by Marc Ferranti

Victims of SolarWinds attack include organisations in the UAE, Israel

Dec 19, 2020

Microsoft has located victims of the breach in North America, Europe and the Middle East.

Credit: Solarseven / Getty Images

Victims of the SolarWinds breach include organisations in the UAE and Israel in addition to entities in North America and Europe, according to Microsoft.

More than 40 Microsoft customers that use the SolarWinds Orion network and applications monitoring platform have been compromised, according to a blog post by Microsoft President Brad Smith. Microsoft detected the breach based on telemetry from its Defender security software, among customers that use that product as well as the Orion platform, Smith said.

While 80 percent of those customers are in the US, others are located in Canada, Mexico, Belgium, Spain and the UK, in addition to the UAE and Israel, according to Smith.

Microsoft said, however, that it found no evidence of access to its own production services, and no indication that its systems were used to attack others.

Though Smith did not identify any of the customers, he said that the list of victims discovered so far includes government entities, technology and security companies, and NGOs (nongovernmental organisations).

A hacker group widely believed to be Cozy Bear, affiliated with the Russian government, gained access to the Orion software and then used that breach to distribute updates to the product that included a trojan programme dubbed SUNBURST. This allows the attackers to circumvent security and install various other malware.

SolarWinds says that it has 33,000 Orion customers. The company said that customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.

“SolarWinds was the victim of a cyberattack to our systems that inserted a vulnerability (SUNBURST) within our Orion Platform software builds for versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1, which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run,” the company said in a security alert.

The company said it has not seen evidence that non-Orion products were compromised.
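The security alert above names three Orion builds as carrying SUNBURST and the article names the build to upgrade to. The following is an added example, not code from SolarWinds or from this article, that parses Orion version strings of the form shown in the alert ("2019.4 HF 5", "2020.2", "2020.2 HF 1") and flags which hosts in an inventory run a build the alert lists as affected. The version-string grammar, the `OrionVersion` class, the `assess` and `hosts_needing_action` functions and the sample inventory are all assumptions made for the example; the affected and fixed build numbers are the ones the page gives.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Builds the SolarWinds security alert quoted above names as carrying SUNBURST.
AFFECTED_BUILDS = frozenset({"2019.4 HF 5", "2020.2", "2020.2 HF 1"})
# Build the article says customers should upgrade to.
FIXED_BUILD = "2020.2.1 HF 1"

# Assumed spelling of Orion versions: a dotted release, optionally "HF <n>".
# Accepts "2020.2", "2020.2 HF 1", "2019.4 hf5" and similar variants.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class OrionVersion:
    """Orion release number plus hotfix level; hotfix 0 means no hotfix installed."""
    release: Tuple[int, ...]
    hotfix: int

    @classmethod
    def parse(cls, text: str) -> "OrionVersion":
        m = _VERSION_RE.match(text)
        if m is None:
            raise ValueError(f"unrecognised Orion version string: {text!r}")
        release = tuple(int(part) for part in m.group(1).split("."))
        hotfix = int(m.group(2)) if m.group(2) else 0
        return cls(release, hotfix)

    def canonical(self) -> str:
        """Render in the spelling the advisory uses, e.g. '2020.2 HF 1' or '2020.2'."""
        base = ".".join(str(n) for n in self.release)
        return f"{base} HF {self.hotfix}" if self.hotfix else base


def assess(version_text: str) -> str:
    """Classify one installed version strictly by what the advisory states.

    'affected'   - exactly one of the builds the alert lists
    'fixed'      - the recommended build or newer (tuple order: release, then hotfix)
    'not listed' - anything else; the advisory makes no statement about it
    """
    v = OrionVersion.parse(version_text)
    if v.canonical() in AFFECTED_BUILDS:
        return "affected"
    if v >= OrionVersion.parse(FIXED_BUILD):
        return "fixed"
    return "not listed"


def hosts_needing_action(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return hostnames whose Orion build is one the advisory names as affected."""
    return [host for host, ver in inventory if assess(ver) == "affected"]


# Constructed sample inventory; hostnames and the mix of versions are made up.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2"),
    ("orion-lab-01", "2019.4 hf5"),
    ("orion-lab-02", "2020.2.1 HF 1"),
    ("orion-old-01", "2019.2 HF 3"),
]

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY:
        print(f"{host:14} {ver:14} -> {assess(ver)}")
    print("needs action:", hosts_needing_action(SAMPLE_INVENTORY))
```

The classifier deliberately reports "not listed" rather than "safe" for builds the alert does not mention, so that an inventory sweep never turns the absence of a statement into a clean bill of health.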

The wide-ranging breach is a so-called supply chain attack, one in which hackers breach systems by first compromising third-party software that has access to those systems.

In his blog post, Smith urged international cooperation to address the growing cybersecurity threats. “We need to take a major step forward in the sharing and analysis of threat intelligence,” Smith said. “We need to strengthen international rules to put reckless nation-state behavior out of bounds and ensure that domestic laws thwart the rise of the cyberattack ecosystem.”