Feeling mildly smug because you don’t use SolarWinds? Time to readjust your threat model…:
Up to 30% of the organizations hit as part of the apparent cyberespionage campaign waged by the hackers responsible for the SolarWinds supply chain attack did not use the company’s compromised Orion network monitoring software, Brandon Wales, acting director of the U.S. Cybersecurity and Infrastructure Agency, tells The Wall Street Journal. These victims were targeted in a variety of other ways, he says.
“We don’t see anything that counters CISA’s belief around victimology,” says Vikram Thakur, a senior threat analyst with security firm Symantec. “They’re likely aware of a much larger set of victims than we are, so I would say their estimate is accurate.”