- Hundreds of electricity providers in the United States got infected with the Sunburst backdoor.
- In most cases, the threat actors did not actually do any damage to the compromised networks.
- SolarWinds is still counting losses, as the company strives to stay afloat before the legal action wave hits.
The North American Electric Reliability Corporation (NERC) has posted an announcement giving more detail on how many electric utilities installed the malicious SolarWinds software update that was meant to help Russian hackers deliver the stealthy Sunburst backdoor onto critical systems: the number is around 375. That is a quarter of the 1,500 utilities sharing data with the power grid regulator, so it is a significant portion of this critical infrastructure in the United States.
The data concerns the attacks that were discovered back in December 2020, which is when the regulator sent the relevant alert to all its members. The critical role of the electric sector explains why the infection covered hundreds of entities. Still, we don’t know how many of these infections were active, in the sense that the hackers actually moved within the networks of these utilities. After all, the actors had to choose where to focus from a pool of 18,000 compromised systems.
On that matter, NERC’s senior vice president, Manny Cancel, stated:
The overwhelming majority of electric organizations did not experience any of the indicators of compromise, meaning the command-and-control activity. From that respect, we did not see what some of the other sectors were seeing with the compromise.
In the meantime, SolarWinds Corporation has announced the cost of the incident for the first three months of 2021, which the company estimates at between $18 million and $19 million. These costs cover remediation efforts, contracts with CrowdStrike and KPMG, and similar items. The amounts are expected to grow sharply once legal expenses inevitably come into play. Obviously, even then, the total will pale in comparison to the overall cost of the breaches suffered by SolarWinds’ clients.
As for the actors behind the “Sunburst” campaign, a recent report from Palo Alto Networks’ Unit 42 team attributes about 1.3 million attacks that took place during Q1 2021 to Russia-based actors. They are the most active in the world, followed by US-based actors, who were responsible for 850,000 attacks, and Chinese hackers coming third with half a million during the same period.