
Internet-exposed Orion servers drop 25% since SolarWinds breaches announced


One in four SolarWinds Orion servers exposed to the internet at the time of an era-defining espionage campaign have been taken off the internet, RiskRecon reports.

Orion is one of several platforms used in a broad espionage campaign widely believed to be orchestrated by Russian intelligence discovered last year, ensnaring government agencies, security companies, and others.

"I'm impressed with the response. You know, if you look globally, a 25% reduction in the number of instances of SolarWinds Orion operating on the internet is a material change," said Kelly White, RiskRecon CEO.

Removing an Orion server from the internet could mean different things at different companies. Some will have moved the servers behind a firewall. Others may have found a replacement for SolarWinds. Still others may have mothballed the servers during remediation. In December, the Department of Homeland Security ordered federal Orion servers to be disconnected or powered down as it cleaned up government networks.

A BitSight report a week after FireEye disclosed the SolarWinds breaches determined 8% of Orion systems had been taken offline at that time.

RiskRecon arrived at the 25% number through internet scans on Dec. 12 and Feb. 1.

"In most cases, we're able to trace these down to the actual companies that are operating these unsafe systems on the internet," said White. "Many of these companies are household names. Fortune 500 companies. Power grid operators. They're important research universities, government agencies still online two months into this threat."

According to the RiskRecon report, 4% of the Orion servers still online are running the SUNBURST malicious code that launched so many investigations.

RiskRecon runs external security scans to help customers vet third-party vendors. In the same study, RiskRecon reports that vendors to RiskRecon customers took 59% of their internet-exposed Orion servers offline – roughly twice the rate of the world as a whole. White attributes this to the threat of customer oversight, though it could also mean that companies predisposed to score well on security scans are also predisposed to take these kinds of security measures.

Given the mainstream publicity of the SolarWinds-based breaches, White said this may be the best-case scenario for how companies would respond to a massive security event right now.

"The positive story is that we saw 25% of the companies overall take the Orion software down," he said. "But the downside is that 75% of the companies are still remaining."

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.
