NYT: At least 250 government agencies and companies affected by SolarWinds hack

The New York Times reports that “at least 250 companies and government agencies” were affected by the SolarWinds hack that came to light in December. The newspaper bases that number on conversations it has had with key figures investigating the hack.

The numbers come from Microsoft and Amazon, among others. Early estimates were that only “a few dozen” of networks had penetrated, but that now seems far from the case. The paper also states that it used US servers to coordinate their attacks because the US NSA is officially prohibited from conducting surveillance within its own borders. The emphasis on security in the US presidential election was also used to target other targets.

SolarWinds, the Texas company that supplied the hacked Orion network management software, has a “history of disappointing security updates,” according to the American daily. The company is said to have cut back on security to increase its profit margin. In this context, part of the software development would also have been outsourced to countries in Eastern Europe, where the initial intrusion may have taken place. The paper’s reasoning is that the Russian secret services are more deeply rooted there. It is not certain that the Russian state or a Russian party is behind the hack.

The hack on SolarWinds and its widely used Orion network management software came to light in December when security company FireEye sounded the alarm. The US authorities had not yet figured out the supply chain attack until then. Among the affected companies is Microsoft; the company says some of its source codes have been accessed, but only with read access, and it’s unclear if the code was exported. Cisco, Belkin, VMware and Intel were also affected by the hack.

The Wayback Machine shows who else could count on SolarWinds as a customer: ‘More than 425’ of the 500 most influential companies in America, the ten largest telecom providers in America, the five branches of the American military, the five largest accountancy companies, hundreds of universities and colleges worldwide, NASA and many US government agencies. Being a customer does not mean that an instance is really affected: it must then run a vulnerable version of Orion and that must also be exploited.