this story and will update our readers with more information once it becomes available. For now, IT professionals should look for indications of a compromise and take steps to mitigate this massive vulnerability.