Another SolarWinds Orion Hack

At the same time the Russians were using a backdoored SolarWinds update to attack networks worldwide, another threat actor—believed to be Chinese in origin—was using an already existing vulnerability in Orion to penetrate networks:

Two people briefed on the case said FBI investigators recently found that the National Finance Center, a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised.


Reuters was not able to establish how many organizations were compromised by the suspected Chinese operation. The sources, who spoke on condition of anonymity to discuss ongoing investigations, said the attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies.


While the alleged Russian hackers penetrated deep into SolarWinds’ network and hid a “back door” in Orion software updates which were then sent to customers, the suspected Chinese group exploited a separate bug in Orion’s code to help spread across networks they had already compromised, the sources said.

Two takeaways: One, we are learning about a lot of supply-chain attacks right now. Two, SolarWinds’ terrible security is the result of a conscious business decision to reduce costs in the name of short-term profits. Economist Matt Stoller writes about this:

These private equity-owned software firms torture professionals with bad user experiences and shitty customer support in everything from yoga studio software to car dealer IT to the nightmarish ‘core’ software that runs small banks and credit unions, as close as one gets to automating Office Space. But they also degrade product quality by firing or disrespecting good workers, under-investing in good security practices, or sending work abroad and paying badly, meaning their products are more prone to espionage. In other words, the same sloppy and corrupt practices that allowed this massive cybersecurity hack made Bravo a billionaire. In a sense, this hack, and many more like it, will continue to happen, as long as men like Bravo get rich creating security vulnerabilities for bad actors to exploit.

SolarWinds increased its profits by increasing its cybersecurity risk, and then transferred that risk to its customers without their knowledge or consent.

Posted on February 4, 2021 at 6:11 AM • 36 Comments


Microsoft MVP February 4, 2021 6:56 AM

My recommendation is that they run SFC /SCANNOW. If that fails, reinstall Windows. Then install Ubuntu.

Matthias Hörmann February 4, 2021 7:37 AM

I believe we have many of these hidden security, safety, data loss and similar risks in IT, particularly in companies where “not rocking the boat” and “doing things the way everyone else does them here” is valued more highly than employee initiative in pointing out the problems or proactively improving on anything.

Often in software development and related fields visible features for the customer are also valued too highly over getting the fundamentals right and improving on them. Of course this has the worst effects on anything like security where you have no customer visible upside and only an invisible downside or a downside that only becomes visible to the customer in an event that is perceived as being unlikely.

Rombobjörn February 4, 2021 8:46 AM

If a company would increase its profits by selling faulty electrical devices that subject users to risk of electric shocks, then there would be dire legal consequences. That’s why electrical devices are usually reasonably safe. There need to be similar legal consequences for selling insecure software.

Clive Robinson February 4, 2021 9:26 AM

@ ALL,

I don’t know about how others feel, but Matt Stoller appears to have nailed one of the problems down fairly hard.

There is no money in doing security well, so just skim over with filler and gloss it up, leaving what is bad to further fester and rot whilst tying the customer in so they can not go any other place…

“Nice work if you can get it”…

Not so much “shit for giggles” as “shit on for profit”…

That said, I still think there is way more to come out of this incident with regard to US involvement…

Impossibly Stupid February 4, 2021 10:52 AM

then transferred that risk to its customers

And, even less ethically, all their victims. Anybody who runs a server on the Internet knows that it will constantly be under attack by people with “sloppy and corrupt practices”. Yet I have never once seen an ISP offer a reward for reporting abuse or offered me compensation for damage done by bad actors coming from their network space. Big cloud providers like Amazon and Google rake in the cash, and everyone else pays the price of building a security apparatus to keep out their riffraff.

This SolarWinds exploit is just another case of SSDD as far as I can tell. There are some new bits, sure, but any arms race leads to attacks of increasing sophistication. To me, the fundamental question comes back to why on Earth is traffic from untrustworthy sources, especially from hostile nation states like China and Russia, treated on par with that of paying customers, never mind being allowed into build servers and other critical parts of the supply chain?

I fully agree that Matt Stoller nails it in his article, at least from the bigger picture, economic incentive angle. Well worth the read.

