Enterprise IT Company SolarWinds Discloses What Could Be the Largest Data Breach in History

Over the weekend SolarWinds, a company that makes management and monitoring software for corporate IT networks (not to be confused with the 1993 computer game of the same name, which I loved), disclosed what could be the largest single data breach in history. SolarWinds’ Orion product, a software platform for monitoring servers and workstations, had a security vulnerability that has been exploited.

SolarWinds disclosed that the compromise dates back to March 2020, and the malicious code is believed to have been included in Orion software updates released between March and June 2020. This means that every company that updated Orion during that window installed the compromised version of the software.

This is a huge deal because SolarWinds is a very large enterprise-level company. Many outside the corporate IT sphere have likely not heard of SolarWinds, but the company has about 300,000 customers, including most of the Fortune 500 and most departments of the United States government. Orion itself has about 30,000 customers, and the company believes as many as 18,000 of them installed a compromised version.

Not all of those 18,000 compromised installs have actually resulted in data breaches. Once a compromised version is installed, a bad actor still has to actually exploit the vulnerability and install the malware that harvests data from the Orion monitoring system. ZDNet is reporting that IT administrators are finding evidence of the compromised version in their Orion installs, but very few seem to have actually been hit with the secondary payload, or at least are not disclosing that they have been.

The likely reason is that whoever is behind this breach is targeting specific customers. Companies like Lockheed Martin and PricewaterhouseCoopers use Orion, as do the US Federal Reserve, the Department of Defense, and the State Department.

This is a massive breach because, by its nature, Orion is monitoring software that can be configured to monitor all data and traffic on a corporate IT network. I have personal experience with Orion, and it is a powerful tool that can be configured to monitor network traffic in enough detail to track individual emails. It is used by the biggest organizations because of how detailed it can be, which means that any bad actor who can get into it also, in theory, has access to all of that data.

The primary attack vector seems to be attackers using the Orion vulnerability to gain administrator access to one account, which let them create other administrative accounts that they could then use to take control of the network.
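The account-creation pattern described above leaves a trail in Windows Security event logs, and a defender can check for it. The following is an added example, not code from the original post or from SolarWinds; it assumes a simplified, constructed log line format standing in for events 4720 (user account created) and 4732 (member added to a security-enabled local group), and every account, actor and timestamp in the sample is made up.

```python
from datetime import datetime, timedelta

# Constructed sample events, one per line: timestamp|event id|actor|target|group.
# Event 4720 = user account created; 4732 = member added to a security-enabled
# local group. Account and group names are made up for this example.
SAMPLE_EVENTS = """\
2020-06-01T02:14:05|4720|svc_orion|backup_adm|
2020-06-01T02:14:41|4732|svc_orion|backup_adm|Administrators
2020-06-01T09:30:12|4720|hr_admin|jsmith|
2020-06-01T09:31:00|4732|hr_admin|jsmith|Remote Desktop Users
2020-06-02T11:02:55|4720|svc_orion|patchsvc|
2020-06-03T11:05:10|4732|svc_orion|patchsvc|Administrators
"""

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

def parse_event(line):
    ts, event_id, actor, target, group = line.split("|")
    return datetime.fromisoformat(ts), int(event_id), actor, target, group

def find_suspicious_admin_creation(log_text, window=timedelta(minutes=30)):
    """Return (actor, new_account, group) for every account that the same actor
    both created and added to a privileged group within `window`."""
    created = {}   # new account -> (creation time, creating actor)
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event_id, actor, target, group = parse_event(line)
        if event_id == 4720:
            created[target] = (ts, actor)
        elif event_id == 4732 and group in PRIVILEGED_GROUPS and target in created:
            created_ts, creator = created[target]
            # Same actor, creation followed quickly by elevation: flag it.
            if creator == actor and ts - created_ts <= window:
                findings.append((actor, target, group))
    return findings

if __name__ == "__main__":
    for actor, account, group in find_suspicious_admin_creation(SAMPLE_EVENTS):
        print(f"ALERT: {actor} created {account} and added it to {group}")
```

In the sample only backup_adm is flagged: jsmith was added to a non-privileged group, and patchsvc was elevated two days after creation, outside the default window.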

It is being reported that the US Commerce Department has confirmed it was breached, with the attackers accessing internal email traffic in the department. The US National Telecommunications and Information Administration had its Office 365 authentication compromised via Orion, giving the attackers the ability to access that platform, which could include data and email. Other entities believed to have been breached include other government departments and technology, telecom, and other large companies across North America, Europe, and the Middle East, though few are currently admitting any breach.

The US Cybersecurity and Infrastructure Security Agency (CISA) has provided guidance that any host (the term used for a server or computer being monitored by Orion) that communicated with a compromised version of Orion should itself be considered compromised. This means that tens of thousands of hosts around the world will likely have to be checked for signs of a data breach.

Mitigations are now in place for the compromised versions of Orion. SolarWinds has released a new version of the software that closes the vulnerability, and Microsoft and other vendors have released patches and scanning tools to find and close the hole. It is currently recommended that any organization with a compromised version of Orion in operation literally turn it off until updates and mitigations can be applied.

This is unprecedented, and I do believe it will go down as the most significant disclosed data breach ever at this point in history. Even a data breach of a single US government department would be a huge deal, and there is potential that most of them have been compromised. Several large military contractors may also have been compromised, as well as other large companies around the world.

This is going to be a story that unfolds over months or years, and I’m going to be following it very closely.