Up to 18,000 businesses, government agencies, and other entities downloaded the software update that made them vulnerable to being hacked, according to the company behind the update.
SolarWinds, an information technology firm, said in a new filing that the company believes up to 18,000 customers installed updates of its Orion network, which experts say opened them up to an attack that centered around a malware known as SUNBURST.
Among the entities affected were the Department of Commerce, whose spokesman confirmed to The Epoch Times that it was breached.
“There has been significant media coverage of attacks on U.S. governmental agencies and other companies, with many of those reports attributing those attacks to a vulnerability in the Orion products. SolarWinds is still investigating whether, and to what extent, a vulnerability in the Orion products was successfully exploited in any of the reported attacks,” SolarWinds said in a filing to the Securities and Exchange Commission on Monday.
SolarWinds serves over 300,000 customers around the world. According to a partial customer listing that was taken offline, customers include all five branches of the U.S. military, more than 425 of the U.S. Fortune 500, and the Office of the President of the United States.
The companies include Dominion Voting Systems, which provides voting equipment and software to 28 states. Dominion didn’t respond to a request for comment but a spokesperson told the Wall Street Journal that the company doesn’t use the Orion platform.
The Department of Homeland Security’s Cybersecurity & Infrastructure Agency (CISA) on Monday ordered all agencies that had downloaded the updates in question to disconnect the affected devices, saying it was the only known mitigation measure at present.
SolarWinds said on its website that its systems “experienced a highly sophisticated, manual supply chain attack,” adding: “We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
In the filing, SolarWinds said an investigation uncovered evidence that the vulnerability was inserted within Orion products and existed in updates released between March and June.
Customers were told to upgrade affected products to a new version or take the platform offline.
According to the cybersecurity firm FireEye, the hackers trojanized the Orion update to distribute the malware, or malicious code.
According to the network security firm Volexity, the attacks are tied to multiple incidents late last year and during this year at a U.S.-based think tank that the company helped respond to.
Volexity said it found the attackers exploited a vulnerability in the organization’s Microsoft Exchange Control Panel.
Microsoft told users that the actor behind the attacks intruded through malicious code in Orion.
“This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials,” it said. “Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.”
SAML stands for Security Assertion Markup Language, or a standard for users to log into applications.
Ivan Pentchoukov contributed to this report.