Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Many SolarWinds Customers Failed to Secure Systems Following Hack

Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon, a Mastercard company that specializes in risk assessment.

Many companies still expose SolarWinds Orion to the internet and have failed to take action following the disclosure of the massive SolarWinds breach, according to RiskRecon, a Mastercard company that specializes in risk assessment.

Threat actors believed to be backed by Russia breached Texas-based IT management firm SolarWinds and used that access to deliver a piece of malware named Sunburst to roughly 18,000 customers who had been using the company’s Orion monitoring product. A few hundred victims that presented an interest to the hackers received other payloads that provided deeper access into their environments.

A second, apparently unrelated threat group believed to be operating out of China also targeted SolarWinds, delivering a piece of malware named Supernova. The delivery of Supernova required access to the targeted network and involved exploitation of a zero-day vulnerability in Orion, which SolarWinds patched shortly after its existence came to light.

RiskRecon on Friday said it observed 1,785 organizations exposing Orion to the internet on December 13, 2020, shortly after the breach came to light, and the number dropped to 1,330 by February 1, 2021. However, only 8% of these companies have applied the Orion update (2020.2.4) released by SolarWinds in response to the breach.

Supply Chain Security Summit

Even more concerning is that 4% of the companies that expose Orion still use a version containing the Sunburst code. Moreover, roughly one-third of these organizations still haven’t patched the vulnerability exploited by Supernova.

RiskRecon says the list of organizations running vulnerable Orion instances includes state and local government agencies, universities, hosting providers, and Fortune 500 firms.

Microsoft Believes 1,000 Hackers Involved in SolarWinds Attack

An article published by the New York Times in January said some intelligence officials had concluded that “more than a thousand Russian software engineers” were most likely involved in the attack. Some cybersecurity professionals questioned the claims at the time.

However, Brad Smith, president and legal chief at Microsoft, reiterated the belief over the weekend in an interview on the CBS program 60 Minutes.

“When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000,” Smith said, adding that Microsoft tasked 500 engineers with investigating the attack.

Smith also said the attackers had written roughly 4,000 lines of code that were then delivered to customers of SolarWinds’ Orion product.

“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.

Related: Microsoft Says Its Services Not Used as Entry Point by SolarWinds Hackers

Related: CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds

Related: More Cybersecurity Firms Confirm Being Hit by SolarWinds Hack

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.