Deloitte, Stratus Networks, Digital Sense, ITPS and Netdecisions were breached via SolarWinds and then specifically targeted by the hackers for additional internal compromise, according to a cybersecurity consultancy.
The Sweden-based firm, Truesec, analyzed the malware — as well as historical network data — to determine which firms were explicitly selected by the SolarWinds hackers for further activities, meaning that additional internal compromise could have taken place. Nearly 18,000 firms were compromised via SolarWinds Orion, but many fewer were targeted in the attack’s second stage.
“The impact of this attack is likely to be of gigantic proportions,” Fabio Viggiani, technical lead for Truesec security team, wrote in a blog post Thursday. “The full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”
[Related: Top Treasury Email Accounts Exposed In SolarWinds Hack: Report]
Deloitte, Stratus Networks, Digital Sense, ITPS and Netdecisions did not immediately respond to requests for comment from CRN. The Wall Street Journal reported Monday that Deloitte was infected in late June by a malicious SolarWinds Orion update, and the company told CRN that it “has taken steps to address” the malware but hasn’t “observed indications of unauthorized access to our systems at this time.”
Viggiani told CRN that the nearly 18,000 SolarWinds Orion backdoors have a certain communication protocol based on logic the hackers implemented in the malware. Based on requests made and responses sent over the network, Viggiani said Truesec could in certain cases figure out the internal name of the infected system as well as the responses sent back from the hacker’s servers.
Truesec took 1,500 DNS cache requests from the past few months to determine the internal domain the system was registered as well as how the hackers responded to the intrusion. The hackers most commonly gave three instructions, Viggiani said: terminate the execution when the target isn’t of interest; hold off and wait for further instruction; and proceed to the second stage of the attack.