One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign have been taken off the internet, RiskRecon reports.

Orion is one of several platforms used in a broad espionage campaign widely believed to be orchestrated by Russian intelligence discovered last year, ensnaring government agencies, security companies, and others.

"I'm impressed with the response. You know, if you look globally. A 25% reduction in the number of instances of SolarWinds Orion operating on the internet is a material change," said Kelly White, RiskRecon CEO.

Removing an Orion server from the internet could mean different things to different companies. Some will have brought the servers inside of a firewall. Others may have found a replacement for SolarWinds. Yet others may have mothballed the servers during remediation. In December, the Department of Homeland Security ordered federal Orion servers to be disconnected or powered down as it cleaned up government networks.

A BitSight report a week after FireEye disclosed the SolarWinds breaches determined 8% of Orion systems had been taken offline at that time.

RiskRecon arrived at the 25% number through internet scans on Dec. 12 and Feb. 1.

"In most cases, we're able to trace these down to the actual companies that are operating these unsafe systems on the internet," said White. "Many of these companies are household names. Fortune 500 companies. Power grid operators. They're important research universities, government agencies still online two months into this threat."

According to the RiskRecon report, 4% of the Orion servers still online are running the SUNBURST malicious code that launched so many investigations.

RiskRecon runs external security scans to aid customers in selecting third party vendors. In the same study, RiskRecon reports that vendors to RiskRecon customers took 59% of their internet exposed Orion servers offline – roughly twice the rate of the world as a whole. White attributes this to the threat of customer oversight, though it could also mean that companies predisposed to score well on security scans are also predisposed to take these kinds of security measures.

Given the mainstream publicity of the SolarWinds-based breaches, White said this may be the best-case scenario for how companies would respond to a massive security event right now.

"The positive story is that we saw 25% of the company's overall take the Orion software down," he said. "But the downside is is that 75% of the companies are still remaining," he said.