Fallout from the SolarWinds backdoor campaign continues as several major technology companies have said they were infected by malicious software updates, though the impact of those infections is unclear.
One week after FireEye disclosed that a recent nation-state attack it suffered was the result of a massive supply chain attack on software maker SolarWinds, more victims are being revealed. The Cybersecurity and Infrastructure Security Agency (CISA) last week said that several federal agencies had been compromised by threat actors that placed a backdoor, dubbed "Sunburst" by FireEye, inside of software updates for SolarWinds' Orion platform. CISA did not identify those agencies, though numerous media outlets have reported that the Department of Homeland Security and the Treasury Department were among the agencies that were breached.
The Wall Street Journal reported Monday that its analysis of the Sunburst malware revealed two dozen organizations that were infected by the backdoor. Those organizations include Cisco, VMware, Intel and Nvidia, which confirmed to The Journal that they had received the malicious updates, though all four vendors said they had found no evidence the backdoors had been exploited by threat actors.
SearchSecurity contacted the four vendors for comment. A Cisco spokesperson sent the following statement:
"Following the SolarWinds attack announcement, Cisco Security immediately began our established incident response processes. We have isolated and removed Orion installations from a small number of lab environments and employee endpoints. At this time, there is no known impact to Cisco products, services, or to any customer data. We continue to investigate all aspects of this evolving situation with the highest priority," the spokesperson said.
An Intel spokesperson told SearchSecurity, "We are still actively investigating, but we currently see no evidence or indication that our systems were affected."
An Nvidia spokesperson confirmed that the company is a SolarWinds customer. "We have no evidence at this time that NVIDIA was adversely affected," the spokesperson said in a email to SearchSecurity. "Our investigation is ongoing."
The scope of the Sunburst campaign has been a looming question in the infosec community. Initially, it appeared FireEye and several U.S. government agencies were the only confirmed victims of the attacks. Additionally, reports from FireEye, Microsoft and the government said this campaign affected unnamed enterprises, specifically technology companies.
In FireEye's disclosure from Dec. 13, the cybersecurity firm said the backdoor campaign, which it called "UNC2452," allowed the threat actors to gain global access to numerous government, enterprise and technology entities, though FireEye did not identify those organizations. In blog post last week, Microsoft president Brad Smith said, "the attack unfortunately represents a broad and successful espionage-based assault on both the confidential information of the U.S. government and the tech tools used by firms to protect them."
Specifically, Smith said Microsoft identified more than 40 customers targeted in the attack. That number is further broken down into sectors. "Forty-four percent of targets were in the information technology sector, including software firms, IT services, and equipment providers," Smith wrote in the blog post.