Connect with us

Hi, what are you looking for?



SolarWinds Shares More Information on Cyberattack Impact, Initial Access Vector

Texas-based IT management company SolarWinds on Friday shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked.

Texas-based IT management company SolarWinds on Friday shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked.

The hackers, which have officially been linked by the United States and others to Russia’s Foreign Intelligence Service (SVR), breached SolarWinds systems in 2019 or possibly even earlier.

They compromised the automated build environment for the company’s Orion monitoring software and in October 2019 they started testing their ability to inject malicious code into Orion builds. However, they only pushed out malicious Orion updates to SolarWinds customers between March and June 2020.

The malicious updates, tracked as SUNBURST, could have been downloaded by up to 18,000 SolarWinds customers, but the actual number of organizations that were affected by the malware was smaller. Moreover, the threat actors only delivered additional malware to a far smaller number of entities that were specifically targeted.

Initial reports said more than 250 organizations were actually breached, but the U.S. government later said that it had identified roughly 100 private sector companies and 9 federal agencies whose systems were targeted by the attackers.

In its blog post on Friday, SolarWinds said it estimated the actual number of customers hacked through the SUNBURST malware to be less than 100.

“This information is consistent with estimates provided by U.S. government entities and other researchers, and consistent with the presumption the attack was highly targeted,” the company said.

Advertisement. Scroll to continue reading.

The blog post, a copy of which has also been submitted to the U.S. Securities and Exchange Commission (SEC), also provides more information on the attacker’s activities while it had access to SolarWinds systems.

The company said the attacker only targeted its build system for the Orion product, but did not actually modify any source code repository, and the SUNBURST malware has not been found in any other product.

The company has admitted that the threat actor “created and moved” files that it believes contained product source code, but it could not determine the actual content of the files. Additionally, the hackers appear to have accessed files containing some user information related to a customer portal (name, email address, encrypted credentials, billing address, IP), as well as some staff email accounts. In the case of the email accounts, SolarWinds is still working on determining exactly what type of personal information may have been compromised.

As for how the attackers breached its systems in the first place, SolarWinds says three initial access vectors seem the most likely at this point: a zero-day vulnerability in a third-party device or app, a brute-force attack, or social engineering (e.g. targeted phishing).

“While we don’t know precisely when or how the threat actor first gained access to our environment, our investigations have uncovered evidence that the threat actor compromised credentials and conducted research and surveillance in furtherance of its objectives through persistent access to our software development environment and internal systems, including our Microsoft Office 365 environment, for at least nine months prior to initiating the test run in October 2019,” SolarWinds said.

Related: Continuous Updates: Everything You Need to Know About the SolarWinds Attack

Related: US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.