{
	"id": "7ba7df96-6d8a-43bb-90d8-07d09a004add",
	"created_at": "2026-04-06T00:12:26.426302Z",
	"updated_at": "2026-04-10T03:20:21.904348Z",
	"deleted_at": null,
	"sha1_hash": "82b9a3d636f586aeff5d50de3732e44975f07dfc",
	"title": "SolarWinds says fewer than 100 customers were impacted by supply chain attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 206358,
	"plain_text": "SolarWinds says fewer than 100 customers were impacted by\r\nsupply chain attack\r\nBy Catalin Cimpanu\r\nPublished: 2022-12-09 · Archived: 2026-04-05 14:33:41 UTC\r\nTexas-based software firm SolarWinds downgraded the number of customers impacted by its 2020 supply chain\r\nattack from 18,000 to less than 100.\r\nIn an SEC filing on Friday, the company said that based on new information surfaced during its investigation, such\r\nas DNS traffic records, it now believes that while 18,000 of its 300,000 customers downloaded a version of its\r\nOrion software that was tainted with the Sunburst malware, the attackers activated the malware only on a handful\r\nof customers networks.\r\nWe now estimate that the actual number of customers who were hacked through SUNBURST to be\r\nfewer than 100. [...] This information is consistent with estimates provided by U.S. government entities\r\nand other researchers and consistent with the presumption the attack was highly targeted.\r\nSolarWinds CEO Sudhakar Ramakrishna\r\nSolarWinds said that while it detected around 18,000 downloads of the tainted SolarWinds Orion app, many\r\ncustomers did not install the downloaded version, or the Orion update was installed in air-gapped networks where\r\nthe malware couldn't connect to its command-and-control server, blocking any future attacks.\r\nThe company's CEO Sudhakar Ramakrishna said the company issued this update to correct media reports from\r\nlast year that incorrectly suggested that 18,000 of its customers were hacked when, in reality, the attackers only\r\nwent after a handful of selected targets, such as large companies and government organizations.\r\nThis was confirmed last month by the governments of several countries, including the Biden administration, who\r\nformally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the SolarWinds supply chain\r\nattack as part of a targeted cyber-espionage campaign.\r\nInvestigation into the 
hacker's entry point is progressing\r\nBut the SEC document filed on Friday also provided additional insight into the company's internal investigation.\r\nOne of the biggest mysteries that remains to be solved is how SVR hackers gained access to SolarWinds' internal\r\nnetwork in the first place.\r\nThe Texas software company said it is still investigating this topic and has, in the meantime, narrowed down the\r\nentry point to three possibilities:\r\nZero-day vulnerability in a third-party application or device;\r\nBrute-force attack, such as a password spray attack; or\r\nSocial engineering, such as a targeted phishing attack.\r\nSolarWinds also said that while they \"don't know precisely when or how the threat actor first gained access to\r\n[their] environment,\" the company found new evidence that the threat actor compromised internal credentials and\r\nmoved around its internal network and Microsoft Office 365 environment for at least nine months prior to\r\ninitiating a so-called test run in October 2019, when they tested their ability to deploy malicious code inside the\r\nSolarWinds Orion app before launching the actual attack in March 2020.\r\nIn addition, SolarWinds said the SVR hackers also:\r\nThe threat actor created and moved files that we believe contained source code for both Orion Platform\r\nsoftware and non-Orion products. However, we are unable to determine the actual contents of those files.\r\nThe threat actor created and moved additional files, including a file that may have contained data\r\nsupporting our customer portal application. 
Although we're unable to determine the actual contents of the\r\nfiles, the information included in our customer portal databases does not contain highly sensitive personal\r\ninformation, such as credit card, Social Security, passport details, or bank account numbers, but contains\r\nother information such as customer name, email addresses, billing addresses, encrypted portal login\r\ncredentials, IP addresses downloading any software and MAC addresses of the registered Orion servers.\r\nThe threat actor accessed email accounts of certain personnel, some of which contained information related\r\nto current or former employees and customers. We are currently in the process of identifying all personal\r\ninformation contained in the emails of these accounts and expect to provide notices to any impacted\r\nindividuals and other parties as appropriate.\r\nThe threat actor moved files to a jump server, which we believe was intended to facilitate exfiltration of the\r\nfiles out of our environment.\r\nSolarWinds said that it is still investigating the attack and its aftermath. 
The company is working with KPMG and\r\nCrowdStrike, and several government agencies.\r\nLast month, the company revoked and issued a new digital code-signing certificate for its applications and also\r\nrevamped its software build process to add post-build verification defenses.\r\nCatalin Cimpanu\r\nis a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement\r\nactions against hackers.\r\nSource: https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack"
	],
	"report_names": [
		"solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434346,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/82b9a3d636f586aeff5d50de3732e44975f07dfc.pdf",
		"text": "https://archive.orkl.eu/82b9a3d636f586aeff5d50de3732e44975f07dfc.txt",
		"img": "https://archive.orkl.eu/82b9a3d636f586aeff5d50de3732e44975f07dfc.jpg"
	}
}