SolarWinds Shares More Information on Cyberattack Impact, Initial Access Vector

Texas-based IT management company SolarWinds on Friday shared more information on the impact of the significant breach disclosed late last year, and claimed that less than 100 of its customers were actually hacked.

The hackers, which have officially been linked by the United States and others to Russia’s Foreign Intelligence Service (SVR), breached SolarWinds systems in 2019 or possibly even earlier.

They compromised the automated build environment for the company’s Orion monitoring software and in October 2019 they started testing their ability to inject malicious code into Orion builds. However, they only pushed out malicious Orion updates to SolarWinds customers between March and June 2020.

The malicious updates, tracked as SUNBURST, could have been downloaded by up to 18,000 SolarWinds customers, but the actual number of organizations that were affected by the malware was smaller. Moreover, the threat actors only delivered additional malware to a far smaller number of entities that were specifically targeted.

Initial reports said more than 250 organizations were actually breached, but the U.S. government later said that it had identified roughly 100 private sector companies and 9 federal agencies whose systems were targeted by the attackers.

In its blog post on Friday, SolarWinds said it estimated the actual number of customers hacked through the SUNBURST malware to be less than 100.

“This information is consistent with estimates provided by U.S. government entities and other researchers, and consistent with the presumption the attack was highly targeted,” the company said.

The blog post, a copy of which has also been submitted to the U.S. Securities and Exchange Commission (SEC), also provides more information on the attacker’s activities while it had access to SolarWinds systems.

The company said the attacker only targeted its build system for the Orion product, but did not actually modify any source code repository, and the SUNBURST malware has not been found in any other product.

The company has admitted that the threat actor “created and moved” files that it believes contained product source code, but it could not determine the actual content of the files. Additionally, the hackers appear to have accessed files containing some user information related to a customer portal (name, email address, encrypted credentials, billing address, IP), as well as some staff email accounts. In the case of the email accounts, SolarWinds is still working on determining exactly what type of personal information may have been compromised.

As for how the attackers breached its systems in the first place, SolarWinds says three initial access vectors seem the most likely at this point: a zero-day vulnerability in a third-party device or app, a brute-force attack, or social engineering (e.g. targeted phishing).

“While we don’t know precisely when or how the threat actor first gained access to our environment, our investigations have uncovered evidence that the threat actor compromised credentials and conducted research and surveillance in furtherance of its objectives through persistent access to our software development environment and internal systems, including our Microsoft Office 365 environment, for at least nine months prior to initiating the test run in October 2019,” SolarWinds said.

Related: Continuous Updates: Everything You Need to Know About the SolarWinds Attack

Related: US-UK Gov Warning: SolarWinds Attackers Add Open-Source PenTest Tool to Arsenal