Thousands of organizations worldwide may have been compromised in what appears to be one of the most significant supply-chain attacks in recent years. Earlier this month, cybersecurity vendor FireEye disclosed a security breach that resulted in the theft of its Red Team security tools. The incident was part of a larger supply-chain attack, likely carried out by nation-state hackers, in which malicious SolarWinds updates were used to break into the networks of government entities and private businesses.
In a security advisory released over the weekend, SolarWinds said that the hackers breached its network and inserted a backdoor into updates for Orion, a software application for IT inventory management and monitoring. This backdoor allowed the attackers to deploy additional malware on the networks of SolarWinds customers. Orion versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were affected.
In an SEC filing on Monday, SolarWinds said that of its 300,000 customers only 33,000 were using Orion, and that “SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.” The company also said it plans to release a second hotfix update on December 15 to further address the vulnerability.
According to the filing, the attackers may have gained access to SolarWinds’ systems by compromising the company’s email accounts and using that access to reach other data in its Microsoft Office 365 environment.
Targets of the SolarWinds supply-chain attack are believed to include the U.S. Treasury Department, the National Telecommunications and Infrastructure Administration, the U.S. Department of Homeland Security, and security firm FireEye.
In response to the SolarWinds supply-chain attack, the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) issued a rare directive late Sunday for “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
In its technical report, FireEye attributed the SolarWinds supply-chain attack to an unknown threat actor it tracks as UNC2452. Researchers from Volexity have linked this threat actor, which they call Dark Halo, to multiple incidents at a US-based think tank that they investigated in late 2019 and 2020.
In one incident, Volexity observed the hackers using multiple tools, backdoors, and malware implants that allowed them to remain undetected for several years.
After being purged from the network, Dark Halo returned a second time, exploiting a vulnerability in the organization’s Microsoft Exchange Control Panel (CVE-2020-0688).
“Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization’s Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020,” the researchers said. “The primary goal of the Dark Halo threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization.”
According to Volexity, the incident involving SolarWinds software took place in July 2020.
“Volexity identified suspicious administrative commands and ActiveSync anomalies in the organization’s Exchange environment. Further review of the organization’s endpoint software and network traffic confirmed a breach. The attacker had executed commands to export e-mail for specific users in the organization, and then exfiltrated the data via the organization’s Outlook Web Anywhere (OWA) server,” the researchers said.