Michigan Used SolarWinds Orion Software, Says Election-Related Networks Not Connected

December 26, 2020 Updated: December 27, 2020

The state of Michigan was using the software that was attacked through malicious code earlier this year, an official confirmed to The Epoch Times.

The SolarWinds Orion software was compromised through malware, or malicious code, which was able “to transfer files, execute files, profile the system, reboot the machine, and disable system services,” according to cybersecurity firm FireEye, which was among those whose systems were breached.

The state of Michigan did utilize the Orion software, a spokesman for the Michigan Department of Technology, Management, and Budget told The Epoch Times in an email this week.

Caleb Buhs, the spokesman, said it “was not connected with any election-related networks in the Michigan Department of State,” which runs elections.

A spokesperson for that department declined to provide more information.

Buhs said: “At the direction of the Department of Homeland Security, we removed SolarWinds from our network immediately and it has not been put back into service. Michigan has completed a forensic investigation and has determined there was no indication of compromise within our systems.”

Michigan’s use of SolarWinds was first reported by independent reporter Kyle Becker, who noted state documents from recent years that said the Department of Technology, Management, and Budget was using SolarWinds network-management software and tools.

Michigan has been a key focus of the battle by Republicans to contest election results. They point to irregularities in the state, including a change of thousands of votes in Antrim County, resulting in President Donald Trump getting over 4,000 more votes than initially reported. State officials have challenged allegations, saying they’re unfounded.

According to SolarWinds, a Texas-based information technology firm, up to 18,000 customers installed the update of its Orion software that made them vulnerable to being hacked.

The compromises affected multiple government networks, including those of the Departments of Commerce and Treasury.

The Department of Homeland Security’s cybersecurity agency earlier this month ordered agencies that were using the Orion software to quickly disconnect affected devices. In an update, the agency said the “advanced persistent threat” actor behind the attacks, which date back to at least March, “has demonstrated patience, operational security, and complex tradecraft in these intrusions.”

“Removing this threat actor from compromised environments will be highly complex and challenging for organizations,” the agency said.

Some Trump administration officials and members of Congress say Russia is behind the attack, but the president has said China may be the culprit.

In a partial customer list that was taken offline, SolarWinds boasted that all five branches of the U.S. military used its services, along with agencies such as the office of the president and 425 of the Fortune 500 companies.

SolarWinds CEO Kevin Thompson said on Dec. 18 that the company is focused on responding to the breach.

The vulnerability, if present and activated, “could potentially allow an attacker to compromise the server on which Orion products run,” he said.

Correction: A previous version of this article incorrectly described the SolarWinds software product Orion. The Epoch Times regrets the error.

Follow Zachary on Twitter: @zackstieber