José-Antonio SANCHEZ-VEGA February 4, 2021 11:06 AM

wow … very heavy statement from Matt Stoller!

At some point I agree providers shall have some kind of accountability on the quality of the products they deliver and the consequences if they’re faulty. The problem is that nowadays the only leverage to drive industry to produce quality is reputation.

We need some kind of regulation that forces the adoption of an acceptable amount of good practices, at least to demonstrate they’ve been delivering in good will. Today it is almost discretionary.

Until regulation comes, lawsuits (as already mentioned in another entry some weeks ago) could help some to make the right decisions.

Schadenfreude February 4, 2021 11:11 AM

as long as men like Bravo get rich creating security vulnerabilities for bad actors to exploit.

This is how our revolting system works. A few very lucky individuals are able to make money that they will never be able to spend while leaving a disgusting mess in their wake for the rest of us to clean up.

Take the packaging company Tetra Pak, for example. While outwardly trumpeting ecological goals their product is a disaster for the environment. There are so many other examples of this.

ATN February 4, 2021 11:20 AM

I wonder where one can ask to get those backdoors installed, so that if you produce good quality software, you can regression-test your own software on standard customer equipment, with both Chinese and Russian backdoors installed (all versions)…

JonKnowsNothing February 4, 2021 11:43 AM

@ATN @All

re: testing malware for intrusion detection flags

iirc(badly) Some while ago there was a very good set of articles written about how malware creators test their products to avoid detection. There were on-line lectures and several quality presentations.

iirc(badly) They buy a malware packaging service. They ship copies of their code to a centralized submission site and the service runs the malware against all current copies of malware-detection software. If it gets a bump, they ship the information back to the malware creators who tweak the software until it can run against all of them sans-burp.

Once they get a no-burp version they deploy it quickly. These sorts of malware have short life cycles and they are propagated globally in a hop-scotch fashion which makes it a bit harder to gather enough data to put in a block.

The type of conditions in the current case requires No Detection for a long time. It’s a different category requiring extreme stealth vs the quick In-Out-Gone type.

They would need a similar system; perhaps in-house or super secret contracts.

Jordan Brown February 4, 2021 12:31 PM

Unfortunately, it’s worse than “no customer visible upside”. Often there is a customer-visible downside to improved security. At its simplest, once you have a password, the customer can forget the password. Requiring two-factor authentication requires that the customer manage that second factor, deal with cases where it gets lost, et cetera. Using TLS means that you have to keep replacing certificates, and that changing or adding host names is a hassle, et cetera.

Neil Pickersgill February 4, 2021 1:12 PM

When the porn industry is taking their security more seriously than most businesses, you really know it’s time to start worrying 🙂

Mat February 4, 2021 1:24 PM

Look around Silicon Valley at how many fake CISOs there are with zero security engineering background except useless certifications to their name. Mostly hired through connections and recycled. Happens a lot with those from India.
Same with CTO roles held by people who don’t have any software engineering background.

America is open and everyone exploits both inside and out.

Fed.up February 4, 2021 2:29 PM

@Mat is correct.

I recently left a job where their entire cyber team didn’t even have any IT experience. It does involve foreign nationals who lied their way into the USA. There’s no shortage of qualified Americans for IT or Cyber; it is just that the applicant recruiting system’s were written to purposely exclude or blackball qualified Americans.

When you outsource and offshore your staff at some point they have to go home and might they purposely leave backdoors because they don’t have a 401K? Wouldn’t a backdoor be a nice nest egg?

So far as blaming China, can someone explain to me how data travels from the USA to India without landing in China? And can you also explain how encrypted data travels from the USA to India when India bans encryption?

Senator Dianne Feinstein knew this was a problem in 2003. She threatened to ban offshoring sensitive US data for this very reason. Every other developed nation has data residency laws except the USA, and to add insult to injury now all of our data is in the cloud managed offshore by people working from home. Is anyone surprised that it’s all compromised by foreign governments? If you wanted access to the world’s biggest companies, this pandemic and offshore WFH fiasco was surely a great opportunity to do just that.

