At the heart of the most widespread cyber attack in recent memory is a two-decade-old software maker, Austin, Texas-based SolarWinds Corp. Despite being little known outside of geeky technology circles, its customer list boasts a branch of the U.S. Army and a quarter of the Fortune 500.
Many of those customers found themselves exposed because suspected Russian hackers inserted a vulnerability into a popular SolarWinds software product designed to give users a bird’s-eye view of the applications running on their networks and how those applications are performing.
In a filing with the U.S. Securities and Exchange Commission on Monday, SolarWinds said it believes its monitoring products may have been used to compromise the servers of 18,000 customers. Those clients include government agencies around the world and some of the world’s largest companies.
In the filing, the company said it “has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.” It added: “SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”
SolarWinds shares fell 17% to $19.62 on Monday. The company said it had sent mitigation steps to affected customers and would release an additional “hotfix” update on December 15.
APT29, a hacking group affiliated with the Russian government, is suspected of being behind the breach. Reuters reported that the Commerce Department was breached, as were the Departments of Homeland Security and Treasury.
The global hacking campaign also included a December 8 cyber attack on cybersecurity firm FireEye Inc.
The Russian embassy has denied any involvement in the hack, saying Russia “does not carry out cyber attacks.”
Governments and corporations are now racing to determine how such a security catastrophe came about, and an obscure company founded by two brothers in the 1990s now appears to be at the center of a major Russian intelligence operation.
According to its website, SolarWinds has more than 300,000 customers. Outside the United States, it has signed agreements with the UK National Health Service, the European Parliament and NATO.
The company, founded by brothers David Yonce and Donald Yonce in Tulsa two decades ago, grew out of a “long, specific list of frustrations about managing their infrastructure” voiced by the brothers’ friends, according to a January article on the company’s website. “They were part of the same perpetual debate we all share in technology: ‘Why can’t someone create a tool called X?!’ The difference is that they decided to do something about it.”
SolarWinds sells network monitoring tools to government agencies and private-sector companies, marketing itself as “everyone’s information technology” on its home page, where it also describes its U.S. government and private-sector customers.
Its Orion product is a powerful and important monitoring tool that lets system administrators see the status of a company’s or organization’s network at a glance. Because Orion gathers information from across the entire network, it also has privileged access to key parts of that network.
“It gives you visibility across your entire network and allows you to respond quickly when a server or router goes down,” said Ben Johnson, chief technology officer at Obsidian Security. “But if you are trying to do global monitoring of systems and traffic, it has very privileged access.”
According to data from Gartner Inc., SolarWinds is the largest maker of IT operations software after Splunk Inc. and International Business Machines Corp. SolarWinds’ other major competitors are Cisco Systems Inc. and Microsoft Corp.
According to blog posts by FireEye and Microsoft Corp., the hackers infiltrated Orion’s update system and introduced malicious code disguised as regular Orion updates. Updates released between March and June are likely to be affected, the company said. According to FireEye, the hacking tool embedded in the update even stores the data it steals inside Orion’s own software files, so the hackers’ activity looked like legitimate Orion traffic on a company’s network.
As of midday Monday, Karim Hijazi, founder and CEO of Maryland-based cybersecurity firm Prevailion Inc., said the malicious update was still available for download on SolarWinds’ website. Hijazi said his team compared the available download with the security alerts that identify the tampered update, and it was an exact match.
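The comparison Hijazi’s team describes, matching a downloadable package against the indicators published in security alerts, is the same check an administrator can run over a local update cache. The script below is an added illustration written for this article; it is not Prevailion’s tooling or SolarWinds code, and every hash and file name in it is a constructed placeholder rather than a real indicator from the FireEye or SolarWinds advisories. It hashes installer files in chunks, compares the digests case-insensitively against an advisory list, and reports the matches.

```python
"""Compare cached update packages against hashes published in a security advisory.

Added illustration.  Every hash and file name below is constructed for the demo;
none is a real indicator from the SolarWinds advisories or from FireEye.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for an update package that was tampered with in the
# vendor's build pipeline and for one that was not.
TAMPERED_BYTES = b"constructed stand-in for a trojanized update package\n"
CLEAN_BYTES = b"constructed stand-in for an unmodified update package\n"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte installers need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_update_cache(root, known_bad, suffixes=(".msp", ".msi", ".dll", ".zip")):
    """Walk an update cache and return (path, sha256, label) for each installer
    whose digest appears in the advisory list.  Advisories publish hex in mixed
    case, so the comparison is case-insensitive."""
    indicators = {digest.lower(): label for digest, label in known_bad.items()}
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            digest = sha256_of_file(path)
            if digest in indicators:
                hits.append((str(path), digest, indicators[digest]))
    return hits


def build_demo_cache():
    """Create a throwaway update cache with one tampered and one clean package,
    plus a non-installer file that the scan should ignore.  Returns the cache
    directory and a constructed advisory list keyed by upper-case SHA-256."""
    root = Path(tempfile.mkdtemp(prefix="update-cache-"))
    (root / "monitoring-update-march.msp").write_bytes(TAMPERED_BYTES)
    (root / "monitoring-update-july.msp").write_bytes(CLEAN_BYTES)
    (root / "notes.txt").write_bytes(TAMPERED_BYTES)  # wrong suffix: skipped
    known_bad = {
        hashlib.sha256(TAMPERED_BYTES).hexdigest().upper():
            "placeholder: trojanized update package listed in advisory",
    }
    return root, known_bad


def run_demo():
    """Build the demo cache, scan it, and return (hits, known_bad)."""
    root, known_bad = build_demo_cache()
    return scan_update_cache(root, known_bad), known_bad


if __name__ == "__main__":
    found, _ = run_demo()
    for file_path, file_digest, label in found:
        print(f"MATCH {file_path}\n  sha256={file_digest}\n  {label}")
    if not found:
        print("no advisory-listed packages found (not proof of a clean host)")
```

A match means the cached package is the build the advisory describes and the host should be treated as affected. No match is weaker evidence: a tampered package may have been installed and then deleted from the cache, so the installed Orion binaries and the vendor’s hotfix guidance still need to be checked.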
That seems to contradict the company’s earlier statement that Orion products downloaded after June were not affected. Asked about the continued availability of the malicious file, SolarWinds declined to comment and referred the Bloomberg reporter to its SEC filing. Following the email exchange, the web page that previously hosted the malicious software update was taken down, Prevailion said. It now reads “not found.”
The number of victims is likely to rise as companies and governments comb their computer systems for traces of the hackers.
“The victims include government, consulting, technology, telecommunications and extractive companies in North America, Europe, Asia and the Middle East,” FireEye reported. “We expect more victims in other countries and verticals.”
The extent of the damage caused by the hacking campaign is not yet known. Russian hackers typically prioritize the most valuable intelligence targets, meaning that not every SolarWinds customer was necessarily penetrated. “Once you find out, you start pulling everything you can,” Johnson said. “It’s going to be a crazy week.”
© Copyright 2020 Bloomberg News. All rights reserved.