Earlier in the week, the White House had acknowledged that a Russian state-sponsored group known as the Cozy Bear or APT 29 carried out targeted cyberattack on several U.S. Government agencies. Other than this, the hack is believed to have successfully compromised the networks of many private organizations.
Reports suggest a link between this attack and the mass outage that Google faced yesterday for many of its products, including Gmail and YouTube.
The attack was carried out by means of updates that were provided between March and June 2020, to a widely used IT infrastructure management software provided by SolarWinds, called Orion.
SolarWinds Says Nearly 18,000 Customers Affected
According to the guidelines of regulatory disclosure, SolarWinds filed the Form 8-K with the Securities and Exchange Commission (SEC). In the filing, SolarWinds mentioned that it has a customer base of more than 300,000, however, analysis suggest that only less than 18,000 of them were actually affected by this supply chain attack as they had unknowingly installed the SolarWinds’ Orion backdoored update.
SolarWinds Orion is basically a management tool and thus used by many top organizations including the U.S. federal agencies. In its security advisory, SolarWinds has clearly stated that only Orion software build versions 2019.4 HF 5 and 2020.2 were affected by the vulnerability and no other non-Orion products were impacted.
CISA Issues Code Red
According to the CRN report, after looking at the gravity of the incident and gauging repercussions of this prolonged cyberattack, the U.S. government in its emergency meeting decided to power down all systems with SolarWinds Orion management tools installed on them.
The country’s top cybersecurity governing body, CISA, has also gone ahead and issued only the fifth emergency directive thus far under the authorities granted by Congress in the Cybersecurity Act of 2015, to mitigate the SolarWinds Orion compromise. Taking a stern stance on the situation, CISA Acting Director, Brandon Wales said,
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks. This directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
SolarWinds on the other hand has asked its customers to upgrade their platforms to versions 2019.4 HF 6 and 2020.2.1 HF 1, respectively, at the earliest.
SolarWinds’ Director knew this?
Twitter has been abuzz since the outbreak of this cyberattack news simply because of the number of top SolarWinds’ clientele being affected. Many cybersecurity pundits have criticized SolarWinds and the federal authorities for the haphazard way the entire episode was handled.
I’m saving my “What about SolarWinds?” for the next time the FBI tries to tell me that backdooring end-to-end encryption will be fine because the US government will protect the keys.
— Eva (@evacide) December 15, 2020
However, some reports suggest that the Director of SolarWinds, Aurora Co-Invest L.P. Slp, already sniffed the issue in hand and sold 2,079,823 shares amounting to nearly $45.7 Million. The shares were sold at an average price of $21.97 a week before the public announcement.
Nothing to see here. Nope.
REVEALED: #SolarWinds Director Sold $45.7 MILLION in Stock Options Last Week Before #CISA Announcement Sunday https://t.co/h25V8diLnk via @gatewaypundit
— AwakenedOutlaw⚒️ (@AwakenedOutlaw) December 14, 2020
SolarWinds, as stated earlier, has a huge and diverse clientele. It would be safe to say that the numbers of affected customers and associated breaches can increase in the days to come.
White House Confirms Cyberattack on U.S. Dept of Treasury and Commerce