On Sunday, IT company SolarWinds reported that one of its network managing products was compromised in a “highly-sophisticated, targeted and manual supply chain attack by a nation state.” Further reporting from Reuters revealed that hackers believed to be working for Russia have been monitoring communications at the U.S. Treasury and Commerce Departments, two government agencies that use SolarWinds’ Orion suite of network managing software.
Also, the Cybersecurity and Infrastructure Agency (CISA) issued an emergency directive calling on all federal civilian agencies to review their networks for indicators of compromise and shut down all SolarWinds Orion products immediately.
As this story developed, rumors began spreading that Dominion Voting Systems, the voting machine manufacturer assailed by allegations of election tampering made by President Donald Trump and his allies, uses SolarWinds software and may have been compromised in the same cyberattack that targeted federal agencies.
Those rumors are unproven and Dominion Voting Systems has made a public statement claiming it has never used the compromised SolarWinds Orion Platform.
SolarWinds is a software developer that helps businesses manage their networks, systems, and technology infrastructure. The company also serves government agencies in the executive branch, the military, and intelligence services, according to Reuters.
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” SolarWinds President and CEO Kevin Thompson said in an email statement. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state.”
U.S. government officials reportedly believe Russia is behind the hacking attack, which according to Reuters was so serious that the National Security Council met at the White House to discuss the matter. Publicly, the government has only confirmed that the Treasury and Commerce Departments were breached and has not yet officially blamed Russia.
Sources that spoke to Reuters said Russian hackers infiltrated SolarWinds’ Orion platform and through it were able to monitor internal email traffic at the compromised federal agencies.
The Russian foreign ministry on social media accused the U.S. media of making unfounded allegations blaming Russia for cyberattacks on U.S. agencies.
Following reports of the compromised systems, CISA issued an emergency directive ordering federal agencies that use SolarWinds Orion products to immediately disconnect or power down computers with that software installed.
“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed,” CISA advised.
CISA Acting Director Brandon Wales also encouraged businesses in the private sector that use the Orion platform to assess their network security.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” explained Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners — in the public and private sectors — to assess their exposure to this compromise and to secure their networks against any exploitation.”
SolarWinds’ website proudly proclaims that the company services most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of the President of the United States, Reuters reports.
The discovery of the attack on SolarWinds’ Orion products came just days after the cybersecurity firm FireEye announced it had been the target of a cyberattack. In fact, FireEye stumbled across the compromised SolarWinds while investigating the attack on its own firm.
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.
U.S. officials speaking to Reuters anonymously also indicated that the cyberattack may be much bigger than currently known.
“This is a much bigger story than one single agency,” said one of Reuters’ sources. “This is a huge cyber espionage campaign targeting the U.S. government and its interests.”
The Dominion Voting Systems rumors
Shortly after the news of the hacking attack on SolarWinds’ Orion Platform broke, claims that Dominion Voting Systems used SolarWinds products and had not yet powered down those products began circulating on social media.
Ron Watkins, a former administrator on the message board website 8chan, shared a screenshot of a mobile login portal purportedly belonging to Dominion Voting Systems that appears to run on SolarWinds software.
Dominion Voting Systems uses SolarWinds products and it is still not powered down.
— Ron (@CodeMonkeyZ) December 14, 2020
While the screenshot, which shows a still active page, indicates that Dominion did use some SolarWinds product, it was not clear whether Dominion used the Orion product, which was the specific SolarWinds software that was compromised.
Journalist Kim Zetter highlighted a thread on Twitter that explains Dominion does in fact use a SolarWinds product, but it’s a different product from the compromised Orion software.
To everyone who sent me screenshot of Dominion Voting Systems web site saying it's proof Dominion was using SolarWinds softwr and was hacked. Dominion was using an FTP software from SolarWinds, not Orion software that was compromised. Pls don't @ me until you read entire thread https://t.co/mI6AwTkVDD
— Kim Zetter (@KimZetter) December 15, 2020
In a statement made to the Daily Dot, Dominion said that it has never used the Orion software that hackers maliciously tampered with to gain access to federal agencies.
“Dominion Voting Systems does not now — nor has it ever — used the SolarWinds Orion Platform, which was subject of the DHS emergency directive dated December 12, 2020,” a spokesperson for Dominion said.
TheBlaze reached out to Dominion Voting Systems for additional comment but the company did not respond.