SolarWinds Orion platform played a central role in the nation-state attack that hacked into the systems of at least two major federal agencies and forced thousands of companies to take defensive countermeasures to assess the full impact of the incident and protect sensitive information, according to industry analysts.
Following disclosure of the attack on Sunday via a blog post, SolarWinds is in recovery mode.
SolarWinds has contacted about 33,000 Orion customers who were "active maintenance customers" during the months when the vulnerability was inserted into product updates, according to the company. It believes that fewer than 18,000 customers are impacted by the vulnerability. SolarWinds has made a hotfix available to customers and is making a second hotfix available Tuesday, according to an 8-K filing with the Securities and Exchange Commission.
The attack has raised a number of questions about whether the U.S. was fully prepared to counter an attack that essentially used some of the nation's best cybersecurity tools against the federal government and private industry.
The SolarWinds vulnerability allowed the attacker to compromise the servers the Orion products ran on, according to the filing. The company has retained third-party cybersecurity experts to investigate the attack and is cooperating with the FBI, the U.S. intelligence community and other government agencies.
SolarWinds uses Microsoft Office 365 and was told an attack vector used to compromise its emails may have provided access to other data contained in its office productivity tools, according to the filing. Microsoft on Sunday issued a blog post with guidance for customers on how to mitigate the attack.
Who was impacted
SolarWinds is still investigating whether — and to what extent — the vulnerability was involved in the widely reported attacks on U.S. government agencies and other companies, including the U.S. Department of Commerce and Department of Treasury.
Based on the maturity of the attackers and the length of time they have had access to the data, the potential amount and type of data exfiltrated from the government is serious, according to Jeff Pollard, VP and principal analyst at Forrester Research.
"Consider that the Treasury [Department] administered SBA loans during the pandemic for example, and the Internal Revenue Service is also a bureau within the Treasury [Department], which would include tons of PII for U.S. citizens," he said via email. "The scope could be devastating."
Some experts have feared such an attack — particularly after the 2015 Office of Personnel Management breach — and this new incident is an overdue wake-up call for the industry, according to Neil Daswani, co-director of Stanford University's Advance Security Program.
"For a long time there's been a concern in the security field that if security products wind up being part of the supply chain that gets hacked, the ramifications could be significant," Daswani said.
In the cyber insurance field, there's been a concern about systemic risk; if a security-related firm is attacked and there are tens of thousands of companies using that product, it could lead to a much larger breach down the road, according to Daswani.
Orion's broad impact
SolarWinds has more than 300,000 customers. However, total revenue from its Orion products for the nine months ended Sept. 30 was $343 million, representing 45% of total revenue, according to the filing.
SolarWinds Orion is one of the most widely used IT monitoring platforms in the world, according to Josh Chessman, senior director of the IT Operations Management group at Gartner.
While the product is used by most of the Fortune 500, Chessman said it is often used by small- to medium-sized firms. When a large multinational uses it, Orion tends to be deployed within certain geographic areas or business units rather than enterprise-wide.
"SolarWinds' business model is generally focused on the small to medium business — they make it very easy to go to the SolarWinds website, punch in a corporate credit card number, get your license and be up and running," Chessman said. "Large organizations do not tend to buy that way."
Companies often start small with SolarWinds but either migrate away from the product or supplement it with another monitoring product as the need to scale grows, according to Chessman. The company has many competitors, but none with a customer base of a similar size.
In part, SolarWinds' large presence in the market is because Orion encompasses a wide variety of monitoring tools, including network and application performance monitoring, network configuration management, web performance monitoring, patch management and other functions.
"SolarWinds is used extensively to manage business systems and devices," said Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. "It's designed to make the system administrator's job easier."
The functionality of the Orion platform makes it and other software in the same space the perfect attack vehicle for an actor with bad intentions because it's used by thousands of businesses and government agencies of various sizes, according to Bocek.
The breach shows businesses need to invest in comprehensive machine identity management programs, he said.
"Without this, the systems we use to protect our business are ripe for attack," Bocek said. "The only way to protect ourselves in a perimeter-less world is to ensure that every piece of software that is used — on a device, network or cloud — must have a unique identity."