On my last job I thought that my CISO was doing something evil and I’m more convinced than ever that he was with SolarWinds, JetBrains and Malwarebytes in the environment. This was all planned.

Is this why the US Government is cancelling Jedi? And is this why Bezos is stepping down?

This is avoidable. We need data privacy and data residency laws. Instead security companies pretend that monitoring will solve it and it never does.

Most importantly we need to license tech companies in the USA. We need a non-governmental exchange like NYSE that regulates, examines, qualifies, monitors, investigates tech companies just like they do for public companies. There needs to be criminal charges and jail time for companies and people who break these laws. This Tech Exchange could perform third party risk assessments and then qualify which companies could sell to which industries. This could also increase competition in the USA and entrepreneurship.

lurker February 4, 2021 2:38 PM

People are praising Mat Stoller for telling it like it is. But he’s telling on a relatively back-street blog. His words need to be front page on WSJ before we’ll see any effort going to fix the problems, and I fear that just ain’t gonna happen…

tim February 4, 2021 2:59 PM

These private equity-owned software firms torture professionals with bad user experiences and shitty customer support in everything from yoga studio software to car dealer IT to the nightmarish ‘core’ software that runs small banks and credit unions, as close as one gets to automating Office Space

This piece is more of a hit piece against private equity companies than a substantive article and completely ignores the fact that SolarWinds is a public company. The problem isn’t how they are funded. The problem is the lack of any incentives to have a meaningful security program.

tfb February 4, 2021 4:07 PM


Wow. So the ‘applicant recruiting system’s [sic] were written to purposely exclude or blackball qualified Americans’. Of course they were. It’s all the fault of those nasty (brown) people, isn’t it? In just the same way that all these companies discriminate against male applicants, I expect, which is why the field is so dominated by women … oh no, wait.

SpaceLifeForm February 4, 2021 4:35 PM

@ Ken Thompson, Clive, ALL


“But they also degrade product quality by firing or disrespecting good workers”

This is what happens at companies that suck at the government IC teat.

Been there, done that. Got the T-shirts.

SpaceLifeForm February 4, 2021 5:00 PM

@ Fed.up, Clive, ALL

Most importantly we need to license tech companies in the USA.

No. Just absolutely no.

That is exactly wrong.

That is exactly what big money (fascists) would want. So they can squeeze out the small innovative companies.

Have you not been paying attention to the attacks on Section 230?

IrritatedJoe February 4, 2021 5:27 PM

Solution? Federal law that prevents outsourcing software outside of the US without either an extradition treaty, or outside of North America. Yes, I’m fully aware of what this would do to the use of FLOSS in corporations. At this point it’s painfully clear that A) we require labor laws that treat information technology workers favorably, B) we need the labor relations board to be given their balls back by Congress, who also needs to grow a pair, C) C-suite executives and upper management can no longer get away with decisions that cause a chain of circumstances where others are penalized while they are enriched. Direct consequences of actions need to be enforced and the corporate shield is not an appropriate criminal or civil defense.

I really don’t care if this sounds “socialist” or not. The status quo isn’t working. When the current system doesn’t work, change it.

SpaceLifeForm February 4, 2021 5:51 PM

@ IrritatedJoe, Clive

Need double kill.
Citizens United. Filibuster.

It will become clear soon who is being blackmailed.

The best way to help those being blackmailed is to get them out of their role. They have a choice. They can resign or look worse in court. They can choose their fate.

BoJo? Are you paying attention?

Fed.up February 4, 2021 6:01 PM


We license doctors, massage therapists and manicurists but it would stifle tech competition. Please explain how?

Yes, perhaps it would prevent another Theranos. What Matt Stoller doesn’t mention is where these Private Equity firms get their funding. It’s from Pension Funds and University Endowments. When Private Equity loses money investing in sketchy tech companies that shouldn’t ever exist, they try to pull money out from their portfolio wherever they can. But Pension funds across the US are unfunded because they invest in these losing tech portfolios. 95% of startups fail. And they certainly do not deserve Pension fund investment.

