The US government has updated its numbers on the incident, citing 9 federal agencies and about 100 private companies compromised. This number is lower than previously thought, although the investigation is ongoing and will take “several months.” There is also more pending executive action, and the incident is “more than an isolated case of espionage.” Additionally, the attack appears likely to have been launched from within the US, to further evade detection.
RiskRecon is reporting that one in four of the SolarWinds Orion servers that were exposed to the internet at the time of the espionage campaign have since been taken off the internet. This removal could mean moving the server behind a firewall, replacing the product, or mothballing the server. Only about 4% of those still online are running the SUNBURST malicious code.
A new detail was revealed in a 60 Minutes interview. FireEye’s CEO Kevin Mandia indicated that the attack would not have been found if a security staff member had not noticed that an employee had two phones registered to their name. They should have only had one. In the same segment, Microsoft President Brad Smith called the incident “the largest and most sophisticated attack the world has ever seen”.
Why do we care?
Let’s talk about those servers for a moment. It is good news to see the exposure get closed fast, although clearly that is not the entire story from a breach perspective.
Also note that the discovery hinged on two phones linked to a single account. Monitor the monitor and all that… but this feels like something we can actually be more disciplined about and automate. When I say there are lessons here, these are the nuggets I’m focused on.
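As an added example of automating that check (not code from the original post), the script below replays MFA device register/remove events from an audit log and flags any account with more than one active phone; the event names, field names and the sample records are constructed for illustration, not taken from any real product.

```python
import json
from collections import defaultdict

# Constructed sample MFA device-registration audit records (JSON lines).
# Field and event names are assumptions for this example, not a real product's schema.
SAMPLE_AUDIT_LOG = """
{"ts": "2021-02-10T09:12:03Z", "event": "mfa.device.register", "user": "alice", "device_id": "ph-1001", "type": "phone"}
{"ts": "2021-02-10T09:40:11Z", "event": "mfa.device.register", "user": "bob", "device_id": "ph-2001", "type": "phone"}
{"ts": "2021-02-11T22:03:45Z", "event": "mfa.device.register", "user": "alice", "device_id": "ph-1002", "type": "phone"}
{"ts": "2021-02-12T08:15:00Z", "event": "mfa.device.remove", "user": "bob", "device_id": "ph-2001", "type": "phone"}
{"ts": "2021-02-12T08:16:30Z", "event": "mfa.device.register", "user": "bob", "device_id": "ph-2002", "type": "phone"}
{"ts": "2021-02-12T10:00:00Z", "event": "mfa.device.register", "user": "carol", "device_id": "tok-3001", "type": "hardware_token"}
"""


def active_phones(log_text):
    """Replay register/remove events in order; return {user: {device_id: registered_ts}}
    containing only phones that are still active at the end of the log."""
    active = defaultdict(dict)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("type") != "phone":
            continue  # policy here is phones-per-account; other factor types are ignored
        if rec["event"] == "mfa.device.register":
            active[rec["user"]][rec["device_id"]] = rec["ts"]
        elif rec["event"] == "mfa.device.remove":
            active[rec["user"]].pop(rec["device_id"], None)
    return active


def accounts_with_extra_phones(log_text, max_phones=1):
    """Return sorted (user, [device_ids]) for accounts exceeding the phone-per-account limit.
    A replaced phone (remove then register) does not trigger; two concurrent phones does."""
    flagged = []
    for user, devices in active_phones(log_text).items():
        if len(devices) > max_phones:
            flagged.append((user, sorted(devices)))
    return sorted(flagged)


if __name__ == "__main__":
    for user, devs in accounts_with_extra_phones(SAMPLE_AUDIT_LOG):
        print(f"ALERT: {user} has {len(devs)} active phones registered: {', '.join(devs)}")
```

In practice the register/remove pairs would come from the identity provider's audit export, and the alert would be raised on the registration event itself rather than on a batch replay.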