The number of confirmed victims of the SolarWinds hack is growing. Microsoft has confirmed it was hacked, although its software was not apparently compromised. Reuters had reported that after compromising Microsoft, the hackers had modified its software to distribute malicious files to its clients. Microsoft issued a statement claiming the Reuters article was incorrect and while SolarWinds binaries were found in its environment, they were not found in its production services or customer data. Microsoft said it has now removed the Solarigate/Sunburst backdoor from its environment. Microsoft did however confirm that more than 40 of its customers are known to have been impacted by the hack and have had the backdoor installed, but not via a Microsoft supply chain attack. Around 44% of the companies notified by Microsoft are in the information technology sector and around 18% are government agencies.
While the compromise of SolarWinds Orion allowed the hackers – suspected to be APT29/Cozy Bear – to gain access to the networks of large numbers of SolarWinds clients, that was not the only attack method used in the campaign. Microsoft reports that the 40+ organizations it has notified were “targeted more precisely and compromised through additional and sophisticated measures.” Microsoft President Brad Smith said the attackers were able to pick and choose their targets from a long list of already compromised organizations. CISA has also reported that it has found evidence that SolarWinds is not the only attack vector in this campaign. Other initial access vectors have been identified and are currently being investigated.
The number of organizations and government agencies known to have been compromised is likely to grow substantially over the coming days and weeks. It is also clear that this is not a standard espionage attack, but something far more serious. “It represents an act of recklessness that created a serious technological vulnerability for the United States and the world,” said Smith. “In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”
CISA, the FBI, and ODNI have now confirmed in a joint statement that many government departments were compromised in the SolarWinds attack, with the victims now known to include the Department of Energy (DoE) and its National Nuclear Security Administration (NNSA). The NNSA maintains the U.S. nuclear stockpile, and the Federal Energy Regulatory Commission (FERC), which oversees the entire department, was also compromised.
The DoE reports that in addition to being impacted by the espionage aspect of the campaign, more damage has been done at FERC than other agencies, confirming they have found evidence of “highly malicious activity.” The exact nature of that activity has not been disclosed publicly.
“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” according to a statement released by the Agency.
In addition to the government agencies already named, others also known to have been affected include the US Treasury, US Department of Homeland Security, US Department of Commerce’s National Telecommunications and Information Administration (NTIA), US Department of State, US Department of Health’s National Institutes of Health (NIH), and the Cybersecurity and Infrastructure Security Agency (CISA). Around 18,000 SolarWinds customers have been affected.
FireEye, which was the first to identify the campaign after itself falling victim, has released IoCs that can be used to identify whether an attack has occurred. FireEye, in collaboration with Microsoft and GoDaddy, has also created a kill switch that can be used to cause the malware to terminate itself.