SolarWinds Hackers Cast a Wide Net
Acting CISA Director: About 30% of Hacking Victims Didn't Use Orion Software
Up to 30% of the organizations hit as part of the apparent cyberespionage campaign waged by the hackers responsible for the SolarWinds supply chain attack did not use the company's compromised Orion network monitoring software, Brandon Wales, acting director of the U.S. Cybersecurity and Infrastructure Security Agency, tells The Wall Street Journal. These victims were targeted in a variety of other ways, he says.
"We don't see anything that counters CISA's belief around victimology," says Vikram Thakur, a senior threat analyst with security firm Symantec. "They're likely aware of a much larger set of victims than we are, so I would say their estimate is accurate."
A Multitude of Methods
Wales told The Wall Street Journal that the cyberespionage operation gained access to targets using a multitude of methods, including password spraying and exploits of vulnerabilities found in cloud software.
"This adversary has been creative. It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign," Wales said. He took over as acting director after former President Donald Trump fired his predecessor, Chris Krebs, in mid-November 2020.
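Password spraying, one of the access methods Wales cites, leaves a recognizable trace in authentication logs: a single source failing against many different accounts with only one or two attempts each, rather than hammering one account, and the real damage signal is a success from that same source once a weak password lands. The detector below is an added example written for this article, not code from CISA, SolarWinds or any company named here; the sign-in lines, IP addresses (RFC 5737 test ranges) and account names are constructed, and the thresholds are assumptions a team would tune to its own tenant.

```python
"""Password-spray detection over constructed sign-in log lines (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events for a hypothetical tenant; not real telemetry.
# Format per line: <ISO-8601 UTC timestamp> <source IP> <account> <FAILURE|SUCCESS>
# 203.0.113.7  : spray pattern (many accounts, one try each, then a success)
# 198.51.100.4 : brute force against one account (not a spray)
# 192.0.2.10   : ordinary user mistyping once, then logging in
SAMPLE_LOG = """\
2021-01-15T08:00:01Z 203.0.113.7 alice@example.com FAILURE
2021-01-15T08:00:04Z 203.0.113.7 bob@example.com FAILURE
2021-01-15T08:00:09Z 203.0.113.7 carol@example.com FAILURE
2021-01-15T08:00:13Z 203.0.113.7 dave@example.com FAILURE
2021-01-15T08:00:20Z 203.0.113.7 erin@example.com FAILURE
2021-01-15T08:00:27Z 203.0.113.7 frank@example.com SUCCESS
2021-01-15T08:01:00Z 198.51.100.4 mallory@example.com FAILURE
2021-01-15T08:01:02Z 198.51.100.4 mallory@example.com FAILURE
2021-01-15T08:01:05Z 198.51.100.4 mallory@example.com FAILURE
2021-01-15T08:01:07Z 198.51.100.4 mallory@example.com FAILURE
2021-01-15T08:01:10Z 198.51.100.4 mallory@example.com FAILURE
2021-01-15T08:01:12Z 198.51.100.4 mallory@example.com FAILURE
2021-01-15T08:05:00Z 192.0.2.10 grace@example.com FAILURE
2021-01-15T08:05:30Z 192.0.2.10 grace@example.com SUCCESS
"""


def parse_line(line):
    """Parse one whitespace-separated sign-in record into a dict."""
    ts, src, user, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src,
        "user": user,
        "result": result,
    }


def parse_log(text):
    """Parse a whole log blob, skipping blank lines."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_per_user=2):
    """Return {source_ip: finding} for sources whose failures inside any
    `window`-long span hit at least `min_users` distinct accounts while no
    single account is tried more than `max_per_user` times. Many attempts
    on one account is brute force, a different pattern, and is not flagged.
    Thresholds are assumptions; tune them to the tenant's normal traffic."""
    failures_by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAILURE":
            failures_by_src[ev["src"]].append(ev)

    findings = {}
    for src, fails in failures_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window so fails[start:end+1] all fall within `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(f["user"] for f in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {
                    "distinct_users": len(per_user),
                    "window_start": fails[start]["ts"],
                    "window_end": fails[end]["ts"],
                }
                break  # one finding per source is enough for triage
    return findings


def successes_after_spray(events, findings):
    """For each flagged source, list accounts that authenticated successfully
    from it at or after the end of its spray window: the likely compromised
    credentials that warrant a password reset and session revocation."""
    hits = {}
    for src, finding in findings.items():
        users = sorted({
            ev["user"] for ev in events
            if ev["src"] == src and ev["result"] == "SUCCESS"
            and ev["ts"] >= finding["window_end"]
        })
        if users:
            hits[src] = users
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = detect_password_spray(evs)
    for src, f in found.items():
        print(f"spray from {src}: {f['distinct_users']} accounts between "
              f"{f['window_start']:%H:%M:%S} and {f['window_end']:%H:%M:%S}")
    for src, users in successes_after_spray(evs, found).items():
        print(f"successful sign-in from {src} after spray: {', '.join(users)}")
```

The two-pointer window keeps the check linear in the number of failures per source, and separating "spray detected" from "success after spray" lets the first feed a low-priority alert while the second pages someone. Real deployments read the same fields from Azure AD sign-in logs or an IdP's audit stream rather than a text blob, and often key on a user-agent or ASN as well as the source IP, since a distributed spray rotates addresses.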
A CISA spokesperson tells Information Security Media Group the agency is not divulging details about the victims because it's still trying to fully investigate the campaign.
"While the supply chain compromise of SolarWinds first highlighted the significance of this cyber incident, our response has identified the use of multiple additional initial infection vectors," the spokesperson says. "We have found that significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds."
Earlier this month, CISA said the agency had evidence of other initial access vectors in addition to the compromised SolarWinds Orion platform.
"Because SolarWinds was the first implicated, it doesn't necessarily follow that it was the only means to achieving the ultimate goal," says Mike Hamilton, founder and CISO at CI Security. "Serious espionage agents would have a variety of tools, tactics and procedures that would provide redundancy."
CISA and other U.S. agencies investigating the operation believe that a Russia-linked group was likely responsible for the cyberespionage campaign. Russia has denied any involvement.
The security firm Malwarebytes noted last week that it was among the companies targeted by the hackers that hit SolarWinds - despite not using its compromised Orion software (see: Malwarebytes CEO: Firm Targeted by SolarWinds Hackers).
"While Malwarebytes does not use SolarWinds [hacked software], we, like many other companies, were recently targeted by the same threat actor," Malwarebytes CEO Marcin Kleczynski notes in a blog. The hackers appear to have exploited a dormant email protection tool within the company's Office 365 system to gain access to a subset of the firm's emails, he writes.
Hamilton, the former vice chair of the Department of Homeland Security's State, Local, Tribal, and Territorial Government Coordinating Council, believes that the cyberespionage operation likely targeted many of its victims, including Malwarebytes, to gain access to their customer lists.
"I note that these companies provide firewalls, network security, email security, endpoint security and malware removal. It's this list of victims - who fall into the trend of third parties being compromised for eventual access to their customers - to which we should be paying attention," Hamilton says.
SolarWinds: The Backstory
The hackers added a backdoor called "Sunburst" into SolarWinds' Orion network monitoring software perhaps as early as September 2019, according to the company's analysis.
Up to 18,000 customers installed and ran the Trojanized software. The hackers then used Sunburst to target some of those customers. Intelligence experts have suggested that about 300 organizations may have been hit with these more advanced hack attacks, which could have led to data exfiltration, eavesdropping - including email inbox access - and follow-on attacks against business partners (see: Mimecast Confirms SolarWinds Hackers Breached Company).