SolarWinds Stock Sinks After Massive Government Hack

Tyler Durden
Mon, 12/14/2020 – 09:36

Shares of Texas-based IT infrastructure provider SolarWinds dropped over 15% Monday morning, after state-sponsored hackers reportedly working for Russia targeted the US Treasury, the Commerce Department’s National Telecommunications and Information Administration (NTIA) and other government agencies in a widespread cyberespionage campaign.

According to unnamed sources in the Washington Post, the hack was conducted by ‘Cozy Bear,’ or APT29, a Russian group believed to have breached cybersecurity firm FireEye several days prior – making off with the company’s “Red Team” penetration testing tools.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said US Cybersecurity and Infrastructure Security Agency (CISA) acting director, Brandon Wales. The agency has issued an emergency directive to federal and civilian agencies to review their networks for suspicious activity and to disconnect or power down SolarWinds Orion products immediately, according to TheHackerNews.

SolarWinds’ networking and security products are used by more than 300,000 customers worldwide, including Fortune 500 companies, government agencies, and education institutions.

It also serves several major US telecommunications companies, all five branches of the US Military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

FireEye, which is tracking the ongoing intrusion campaign under the moniker “UNC2452,” said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates in order to distribute a backdoor called SUNBURST.

“This campaign may have begun as early as Spring 2020 and is currently ongoing,” FireEye said in a Sunday analysis. “Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.” –TheHackerNews

Screenshot via TheHackerNews.com

“A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate,” said Microsoft, which corroborated the SolarWinds findings in a separate analysis, adding that “The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.”

Read more about the hack here.


via ZeroHedge News https://ift.tt/2WchahB Tyler Durden
