Breach, Data Security, Threat Management

‘Very, very large’ telecom organization and Fortune 500 company breached in SolarWinds hack

A “very, very large” telecommunications organization, a Fortune 500 company, and multiple government agencies are among the thus far unreported breaches to emerge as a result of the SolarWinds supply chain hack, confirmed a researcher supporting both public and private sector entities in recovery from the devastating attack.

This latest information comes a day after Microsoft confirmed that it notified more than 40 customers of breaches identified off telemetry from its Defender antivirus software.

“There’s a very, very large telecom organization that will have to put its hand up fairly soon, and there’s a very, very large Fortune 500 that will have to put its hand up pretty soon,” said Chris Roberts, virtual CISO and advisor to a number of companies and agencies as part of the HillBilly Hit Squad group of cybersecurity researchers. “From the government agency standpoint, there’s a few of those out there that will have to put their hand up and say, ‘yah we got hit.’”

https://youtu.be/CY7R5BQfTOI

Roberts, who is the former chief security strategist at Attivo Networks, spoke to SC Media as part of a virtual conference taking place Jan. 26-27, focusing on the tactics of state-sponsored hackers.

The department of Homeland Security, Energy, and Treasury, and FireEye are among the other notable victims affected by the supply chain attack on SolarWinds network monitoring software. SolarWinds estimates that between last March and June, roughly 18,000 user organizations downloaded updates of its Orion software that Russian APT actors allegedly corrupted with Sunburst backdoor malware.

Roberts did not reveal which telecom organization, Fortune 500 company or government agencies are the latest to fall victim to the breach. He did emphasize, however, the significance of the combination of targets.

“You need to take a step back and go 'hang on, we’re looking at attacks against the backbone of the architecture,'” of the nation's most critical infrastructure and assets, he said. With that in mind, "can I trust the technology sitting in front of me?”

Indeed, agencies shut down a number of "very secure communications," unable to know for certain that associated systems were not compromised, Roberts said. And while Microsoft said in its own announcement about the breach that researchers “have not found evidence of access to production services or customer data,” Roberts said much is still unknown. As he put it, "how many millions of lines of code will Microsoft have to go through to go from ‘we don’t think' to 'we know?’” He credited both Microsoft and FireEye, which was the first to reveal evidence of a breach, for transparency and efforts to distribute intelligence about the attack.

Click here to register for the SC Media Virtual Conference, Knowing your adversary: Mapping cyber kill chain indicators to security tactics

Vendors may ultimately need to take down portions of services to identify vulnerabilities. Roberts estimates that the malware has been installed on networks a year or longer, and "until you literally start ripping the code to pieces, you don't know how far down this rabbit hole" companies and agencies will need to travel to figure out what's infiltrated.

"We've got to look in the mirror, we really have to go look in the mirror and ask, 'why didn't we see it? We have multi-billion dollar systems in place that should detect this," Roberts said.

Jill Aitoro

Jill Aitoro leads editorial for SC Media, and content strategy for parent company CyberRisk Alliance. She 20 years of experience editing and reporting on technology, business and policy.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.