Cybersecurity investigators are scrambling to assess the damage caused by a widespread breach of U.S. federal agencies and private companies. A list of affected organizations includes the Treasury, Commerce, Homeland Security, and State Departments, plus the National Institutes of Health, and parts of the Pentagon, according to the latest news reports.
Yet the blast radius likely extends much farther. In addition to the government, top national labs, and hundreds of universities, many big businesses may have been targeted by the 9-month-long cyberespionage operation. SolarWinds, the little-known software company based in Austin, Texas, that’s at the center of the compromise, estimates that more than half the customers of its pervasive Orion network management products could have been affected: around 18,000 customers.
That’s according to a Securities and Exchange Commission filing SolarWinds put out on Monday, now buried under a flurry of share sales disclosures. (You can view its since-stricken customer list, captured by the Internet Archive, to get an idea of the possible breadth of the cyberattack.)
SolarWinds was patient zero. The company’s systems were hacked, and its IT tools were subverted to deliver Trojan horses all over the map. The situation, a so-called software supply chain attack, recalls the NotPetya malware attack of 2017, when Russian agents unleashed a global cyberattack by subverting the software update mechanism of a popular accounting tool developed by a Ukrainian tech company. (You can read preliminary analyses of the SolarWinds hack by digital forensics firm FireEye and Microsoft.)
Though it’s still early and investigations are ongoing, cybersecurity researchers suspect nation-state hackers are to blame, due to the sophistication of the hacking campaign. In particular, they’re pointing fingers at the SVR, Russia’s foreign intelligence service and a successor to the KGB. As usual, the Russian Embassy in Washington, D.C., denied the allegations.
The Homeland Security Department’s Cybersecurity and Infrastructure Security Agency, tasked with coordinating defenses across government and industry, is attempting to get a grip on the situation, issuing alerts and advising people to update their software or unplug systems that use Orion tooling. But the agency is also reeling from recent turnover after President Trump removed its founding director, Chris Krebs, who refused to play along with Trump’s baseless election fraud claims. (To nip misinformation in the bud: Dominion Voting Systems, a central target of Trump’s conspiracy theorizing, says it has never used SolarWinds’ Orion products.)
When President-elect Joe Biden takes office in January (now that his victory is electoral college-official), he is going to inherit not just the COVID-19 scourge, but this unholy mess too.