There are laws that disallow the Federal Gov and regulated private sector from doing business with non-public Private Equity backed tech companies because they are usually non-sustainable and lack the ability to comply with existing cyber laws. But this has as much to do with Sarbanes Oxley anti-fraud laws as it does with Security. SolarWinds was public, then went private, and then went through mergers and acquisitions before going public again.

Just because a tech company is traded on a US stock exchange doesn’t make it American. Thus the NYSE has begun delisting them. And with the Robinhood fiasco you can bet that Sarbanes Oxley laws will be updated to include considerations about today’s dotcons.

Licensing technologists was Obama’s idea. It was in the original Rockefeller Snowe Cybersecurity Act of 2010. Obama wanted every technologist working in the critical infrastructure private and public sector to go through a security clearance. That has begun happening with CMMC. There’s a fundamental law in the USA: if you do business with the US Gov you have to comply with the same procurement laws they do. So wring your hands all you want and call Obama a racist, but this was his bill and it is all coming to pass.

JonKnowsNothing February 4, 2021 6:50 PM

@Fed.up @All

re: We license doctors, massage therapists and manicurists but it would stifle tech competition. Please explain how?

Tacking on “licensing” is a gating mechanism to prevent too many providers flooding the market. It adds to the overhead costs of the person entering the market.

  • Advanced Education = k-12, BS/A 4, MS/A/B 2, PhD n+ == A lot of starting debt.
  • Certification Courses = a lot of 40hr continuing ed credits == continuing expenses
  • Board Licensing = special exams (aka SAT/GMAT types) and Organization Memberships + n-years of practice = ongoing expenses to recertify and renew.

Licensing in the USA is governed by the States. To work in another State you must either pass that State’s Licensing Laws or go to a state where they have agreed to a Reciprocity Agreement for that license.

Without the agreement, you cannot practice in another area. Which means you may not be able to move to another job in your field if that job is in a location that does not recognize your degree or licenses.

Licensing does nothing at all to guarantee the quality, security, caliber or truthfulness of the person licensed.

  • Plenty of licensed plumbers will tell you, that you need a new toilet tank when all you need is a $3 flapper.
  • Plenty of licensed contractors will tell you they can fix something for $X dollars and then charge you $Y.
  • Plenty of licensed mechanics will place a mechanic’s lien on your car when in for repairs and then “oh I forgot” to remove it after you pay.
  • Plenty of High Tech, Stock Market Traded Companies will sell you a crapton of expensive equipment that neither works for the business application as detailed in the RFP.
  • Plenty of those High Tech, Stock Market companies will trot around their PhDs with Patent Pending stamped on their foreheads as proof they have the goods.

A license doesn’t fix any of what needs fixing.

In some places Engineer does not mean Engineer unless you have a License that says so.


JonKnowsNothing February 4, 2021 7:02 PM

@Fed.up @All

re: Pension funds across the US are unfunded because they invest in these losing tech portfolios.

Pension funds in the USA are underfunded due to a change in Finance Laws both State and Federal that allowed these funds to Partially Fund their programs.

These funds used to be required to be Fully Funded with Cash Reserves. The change happened when Short Term Asset Raiding became popular with Wall Street.

The argument that was presented was:

  • Few people live long enough to collect their pension
  • Few people were fully vested in their pensions
  • Few people ever qualified at all for their pensions

A company could take the under-used cash and use it for (fill in the blank) and only fund the portion that was actually collected.

  • They did not fund the pensions for even the lower amounts they claimed they needed.
  • They did not fund the pensions fully for the pensions already in use.
  • They took the money and ran it to Tax Havens.

Pension Roulette became a new Wall Street Game playing upon greed and ego-stroking that “Someone As Smart As YOU” could out fox “Someone Smarter”.

They are still working on full access to pensions globally. Disasters already in progress in many Neo-Liberal economies.

Fed.up February 4, 2021 8:38 PM


I should have said “security clearance”. Which means an exhaustive DHS background check and polygraph. This is what was in the bipartisan cyber bill in 2010.

Security clearances confirm your experience, education and that you tell the truth. Security clearances are already required in some roles in the regulated private sector and are increasing in popularity.

