SolarWinds says fewer than 18,000 customers installed malware-laced Orion software update that led to US Treasury hack

Update to remove malware planned for release today

Software provider SolarWinds stated on Monday that fewer than 18,000 of its customers are thought to have downloaded a compromised software update, which enabled a nation-state hacker group to breach the computer networks of the US Treasury Department and other federal agencies.

In its SEC filing on Monday, SolarWinds said that it believed that an "outside nation state" was behind the cyber campaign, in which hackers breached the company's network and inserted malicious code into the updates of its Orion network management software issued between March and June of this year.

Orion is a software application used by thousands of organisations and businesses for IT inventory management and monitoring.

According to Reuters, SolarWinds claims it has over 300,000 customers worldwide, but only 33,000 of them have been using Orion software. Moreover, the company said that out of 33,000 Orion users, fewer than 18,000 are believed to have installed the malware-laced update.

The software firm said that it has notified all its 33,000 Orion customers, and plans to release an Orion update today to enable customers to remove any traces of the malware from their systems.

"A hotfix release, SolarWinds® Orion® Platform 2020.2.1 HF 2 is anticipated to be made available on Tuesday, December 15, 2020," it said.

"We recommend that all customers update to release 2020.2.1 HF 2 once it is available, as the 2020.2.1 HF 2 release both replaces the compromised component and provides several additional security enhancements."

The firm said it was not aware of security bugs in any of its other software products.

The US Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency warning on Monday, directing all federal civilian agencies using SolarWinds Orion software to disconnect and disable the application to prevent hackers from launching cyber attacks. CISA also advised users to "review their networks for indicators of compromise."

The security breach at SolarWinds is one of the most significant cyber attacks in recent years, according to cyber security experts.

It was disclosed on Sunday after Reuters, the Washington Post, the Wall Street Journal and other news outlets published stories on cyber intrusions at the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA).

The Washington Post claimed that multiple federal agencies were impacted in this cyber espionage campaign.

On Sunday, the US government confirmed media reports that hackers backed by a foreign government were able to breach the computer networks of the US Treasury Department and an agency within the Commerce Department.

"The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation," National Security Council (NSC) spokesman John Ullyot said.

Media reports claimed that hackers behind these attacks had unrestricted access to internal email systems of many federal agencies. The hack involved Microsoft's Office 365 and the NTIA's office software, and enabled hackers to monitor staff emails for many months.

The FBI is currently investigating the possible role of the advanced persistent threat (APT) group Cozy Bear, which is said to work for the Russian Foreign Intelligence Service (SVR), in the attack.