A group of hackers reportedly compromised certain software tools used by many Fortune 500 companies and a number of federal agencies, according to the US Department of Homeland Security’s (DHS) and cybersecurity firm FireEye’s statements published yesterday.
The software in question is IT monitoring and management tool Orion developed by SolarWinds. Per FireEye’s report, it is used by “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.”
The firm explained that the hacking campaign is currently ongoing and “may have begun as early as spring 2020”—when the attackers injected their malware into SolarWinds’ software updates.
The group reportedly used a so-called “supply chain attack,” a method by which malicious actors stealthily inject their trojans into legitimate software update infrastructure.
FireEye also stated that it had become one of the victims of a “highly evasive attacker” that used SolarWinds’ digital supply chain to “compromise multiple global victims with SUNBURST backdoor.”
In its official statement, SolarWinds said that it “has just been made aware” that its systems “experienced a highly sophisticated, manual supply chain attack.” The company also noted that the exploit was reportedly present in several versions of its Orion software released between March and June.
“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds added.
Per Financial Times’ report, the company also revealed that it is currently cooperating in an investigation alongside FireEye, the FBI, and other law enforcement agencies.
The DHS published an emergency directive on Sunday, urging government agencies to disable all IT infrastructures that involve SolarWinds’ Orion products—at least versions 2019.4 through 2020.2.1 HF1—since they are “currently being exploited by malicious actors” and pose “an unacceptable risk to Federal Civilian Executive Branch.”
The agency added that all affected entities “should expect further communications from CISA and await guidance” as well as block all traffic to external hosts that have any version of SolarWinds’ Orion software installed.