SolarWinds hack may have been much wider than first thought

Early warning systems appear to have failed.

REUTERS/Sergio Flores

The scope of the SolarWinds hack keeps growing. The New York Times has conducted interviews indicating that the allegedly Russia-backed campaign was much further-reaching than initially believed. Where the intruders allegedly scouted ‘just’ a few dozen government and corporate networks, it now looks like up to 250 networks fell victim to the hack. The perpetrators took advantage of multiple supply chain layers, according to the report.

There also appear to have been multiple failures in defense. Cyber Command and the NSA reportedly planted early warning systems in foreign networks to detect attacks, but those appear to have failed. The hacking team also appears to have orchestrated the attack from inside the US to take advantage of legal restrictions against domestic spying. There are concerns the focus on ensuring 2020 election security might have drawn efforts away from protecting the software supply chain.

The location of the hacking itself may have played a role as well. Investigators are determining whether or not the hack breached SolarWinds’ offices in eastern European countries like Belarus, the Czech Republic and Poland. Engineers there had wide access to the Orion network software compromised in the hack, and Russia would have more familiarity with the region.

The Times also claims that SolarWinds was slow to address security, taking on security execs in 2017 in response to EU privacy law and reportedly ignoring adviser Ian Thorton-Trump’s calls for “more proactive” internal safeguards. Thorton-Trump left the company in frustration with the unresponsiveness to his concerns.

SolarWinds has declined to comment on questions about its security, instead reiterating that it was the target of a “highly sophisticated, complex and targeted cyberattack.”

The full extent of the damage isn’t certain, although it’s already clear that the culprits accessed Microsoft source code and attacked security firm CrowdStrike (albeit unsuccessfully) on top of federal agencies and other victims. It could be months or more before it’s clear just how the hack took place and, more importantly, what damage was done.