Hacked Software Firm SolarWinds' Clients Include Ford, Microsoft, AT&T

A suspected Russia-led cyberattack that reportedly breached several U.S. government agencies seemingly exploited software from Texas-based software company SolarWinds, with malware pushed via booby-trapped updates.

A probe into the purported "nation state" hack is ongoing, spearheaded by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA), after Reuters reported on Sunday that the U.S. Treasury and Commerce departments were believed to have been impacted, and the culprits had the ability to monitor internal emails.

The IT monitoring software targeted—called Orion—is used by "hundreds of thousands of organizations globally," The Associated Press (AP) reported on Sunday. SolarWinds says on its website its products are currently used by more than 300,000 customers spanning sectors including military, government, business and education.

SolarWinds says it serves more than 425 firms on the Fortune 500, every one of the top-10 U.S. telecommunications companies and all branches of the U.S. military.

According to its website, U.S. clients include the Pentagon, State Department, NASA, NOAA, National Security Agency (NSA), Postal Service, Department of Justice and the Office of the President of the United States. In addition, it lists all of the top five U.S. accounting firms and "hundreds" of universities and colleges across the world.

Here is an additional partial customer listing, per SolarWinds:

SolarWinds partial customer list
A partial list of SolarWinds customers, per the software company's website. SolarWinds

SolarWinds said in a security notice on Sunday it had been informed one of its products, specifically Orion, suffered a "highly sophisticated, manual supply chain attack." It said impacted software builds were released between March 2020 and June 2020.

"We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack," SolarWinds said, urging clients to download a fix.

In a supply chain attack, hackers will hide malware—or malicious code—into downloads of legitimate software updates, effectively trojanizing the upgrade for customers.

The scope of the cyberattack is unknown and it remains unclear how many targets the hackers had successfully compromised before it was discovered.

Three people "familiar with the investigation" told Reuters hackers aligned with Russia appeared to be behind SolarWinds scheme, alluding to state-level espionage.

Multiple sources familiar with the investigation into the monthslong cyber intrusion told Reuters the supply chain attack appeared linked to a breach of the security company FireEye that was made public last week, also suspected of being Russia.
Multiple hacking units tied to Russia were previously said to be responsible for breaches of U.S. government emails during the 2016 presidential election, as part of a widespread and coordinated meddling campaign likely ordered by president Vladimir Putin.

Analysis into the incident published by FireEye on Sunday said the Orion software had been exploited to distribute a type of malware dubbed as Sunburst, noting the "global intrusion campaign" campaign was widespread—and currently ongoing.

It said: "Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected." FireEye did not identify the suspected victims.

Russia's U.S. embassy rejected the hacking allegations in a statement that was posted to its Facebook account on Sunday, calling the news "another unfounded attempt of the U.S. media to blame Russia for hacker attacks on U.S. governmental bodies."

Man Typing stock image
Stock image. A suspected Russia-led cyberattack that reportedly breached several U.S. government agencies was seemingly conducted by abusing software from Texas-based company SolarWinds. iStock