Third Party Risk assessments are legally required of certain private sector industries and also the Federal Government. But it is a unicorn skill set that requires decades to master. It is not realistic to expect the private sector to be able to perform Third Party Risk assessments sufficiently when CISA wasn’t able to do it either. That’s what the Tech Exchange should do. And since there are so few people in this world who can master performing third party risk assessments, it makes sense to centralize it. It would prevent a SolarWinds or a Theranos because it would also provide a mechanism for employees to file complaints. Today cybersecurity professionals leave employers who won’t remediate vulnerabilities rather than risk their resume on an attack. Once your employer is attacked, that’s career ending. Ask the guys at Equifax who went to jail. So having a NYSE type Exchange for Tech would mean that employees wouldn’t have to quit or be fired for identifying vulnerabilities.

It could be like FINRA, a national organization which licenses securities and compliance professionals. The Kitty guy in Massachusetts who ran up GameStop is licensed by FINRA. Usually people who want a career in financial services take FINRA regulations very seriously. Employers pay for the licensing. The private sector pays for Security Clearances too.

But we need Data Residency first and foremost. Every country has this law. Right now the US requires that some data cannot be exported, such as Tax and Government data. But it’s not achievable to protect just some data. It is all or nothing.

JonKnowsNothing February 4, 2021 9:54 PM

@Fed.up @All

re: Security Clearance in USA

I am sure a lot of people have them or want them, but when Silicon Valley companies that I worked for went Employee Shopping for someone who would like one in order to work on The Project… no one was even the slightest bit interested.

The only folks that want them are folks like Joshua Schulte; what a nice person to have as a co-worker. And there’s Ms Haspel. I’m very sure she got one too and is a great mentor. She learned from a Master. Running a torture prison takes a lot of security and looks good on the resume.

Security Clearance doesn’t mean jack as far as the type, design or ethics of the work you are doing. If it’s a SKR for those other guys in other departments that is AOK with US(A).

I don’t think the UK is having all that much luck with their Nerd Hiring advertising proposals.


JPA February 4, 2021 10:38 PM

This is the problem when acquiring wealth is the highest priority. Sarah Chayes – On Corruption in America is highly recommended.

Patriot February 4, 2021 10:38 PM

SolarWinds increased its profits by increasing its cybersecurity risk, and then transferred that risk to its customers without their knowledge or consent.

This synopsis of the problem is straight to the point. The American model of company and government interaction has been an epic fail for quite a long time. One could not imagine a Chinese company benefiting while doing tremendous damage to China. It is unimaginable. But in America, this kind of toxicity is now the name of the game.

The problem is the leadership. The leaders know how to increase their profits, and they will do what they can get away with. First get the money; later worry about the consequences.

We see this in many areas of the U.S. government, even the military. It does not matter whether the soldiers are trained or not (Tongo Tongo ambush–Green Berets running away from the fight). OPM, CIA. It does not matter if the data is exposed and some appalling hack takes place. There are many examples. Some of the most damaging come from the Puzzle Palace: it does not matter if the illegal collection makes a mockery of citizenship and desecrates the U.S. Constitution–as long as I get mine.

Sorry to say, the U.S. government can be incredibly stupid. Or is just the opposite the truth! Relying on contractors maximizes profits, which brings smiles and back slapping all round. But the trouble is that using contractors often leads to a clown show. The security disaster at Benghazi is a case in point. The “boutique” anti-terrorism effort that led to the tomfoolery and catastrophe was partly due to contracting itself. It diminishes responsibility and lengthens lines of communication, which is a weakness. So, what is the point? The point is that the leadership is AWOL. These failures like SolarWinds are the expression of a bureaucracy, a mechanism without leaders, with no one to hold responsible, a little machine that runs on its own and does not require character, insight, fortitude, virtue, pith, intellect, anything. It is just a complex set of costly instructions and mechanical actions whose goal is to make money for the people involved. The more expensive, the better. The more complex, the better. Once the money is had, the goal will have been achieved. From one point of view, SolarWinds, OPM, Vault7, the CIA hack, Benghazi, the wars in Iraq and Afghanistan, are not abject failures at all.

Patriot February 4, 2021 10:50 PM

It is amazing to watch this carnival unfold.

