SolarWinds says "fewer than 18,000" customers compromised

Software update allowed hackers to spy unnoticed for almost nine months.

SolarWinds said fewer than 18,000 of its customers had downloaded a compromised software update which allowed suspected Russian hackers to spy on global businesses and governments unnoticed for almost nine months.

The United States issued an emergency warning, ordering users to disconnect and disable SolarWinds software which it said had been compromised by "malicious actors."

That warning came after Reuters reported suspected Russian hackers had used hijacked SolarWinds software updates to break into multiple American government agencies, including the Treasury and Commerce departments.

Moscow denied having any connection to the attacks.

SolarWinds said in a regulatory disclosure it believed the attack was the work of an "outside nation state" that inserted malicious code into updates of its Orion network management software issued between March and June this year.

"SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000," it said.

The company did not respond to requests for comment about the exact number of compromised customers or the extent of any breaches at those organisations.

It said it was not aware of vulnerabilities in any of its other products and it was now investigating with help from US law enforcement and outside cyber security experts.

SolarWinds boasts 300,000 customers globally, including the majority of the United States' Fortune 500 companies and some of the most sensitive parts of the US and British governments - such as the White House, defence departments and both countries' signals intelligence agencies.

Investigators around the world are now scrambling to find out who was hit.

A British government spokesman said the UK was not currently aware of any impact from the hack but was still investigating.

The US Department of Homeland Security did not immediately respond to a request for comment.

Two people familiar with the investigation into the hack told Reuters that any organisation running a compromised version of the Orion software would have had a "backdoor" installed in their computer systems by the attackers.

"After that, it's just a question of whether the attackers decide to exploit that access further," said one of the sources.

However, initial indications suggest that the hackers were discriminating about who they chose to break into, according to two people familiar with the wave of corporate cybersecurity investigations being launched.

"What we see is far fewer than all the possibilities," said one person. "They are using this like a scalpel."

FireEye, a prominent cybersecurity company that was breached in connection with the incident, said in a blog post that other targets included "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East."

"If it is cyber espionage then it is one of the most effective cyber espionage campaigns we've seen in quite some time," said John Hultquist, FireEye's director of intelligence analysis.

The Australian Cyber Security Centre (ACSC) urged Australian organisations to follow the advice of FireEye and SolarWinds, or to call it directly for assistance.

SolarWinds has now published a security advisory on the affected Orion version number.

"The software upgrade has reportedly been signed using a valid SolarWinds code signing certificate and delivered through regular update channels from SolarWinds," the ACSC said.

"FireEye and SolarWinds have published mitigation actions, which initially recommend applying Orion patch 2020.2.1 HF.

"If that is not possible, SolarWinds recommend ensuring Orion servers are isolated by limiting the ports and connections to only what is necessary, and disabling internet access to Orion servers."

Additional reporting by iTnews.