Sunday, January 03, 2021

SolarWinds Breach ‘Much Worse’ Than Feared

The SolarWinds breach keeps growing in scope and severity. On Dec. 31, Microsoft admitted that the suspected Russian hackers accessed its internal source code. And a New York Times report over the weekend said cybersecurity officials believe the attack hit about 250 United States federal agencies and large corporations.

Microsoft had already confirmed that it downloaded the SolarWinds Orion software update containing malicious code, which security officials say Russian state-sponsored hackers inserted into the update to gain access to hundreds of organizations’ networks beginning in the spring of 2020. But its earlier blogs didn’t indicate that the attackers had accessed Microsoft’s own systems. That changed in a New Year’s Eve blog post in which Microsoft said the hackers did, in fact, gain access to its source code. According to the company, however, the attackers did not compromise Microsoft’s production services or customer data, nor did they use Microsoft’s systems to attack other organizations.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the blog post said. “The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated.”

Meanwhile, a Jan. 2 New York Times article that cites “key players” investigating the SolarWinds breach reports that it is much broader than security officials first thought. Russian hackers, who managed the attack from servers inside the U.S., gained access to as many as 250 networks, it says.

Additionally, “early warning” sensors that Cyber Command and the National Security Agency put inside foreign networks to detect attacks in progress failed, and there is no indication that human intelligence alerted the government to the hack, according to the New York Times.

“This is looking much, much worse than I first feared,” Sen. Mark Warner, the ranking member of the Senate Intelligence Committee, told the publication. “The size of it keeps expanding. It’s clear the United States government missed it. And if FireEye had not come forward, I’m not sure we would be fully aware of it to this day.”

FireEye, in early December, disclosed that a “highly sophisticated threat actor” stole its internal hacking tools in what the cybersecurity vendor believed was a nation-state attack targeting its government customers. About a week later, FireEye said the nation-state hackers breached its network by inserting malicious code into a SolarWinds software update that was sent to about 18,000 Orion customers, and SolarWinds issued its own security advisory about the supply chain attack.

The New York Times article also reports that SolarWinds was an easy target for the hackers because it “had a history of lackluster security for its products.” A separate Bloomberg report, which cites former SolarWinds employees and external investigators, describes the breach as “inevitable.” Former SolarWinds engineers warned management about potential security risks as far back as 2017 but were ignored. “My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack,” Ian Thornton-Trump, now the chief information security officer at threat intelligence firm Cyjax, told Bloomberg.