So, no one notices that the system is set up for failure and failing. One zillion dollars is spent, but networks are still vulnerable.

To my mind, there must be some folks who saw this coming. Prior to the OPM disaster, there were people who stuck their necks out and rang the alarm bell.

However, that massive CIA hack that compromised their sources and case officers globally, for years, was not foreseen. It is utterly astonishing that these people can be that deeply asleep at the wheel.

At least the U.S. taxpayer is not paying much for protection. That, at least, should mollify anger about the country becoming a standing joke.

Patriot February 4, 2021 11:04 PM


Please keep it coming.


These powerful hacks can have devastating consequences because they enable deeper, more damaging attacks. Having collected so much information about people who work for Uncle Sam, the nation-state actors can leverage the information to find individuals that are willing to attack from the inside, or at least gain more information.

It has already been happening, and the consequences could be catastrophic if a war were to break out. What we are seeing is a boxing match in which the fighter in the red trunks is softening up the mystified, punch drunk loser.

name.withheld.for.obvious.reasons February 4, 2021 11:37 PM

@ SpaceLifeForm

Been there, done that. Got the T-shirts.

Me too, I even got some underwear to go along with the t-shirts.

Another round of WTF, the question is who didn’t see this coming…honestly.

Ismar February 5, 2021 4:45 AM

Very simple to prevent future incidents like this one: make SolarWinds accountable (financially) for their substandard security and send a strong message to other software development houses that with privilege comes responsibility.
In other words, regulate and enshrine in the law as much responsibility for the breaches at the software makers as possible.
If this was a piece of hardware, say a car with substandard theft protection, the manufacturer would be forced to recall all of the affected cars at their own cost. Why does it have to be any different with computer security, which has a much bigger potential to harm the wider society?

md5 February 5, 2021 7:28 AM

The SolarWinds hack reminds me of the Ukraine hack, in the sense that penetrating a platform (SolarWinds, or Linkos in the Maersk/Ukraine case) that has a foothold in the desired high-value target gives you control of the whole network of targets.

Sad to say that these platforms don’t normally enjoy the security budget/resources/scrutiny that some of their high-value clients do. Maybe the supply chain should be looked at as the same security perimeter, and clients should invest in the security of their supply chain.

Just my two cents.

Clive Robinson February 5, 2021 11:20 AM

@ Ismar,

why does it have to be any different with computer security which has much bigger potential to harm the wider society?

The simple answer is,

“You do not own the software, you have only a lease with strings.”

Put on their terms, you pay them lots and lots of money, and in return you get poor functionality, poor service, gagging orders and next to no remedial rights, not even “fitness to market”.

And that’s the way they like it, and it’s the way the legislators who they pay-off / lobby like it as well. And they all follow Upton Sinclair’s observation,

“It’s hard to get someone to understand your point of view, when their salary depends on them not understanding it…”

Ismar February 5, 2021 3:35 PM

@Clive- anti-theft systems in cars are as much software as they are hardware, as is the case with other car systems.
I think the problem arises when software becomes abstract (removed from hardware) enough to make it hard (at least for every day Joe) to realise that any damage can be done by (mis)using it.
It would appear that our collective evolution has not caught up with this concept yet.

Paranoids February 5, 2021 7:30 PM


The same USDA division experiencing this breach is the division that handled the mysterious Chinese seeds packages received across the US.

Maybe if this wasn’t ACH theft then perhaps China was seeking intel to see if any employees took leaves. Maybe something was wrong with those seeds after all?

Or if it was ACH funds theft then maybe it is related to the Unemployment scams across the USA? If so someone needs to identify all of the vendors involved in the USDA Financial Management Modernization Initiative System (FMMI), which may still be underway. There are 22 subcontractors involved in this original contract. Also the announcement above said it was “Rightshored”, which is Capgemini’s term for offshoring.

Also there was that “MyPayrollHR” Michael Mann payroll fraud in 2019 where over $70 Million disappeared. From what I can see it hasn’t been solved how it was pulled off and where the money went. I always thought that ACH fraud was practice for a bigger future event. It was ACH fraud because they pulled money out of people’s bank accounts.
