30 percent of SolarWinds hack victims didn't run the software, CISA head says

(Image credit: Greg Nash-Pool/Getty Images)

published 29 January 2021

The SolarWinds hack is in need of a new name, America's top cybersecurity investigators say.

In late 2020, foreign hackers exploited the widely used SolarWinds software to gain access to hundreds of thousands of federal government computers, as well as private companies' networks. But it turns out that around 30 percent of computers previously thought to be hacked via SolarWinds didn't even run the software, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, tells The Wall Street Journal.

The idea that SolarWinds was the only avenue for the suspected Russian attack limited its potential victims to the software's relatively small user base. But hackers linked to the attack also seem to have broken into government and private accounts by guessing passwords and exploiting issues in Microsoft's cloud-based Office software used by millions of people, government investigators said. "It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign," Wales told the Journal.

Subscribe to The Week

Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.

SUBSCRIBE & SAVE

https://cdn.mos.cms.futurecdn.net/flexiimages/jacafc5zvs1692883516.jpg

Sign up for The Week's Free Newsletters

From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.

Cybersecurity company Malwarebytes backed up investigators' findings, saying last week that it faced the same hackers as the SolarWinds attack. But Malwarebytes doesn't even use SolarWinds; rather, the hackers found a loophole in a Microsoft Office 365 account to break in. The revelation made Malwarebytes' CEO Marcin Kleczynski wonder what software is even safe to keep on company computers. "How do I know that Zoom or Slack isn’t next and what do I do?" Kleczynski questioned when talking to the Journal.

Around 18,000 government and private computers are thought to have been compromised in the hack, including networks in the Pentagon, State Department, Justice Department, and other top agencies. President Biden brought up the attack in his first call with Russian President Vladimir Putin.

Explore More

Kathryn is a graduate of Syracuse University, with degrees in magazine journalism and information technology, along with hours to earn another degree after working at SU's independent paper The Daily Orange. She's currently recovering from a horse addiction while living in New York City, and likes to share her extremely dry sense of humor on Twitter.