SolarWinds told SEC that about 18,000 of its customers were compromised for 6 months in the hack of its Orion software
Earlier today, we wrote about SolarWinds after the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive calling on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
Now, the security company at the center of the hack, SolarWinds, is speaking out after CISA issued the emergency directive. On Monday, SolarWinds said fewer than 18,000 of its customers had downloaded a compromised software update, which allowed suspected Russian hackers to spy on global businesses and governments unnoticed for almost nine months, according to a report from Reuters.
SolarWinds, which boasts 300,000 customers globally, said in a regulatory disclosure it believed the attack was the work of an “outside nation-state” that inserted malicious code into updates of its Orion network management software issued between March and June this year.
In an SEC filing, the company said:
“SolarWinds has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but SolarWinds has not independently verified the identity of the attacker. SolarWinds has retained third-party cybersecurity experts to assist in an investigation of these matters, including whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems, and in the development of appropriate mitigation and remediation plans. SolarWinds is cooperating with the Federal Bureau of Investigation, the U.S. intelligence community, and other government agencies in investigations related to this incident.”
“Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the “Relevant Period”), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products. SolarWinds has taken steps to remediate the compromise of the Orion software build system and is investigating what additional steps, if any, should be taken. SolarWinds is not currently aware that this vulnerability exists in any of its other products,” SolarWinds said. The company added:
“SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.”
SolarWinds customers include the majority of the United States’ Fortune 500 companies and some of the most sensitive parts of the U.S. and British governments – such as the White House, defense departments, and both countries’ signals intelligence agencies.