A supply chain hack of SolarWinds's Orion network monitoring service "genuinely impacted" systems of around 50 organizations, FireEye CEO Kevin Mandia said.
The hack, thought to be by Russian agents, compromised a number of US government agencies. Several high-profile tech companies were also victims, although it is not clear how badly each company was compromised.
"This latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms," Microsoft president Brad Smith said.
"We should all be prepared for stories about additional victims in the public sector and other enterprises and organizations."
The big hack
Microsoft identified 40 affected organizations, most in the US, but also in Canada and Mexico in North America; Belgium, Spain and the United Kingdom in Europe; and Israel and the UAE in the Middle East.
"It’s certain that the number and location of victims will keep growing," Smith said in a blog post, with some 17,000 organizations having installed the malicious update. Soon after the post was published, Microsoft itself was found to have been impacted by the update attack, dubbed Solorigate.
"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," the company said in a statement. "We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
An investigation by the Wall Street Journal found that Cisco Systems, Intel, Nvidia, VMware, and Belkin were among the two dozen businesses it could prove had installed the malicious updates that let hackers in.
Intel downloaded and installed the updates, but said that it had found no evidence the hackers used the backdoor to access the company’s network. Nvidia gave a similar statement.
Cisco said that it found the software on some employee systems and laboratory systems, but had yet to find any proof of impact.
VMware admitted to limited instances of the software on its systems, but added that an "internal investigation has not revealed any indication of exploitation."
Belkin said it removed the backdoor as soon as it was alerted to it, and had no proof of negative impact.
Several government agencies are thought to have been caught up in the SolarWinds hack. Notably, internal email traffic at the Treasury and Commerce departments is believed to have been monitored. The State Department and Department of Homeland Security were also compromised.
Equally concerning is that the Department of Energy was affected. "The investigation is ongoing and the response to this incident is happening in real time," DOE spokesperson Shaylyn Hynes said.
"At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission-essential national security functions of the Department, including the National Nuclear Security Administration (NNSA)."
The political reaction to the wide-ranging hack has so far been muted at best.
President Trump said that "The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)." Note: In reality, media organizations regularly cover suspected Chinese state-backed hacks, including 2018's Cloudhopper campaign.
President-elect Joe Biden, however, said that the attack "certainly fits Russia’s long history of reckless disruptive cyber-activities," criticized the President's reaction, and said that "his failure will land on my doorstep."
Biden stopped short of detailing what action he would take to shore up the nation's defenses, and did not say whether he planned retaliatory action.