Hack of IT Service Provider May Affect Thousands of Private Businesses

On December 13, the software and service provider SolarWinds announced that its Orion software platform had been the target of a sophisticated cyber-attack that may have resulted in malicious code being pushed to as many as 18,000 customers.  The SolarWinds software is used by many corporate and not-for-profit entities of all sizes to monitor the health of their IT networks.  Although the details of this breach are still unfolding, based on the information currently available, Orion users who updated their software between March and June of this year are potentially affected.

This discovery follows last week’s announcement by FireEye, a leading cyber security firm, that it had been hacked by what it believed to be a sophisticated state actor.  Then, last weekend, it was announced that several federal agencies were hacked, including the United States Departments of Homeland Security (“DHS”), Defense, State, Treasury, and Commerce’s National Telecommunications and Information Administration.  FireEye determined that the hack was effected through a backdoor within its SolarWinds software, which is also used by the federal government and many Fortune 500 companies.  According to FireEye, after a dormant period, intruders utilized hidden malware which could retrieve and execute commands that include the ability to transfer and execute files, profile the system, reboot the machine, and disable system services.  According to Microsoft, given Orion’s position within IT networks, attackers could access “elevated credentials,” including administrative permissions.

It is not yet clear to what extent the attackers targeted private entities.  FireEye announced that it has detected activity at multiple entities worldwide, including government, consulting, technology, and telecom entities in North America, Europe, Asia, and the Middle East.  However, early investigation results are somewhat positive, suggesting that the hackers may have been discriminating about whom they chose to actually infiltrate.  And SolarWinds “believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.”  As of Tuesday, it was reported that Microsoft had taken possession of a key domain name used by the intruders to control infected systems, and was working to understand which and how many SolarWinds customers were affected.

DHS’s cyber security agency issued an emergency directive requiring all federal civilian agencies to “disconnect or power down SolarWinds Orion products immediately.”  DHS also urged “all our partners—in the public & private sectors—to assess their exposure to this compromise and to secure their networks.”  SolarWinds continues to update its Security Advisory, and as of Tuesday, appears to have isolated the vulnerability to a few versions of its software, which it recommends updating immediately. 

While the situation remains fluid, if you are a SolarWinds customer, we recommend you consider taking the following steps if you have not already done so:

  1. Per DHS’s recommendation, disconnect or power down affected SolarWinds Orion products from your network.
  2. Contact your SolarWinds representative to further understand how this breach might affect your system.
  3. Work with your IT professionals to analyze stored network traffic for indicators of compromise from the attack.  Your IT team can refer to DHS’s guidance for more information and recommended mitigation.  SolarWinds’ Security Advisory also provides information, including a list of known affected products. 
  4. Consider retaining external counsel to advise on next steps and legal risk associated with this incident.

We will continue to follow this story and post updates as appropriate.