But the malicious hackers were well prepared, casing the place before they attacked.

Edward Gately, Senior News Editor

May 10, 2021

3 Min Read
threat actor

The number of SolarWinds customers targeted and impacted by last year’s massive hack is far less than previously reported.

That’s according to Sudhakar Ramakrishna, SolarWinds’ president and CEO. In a blog, he said his company is close to completing its investigation of the hack.

Early on, SolarWinds reported up to 18,000 customers could have been vulnerable to Sunburst. That’s the malicious code used by the cyberattackers. It now says fewer than 100 SolarWinds customers were hacked through Sunburst.


SolarWinds’ Sudhakar Ramakrishna

“Based on our investigations and conversations with our customers, we believe the number of customers targeted and impacted by the Sunburst malicious code is significantly fewer than the number of potentially vulnerable customers,” Ramakrishna said. “This information is consistent with estimates provided by U.S. government entities and other researchers, and consistent with the presumption the attack was highly targeted.”

New Findings

During its investigation, SolarWinds also discovered the following:

  • The threat actor did not modify its source code repository.

  • The threat actor did a test run of its ability to inject code into Orion software in October 2019. That was months before initiating the actual Sunburst injection into Orion released between March and June 2020.

  • SolarWinds has not identified Sunburst in any of its more than 70 non-Orion platform products and tools, including those of its N-able business.

“While we don’t know precisely when or how the threat actor first gained access to our environment, our investigations have uncovered evidence that the threat actor compromised credentials, and conducted research and surveillance in furtherance of its objectives through persistent access to our software development environment and internal systems, including our Microsoft Office 365 environment, for at least nine months prior to initiating the test run in October 2019,” Ramakrishna said. “Based on our learnings, while unfortunate, it’s not uncommon for threat actors to be in target environments for several months to years. This further reinforces the need for transparency and collaboration, so we can all benefit from one another’s shared experiences and knowledge.”

SolarWinds said the three most likely candidates for initial entry include zero-day vulnerability in a third-party application or device; brute-force, such as a password spray attack; or social engineering, such as a targeted phishing attack.

Information Exfiltration

SolarWinds also believes the malicious hacker took certain information as part of its research and surveillance. This evidence includes the following:

  • The threat actor created and moved files containing source code for both Orion and non-Orion products; however, SolarWinds can’t determine the actual contents of those files.

  • The black hat also created and moved additional files. That includes a file that may have contained data supporting its customer portal application. The information included in SolarWinds’ customer portal databases does not contain highly sensitive personal information; however, it does contain other information such as customer name, email addresses, billing addresses, encrypted portal login credentials and more.

  • The attacker accessed email accounts of certain personnel. Some contained information related to current or former employees and customers.

“Armed with what we’ve learned about this attack, we’re focused on becoming an industry leader in protecting our software development from cyber intrusions,” Ramakrishna said. “We’re working with industry experts to implement enhanced security practices designed to further strengthen and protect our products and environment against these and other types of attacks in the future.”

Read more about:


About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.

Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like