An attack on the Austin-based software company—believed to have originated with Russia’s foreign intelligence service—appears to be at the root of recently disclosed cyber security issues at security-software firm FireEye and a range of U.S. government agencies.
Last week, FireEye disclosed that it had suffered a significant cyber attack, one it blamed on “a state-sponsored” group. Over the weekend, it emerged that the core issue was a malware-infected update to SolarWinds Orion, the company’s IT management software, which is used by FireEye.
The SolarWinds (ticker: SWI) attack also appears linked to attacks on multiple U.S. government agencies, including the departments of Treasury and Commerce, which have suffered computer-system breaches. The Wall Street Journal and other publications have reported that Russia’s foreign-intelligence service is believed to be behind the attack.
In a blog post Sunday night, FireEye (FEYE) said the SolarWinds issue is affecting many computer systems worldwide, and that victims have included “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.” The company said it anticipated that “there are additional victims in other countries and verticals.”
FireEye said that what it described as a “global intrusion campaign” originated with SolarWinds Orion, that company’s core software product.
“FireEye has uncovered a widespread campaign,” the company said. “The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via ‘trojanized’ updates to SolarWind’s Orion IT monitoring and management software.”
The campaign, which may have begun as early as this spring, is continuing, it said.
“Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
On Sunday, SolarWinds issued a security advisory, saying “we have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
In a filing with the Securities and Exchange Commission, SolarWinds added that the attack “could potentially allow an attacker to compromise the server on which the Orion products run.”
SolarWinds said further that it “has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but [that] SolarWinds has not independently verified the identity of the attacker.”
The company said in the filing that it has retained third-party cybersecurity experts to help with its investigation, “including whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems,” and to work on developing mitigation and remediation plans.
SolarWinds said it is cooperating with the Federal Bureau of Investigation, the U.S. intelligence community, and other government agencies as they investigate the matter.
SolarWinds noted in the SEC filing that while it has more than 300,000 customers, it believes fewer than 18,000 installed an update that contained the malware.
For the nine months that ended in September, the company had about $343 million in revenue from its Orion products, accounting for about 45% of total revenue, it said.
SolarWinds stock was down 15.6% to $19.87 near midday on Monday. FireEye shares were up 0.7% to $13.92.
Corrections & Amplifications
The cyber attack on FireEye originated with an attack on the SolarWinds Orion IT management software. The original version of this article incorrectly said FireEye was the original source of the issue.
Write to Eric J. Savitz at [email protected]