The latest espionage attack on the U.S. government is not limited to the Treasury and Commerce departments. Judging by the agencies that use the software that served as a launchpad for the hacks, the breach could go right to the heart of America’s national security apparatus.
Hackers managed to hide malicious code in a software update for a tool called SolarWinds Orion. Orion is typically used to make IT simpler by providing a single panel for administering various parts of a network. Earlier this year, hackers believed to be sponsored by the Russian government managed to inject malware into Orion updates released between March 2020 and June 2020. According to Reuters, which broke the news Sunday, that gave the snoops a foothold in customer networks and the ability, at the very least, to spy on emails.
According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users. The Department of Veterans Affairs, which is heavily involved in the U.S. response to Covid-19, is another Orion fan and the biggest spender on the tool in recent years. In August, it renewed its Orion license in a $2.8 million order. The National Institutes of Health, DHS and the FBI are also amongst the many branches of the U.S. government that have previously bought the tool.
Though it’s not clear whether it uses the Orion tool, the DHS’s own Cybersecurity and Infrastructure Security Agency (CISA) is a SolarWinds customer too, buying $45,000-worth of licenses in 2019. The U.S. Cyber Command also spent over $12,000 on SolarWinds tools in the same year.
SolarWinds, a publicly-listed Austin, Texas-based company with a value of over $6 billion, has its own customer list, though it doesn’t break down which products clients use. That list includes more than 425 of the Fortune 500, all major US telecoms providers, the top five U.S. accounting firms, hundreds of global universities, the NSA and the White House.
The immediate impact will be operational. CISA has recommended government civilian agencies stop using SolarWinds Orion. “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA acting director Brandon Wales. “We urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”