Thousands of businesses and several branches of the US government are now thought to have been affected by the attack on software firm SolarWinds.
The Austin-based company has fallen victim to a massive supply chain attack believed to be the work of state-sponsored hackers.
Along with the US treasury and commerce departments, the Department of Homeland Security is now thought to have been affected by the attack. In a statement to the SEC today, SolarWinds said it had notified 33,000 customers of its recent hack, but that only 18,000 of these used the affected version of its Orion platform.
- We've put together a list of the best endpoint protection software
- Keep your devices virus free with the best malware removal software
- Also check out our roundup of the best ransomware protection
The breach was uncovered by researchers at cybersecurity firm FireEye, which was in the process of investigating a huge cyberattack against its own systems.
According to FireEye, the attackers breached the software provider and then deployed updates for Solarwinds' Orion software that were filled with malware in order to infect the networks of organizations as well as multiple government agencies in the US.
While sources that spoke with the Washington Post credited the Russian-based hacking group APT29 or Cozy Bear with the attack, FireEye instead gave the group the code name of UNC2452 until it could be proven that APT29 really was responsible.
Microsoft also confirmed that SolarWinds had fallen victim to a cyberattack in a series of security alerts privately sent out to its customers on Sunday.
Using updates to deploy malware
In a security advisory sent out late on Sunday, SolarWinds admitted that its Orion software platform was breached in a targeted attack, saying:
“SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
FirEye has named the malware deployed in SolarWinds' Orion updates Sunburst while Microsoft has given it the name Solorigate and added detection rules to its antivirus software. The cybersecurity firm also published a technical report as well as a set of detection rules on GitHub.
SolarWinds plans to release a new update (2020.2.1 HF 2) on Tuesday that “replaces the compromised component and provides several additional security enhancements”.
- We've also highlighted the best antivirus software