SolarWinds: Sunburst backdoor victim count is less than one hundred

The number of SolarWinds users infected in last year’s supply chain attack is less than a hundred. SolarWinds has nearly completed its investigation of the Sunburst backdoor and says the number of customers affected is much lower than expected.

SolarWinds says the actual number of victims of the Sunburst malware is “less than a hundred.” The company has investigated Sunburst, the backdoor found in SolarWinds’ Orion software in December. At that time it emerged that hackers had infected an update for the software with malware that established a connection to a command-and-control server. Initially, SolarWinds itself and others said that 18,000 customers were potentially exposed to the backdoor. That figure was based on the number of customers who had downloaded the infected update.

SolarWinds now qualifies that number. According to the company, some of the customers who downloaded the update never installed it. Others ran the update on servers that had no internet access, so the backdoor could not be used on them.

SolarWinds does not know how many customers have downloaded the infected update. The company says its estimate is based on DNS data. Based on this ‘statistical analysis’, the company claims that ‘less than a hundred customers’ made contact with the C&C server. SolarWinds emphasizes that the US authorities and external researchers arrived at the same number. Those customers included big names: Malwarebytes and Microsoft, among others, said that the hackers had access to their systems. The hackers also struck US ministries, government agencies and universities.

The investigation also revealed that the source code of the company’s software was not modified; instead, the backdoor was inserted via Orion Platform’s automated build software. The hackers reportedly carried out a test as early as October 2019 to include malware in the update. The malware was eventually shipped in the Orion update between March and June 2020.