Last week, news broke that IT management company SolarWinds had been hacked, possibly by the Russian government, and the US Treasury, Commerce, State, Energy, and Homeland Security departments have been affected — two of which may have had emails stolen as a result of the hack. Other government agencies and many companies are investigating due to SolarWinds’ extensive client list. The Wall Street Journal is now reporting that some big tech companies have been infected, too.
Cisco, Intel, Nvidia, Belkin, and VMware have all had computers on their networks infected with the malware. There could be far more: SolarWinds had stated that “fewer than 18,000” companies were impacted, as if that number is supposed to be reassuring, and it even attempted to hide the list of clients who used the infected software. Today’s news takes some of SolarWinds’ big-name clients from “possibly affected” to “confirmed affected.”
At the moment, the big tech companies have the same story, boiling down to “we’re investigating, but we don’t think this has impacted us.” But as we’ve repeatedly learned in instances like the 2016 hack of the Democratic National Committee’s email, it can take a long time for the impacts of a hack to be fully realized. Once hackers are inside a system, it can also be difficult to tell if they’re fully gone. As this Associated Press report explains, it can be difficult to fully trust a network after a hacker has been inside.
In this case, investigators have a lot of data to look back through: the hack is still ongoing and has been for months.
Exacerbating the issue is that investigators found another hacking group that had broken into SolarWinds using a similar exploit. This attack, dubbed Supernova, was at first thought to be part of the main attack (aka Sunburst), but investigators now think it was executed by a second, less sophisticated group.
There are all sorts of reasons why a hacking group might want to get into a big tech company’s systems, including access to future product plans or employee and customer information that could be sold or held for ransom, assuming they actually went looking for that info. But it’s also possible these companies were only collateral damage as these hacking groups went after government agencies, ones that happened to share the same SolarWinds-provided IT management systems. At the moment, it doesn’t seem like any of these companies are particularly worried. Compare that to the US government’s computer security organization, which announced that every federal agency should power down its SolarWinds systems immediately.