SolarWinds says hack affected 18,000 customers, including two major government agencies

At least two U.S. federal agencies are believed to have been targeted by a cyberattack perpetrated earlier this year.

SolarWinds, an IT company with a customer base that includes several federal and state agencies, said in a Monday U.S. Securities and Exchange Commission filing that it notified about 33,000 customers of a cyberattack involving its Orion products on Sunday. The notifications triggered an emergency response from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which instructed all agencies using SolarWinds’ Orion products to “disconnect or power down” those products as the extent of the threat was assessed.

The U.S. Department of Commerce and the U.S. Department of the Treasury were both targeted in the attack, according to the Associated Press. A spokesperson with the Department of Commerce confirmed in a statement shared with Newsweek that one of its bureaus was impacted.

“We can confirm there has been a breach in one of our bureaus,” the Department of Commerce spokesperson told Newsweek. “We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”

In its Monday SEC filing, SolarWinds said Orion products that were either downloaded or updated between March and June of this year may have been affected by the cyberattack.

“SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” the company’s filing said.

SolarWinds said it is investigating to determine which of its customers were impacted and whether or not any of the hacking attempts were successful. Though the company says on its website that its more than 300,000 customers include federal and state government agencies such as the U.S. Census Bureau and the U.S. Department of Justice, the company did not specify in its Monday filing which customers were believed to have been affected.

In response to the news of the SolarWinds cyberattack, CISA directed all federal civilian agencies to shut down their Orion products on Sunday and “review their networks for indicators of compromise.”

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA Acting Director Brandon Wales said in a statement. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”

All agencies that fell under CISA’s directive were instructed to update CISA on the results of their reviews by noon on Monday.

SolarWinds said it “has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state.” The company said the perpetrators of the attack have not yet been identified, though experts told the Associated Press that Russian hackers are believed to be behind the breach. A spokesperson for the Kremlin told reporters on Monday that Russia was not responsible for the attack, according to the AP.

Newsweek reached out to CISA and the Department of the Treasury for comment but did not receive a response in time for publication.

This is a developing story, and Newsweek will update it as new information becomes available.