SolarWinds: Up to 18,000 customers vulnerable to hackers

On Sunday, several media outlets reported that a group of hackers backed by a foreign government had carried out cyber attacks on the U.S. Treasury and Commerce Departments.

As many as 18,000 businesses, government agencies and other entities have downloaded a software update that leaves them vulnerable to hackers, according to the company, whose network-management software is used by federal government agencies.

SolarWinds, an information technology company, said in a new filing that it believed as many as 18,000 customers had installed the affected Orion network-management updates. Experts say this exposes them to cyber attacks linked to malware called SUNBURST.

Among the affected entities was the U.S. Commerce Department, whose spokesman confirmed the breach.

“There has been extensive media coverage of hacking attacks on US government agencies and other companies, many of which have attributed these attacks to vulnerabilities in Orion products,” SolarWinds said in a filing with the Securities and Exchange Commission on Monday. “SolarWinds is still investigating whether and to what extent the bug in Orion’s products could have been exploited.”

SolarWinds serves more than 300,000 customers worldwide. According to a partial customer list that has since been taken offline, its clients include all five branches of the US military, 425 Fortune 500 companies, the Office of the US President and more.

Also among the customers is Dominion Voting Systems, which supplies voting equipment and software to 28 states. Dominion did not respond to requests for comment, but a spokesman told the Journal that the company does not use the Orion platform.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) on Monday ordered all agencies that had downloaded the affected software update to disconnect the affected devices from the internet, which it said was the only known way to mitigate the threat.

On its website, SolarWinds said its systems had “experienced a highly complex, manual supply chain attack,” and added: “We have been advised that this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted and manually executed attack, as opposed to a broad, system-wide attack.”

In its filing, SolarWinds said that an investigation had found evidence that the malicious code had been embedded in Orion product updates released between March and June. Its customers have been told to upgrade affected products to new versions or to take their internet-connected Orion platforms offline.

According to FireEye, a cyber security company, the hackers trojanized legitimate Orion software updates, using them to deliver malware to the organizations that installed them.

According to Volexity, a security company that helped respond to a series of hacking incidents at a US think tank late last year and this year, those incidents are linked to the same attackers.

Volexity said it discovered that the hackers had exploited a vulnerability in Microsoft Exchange’s control panel on the think tank’s network.

Microsoft told customers that the hackers behind the attacks were using the malicious code inserted into Orion.

Microsoft said: “This results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token-signing certificate. This enables the intruder to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including those with high-level permissions.”
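The forgery Microsoft describes works because a relying party accepts any assertion carrying a valid signature, regardless of which certificate produced it. One defensive check a service or a SIEM rule can apply is to pin the identity provider's known signing-certificate thumbprints and to flag assertions that are signed by an unlisted certificate or that carry an unusually long validity window. The script below is an added illustration, not code from Microsoft, SolarWinds or any of the companies named in the article; the issuer URL, the certificate bytes and the sample assertions are all constructed placeholders, and the script assumes the normal XML-Signature verification has already been performed elsewhere.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER-encoded certificate bytes. A real deployment
# would load the organisation's published IdP signing certificate(s) instead.
KNOWN_IDP_CERT = b"constructed-known-idp-signing-certificate"
ROGUE_CERT = b"constructed-certificate-not-issued-by-the-idp"


def thumbprint(der_bytes: bytes) -> str:
    """SHA-256 thumbprint of certificate bytes, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


# Allowlist of signing-certificate thumbprints the relying party will accept.
TRUSTED_SIGNER_THUMBPRINTS = {thumbprint(KNOWN_IDP_CERT)}
EXPECTED_ISSUER = "https://idp.example.test"      # hypothetical IdP entityID
MAX_ASSERTION_LIFETIME = timedelta(hours=1)       # policy value, assumed here


def _parse_time(value: str) -> datetime:
    # SAML timestamps are ISO 8601 in UTC; older Pythons reject a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_assertion(xml_text: str, now: datetime) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    root = ET.fromstring(xml_text)

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != EXPECTED_ISSUER:
        findings.append(f"unexpected issuer {issuer!r}")

    # Which certificate signed this assertion? Compare it to the pinned set.
    cert_el = root.find(".//ds:Signature//ds:X509Certificate", NS)
    if cert_el is None or not cert_el.text:
        findings.append("no signing certificate in Signature block")
    else:
        tp = thumbprint(base64.b64decode(cert_el.text.strip()))
        if tp not in TRUSTED_SIGNER_THUMBPRINTS:
            findings.append(f"signing certificate {tp[:16]}... is not a pinned IdP certificate")

    # Forged tokens are often minted with generous lifetimes; enforce policy.
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        findings.append("no Conditions element")
    else:
        not_before = _parse_time(cond.get("NotBefore"))
        not_after = _parse_time(cond.get("NotOnOrAfter"))
        if not_after - not_before > MAX_ASSERTION_LIFETIME:
            findings.append(f"assertion lifetime {not_after - not_before} exceeds {MAX_ASSERTION_LIFETIME}")
        if not (not_before <= now < not_after):
            findings.append("assertion is not valid at the current time")
    return findings


def build_assertion(issuer, cert_der, not_before, not_on_or_after, subject):
    """Construct a minimal assertion for the demo (KeyInfo only; no real signature)."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></ds:Signature>"
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f"</saml:Assertion>"
    )


# Constructed sample inputs: one ordinary assertion from the real IdP and one
# signed by a certificate the organisation never published, with a year-long lifetime.
NOW = datetime(2020, 12, 14, 12, 0, tzinfo=timezone.utc)
GOOD_ASSERTION = build_assertion(
    EXPECTED_ISSUER, KNOWN_IDP_CERT, "2020-12-14T11:55:00Z", "2020-12-14T12:55:00Z", "alice@example.test")
SUSPECT_ASSERTION = build_assertion(
    EXPECTED_ISSUER, ROGUE_CERT, "2020-12-14T00:00:00Z", "2021-12-14T00:00:00Z", "globaladmin@example.test")

if __name__ == "__main__":
    for label, assertion in (("good", GOOD_ASSERTION), ("suspect", SUSPECT_ASSERTION)):
        print(label, check_assertion(assertion, NOW) or "OK")
```

Pinning the signing certificate is only useful if the pinned set itself is managed outside the compromised administrative path, for example reviewed from the identity provider's published federation metadata rather than taken from whatever certificate the last assertion carried; any change to that set should itself raise an alert.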