The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, revealed that the SolarWinds hack affected U.S. government agencies, critical infrastructure entities, and private groups.
Experts estimate that close to 50 victims, including the 40 customers alerted by Microsoft, were among the entities breached by suspected Russian hackers.
The victims include 15 critical infrastructure companies in the gas, electric, oil, and manufacturing industries, according to The Intercept.
Similarly, the SolarWinds attack affected companies that provide core services to critical infrastructure entities, such as providers of industrial control systems (ICS), some of which are original equipment manufacturers (OEMs). The Intercept reported that three such companies were affected by the SolarWinds supply chain attack.
However, details are scant on whether the attackers behind the SolarWinds hack went on to infiltrate the affected customers' core systems.
CISA said on Wednesday that the sprawling SolarWinds cyber espionage campaign made public earlier this month was affecting state and local governments, although it released few details on the nature of the intrusions.
In a statement posted on its website, the federal agency said that the hacking campaign was “impacting enterprise networks across federal, state, and local governments, as well as critical infrastructure entities and other private sector organizations.”
Several federal government agencies including the Commerce Department, U.S. Treasury Department, and the Department of Energy confirmed being affected by the SolarWinds hack.
However, the agency did not name any specific state or local agencies or critical infrastructure entities affected by the SolarWinds hack.
Meanwhile, Reuters reported that Pima County, Arizona, was among the local authorities affected by the SolarWinds hack.
Pima County's chief information officer earlier said that the county had deactivated its SolarWinds Orion software. Private entities hit by the SolarWinds hack included tech companies, a hospital, and a university. However, the full extent of the SolarWinds hack is difficult to estimate, given that the threat actors were also exploiting additional attack vectors beyond the infected Orion software.
Breaches of critical infrastructure entities and OEMs expand the attack surface
Hacked OEMs that provide industrial control systems to critical infrastructure entities typically hold remote, privileged access to their customers' networks and equipment.
These privileges allow them to modify network settings, install new software, and control critical industrial processes. By breaching such an OEM, the threat actors behind the SolarWinds hack could extend their reach into the networks of every critical infrastructure entity that OEM services, expanding those entities' attack surface far beyond the original Orion install.
They could also use that access to interfere with industrial processes, exfiltrate data, or plant backdoors in the OEMs' firmware, compromising critical infrastructure companies around the world that run the affected industrial control systems.
Some OEMs have also installed the infected SolarWinds Orion software on their customers' networks for easy remote management of their equipment. Such OEMs may have unwittingly introduced a foothold into third-party critical infrastructure companies that could be used to gain access to their clients' corporate networks, often without the client's own IT team having deployed or even being aware of the software.
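The practical follow-up to that last point is an inventory: a critical infrastructure operator cannot rely on its own change records to know whether Orion is present, because a vendor may have installed it. The script below is an added example written for this article, not code from CISA, SolarWinds, or any OEM. It queries the standard Windows "Uninstall" registry hives and the service list on one host; the product-name patterns ('SolarWinds|Orion') and the output layout are assumptions you should widen to match your own vendor list.

```powershell
# Added example (not from the article): inventory a Windows host for
# SolarWinds software that may have been installed by a vendor or OEM
# rather than by the local IT team. The registry paths are the standard
# Windows "Uninstall" hives; the name patterns are an assumption.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$pattern = 'SolarWinds|Orion'   # assumed vendor/product pattern

# Installed packages whose display name matches the pattern
$packages = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match $pattern } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation

# Matching services, including the account each runs under: a service
# running as a privileged domain account is exactly the kind of remote,
# privileged foothold the article describes.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
    Select-Object Name, DisplayName, State, StartMode, StartName, PathName

# Emit one JSON record per host so results from many machines can be
# collected and diffed against the IT team's own deployment records.
[PSCustomObject]@{
    ComputerName = $env:COMPUTERNAME
    CollectedAt  = (Get-Date).ToUniversalTime().ToString('o')
    Packages     = @($packages)
    Services     = @($services)
} | ConvertTo-Json -Depth 4
```

Run it fleet-wide with `Invoke-Command -ComputerName <list> -FilePath .\inventory.ps1` and treat any host that reports Orion packages or services your own team did not deploy as a third-party install to investigate; the `StartName` field tells you which account that foothold already holds.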