UPDATED 22:27 EDT / DECEMBER 14 2020

SECURITY

US government software provider SolarWinds confirms it was hacked

The hack of the U.S. Treasury and Commerce Departments, first reported Sunday to involve Russian state-sponsored hackers, today was officially attributed to the compromise of software from SolarWinds Worldwide LLC.

As previously reported by SiliconANGLE, SolarWinds software is used by large parts of the U.S. government including the U.S. military, the Pentagon, the State Department, the Justice Department, the National Aeronautics and Space Administration, the Executive Office of the President and the National Security Agency.

SolarWinds provided more details on the hack, saying that up to 18,000 of its customers downloaded a “compromised software update” that allowed hackers to spy unnoticed on businesses and agencies for nine months. Previously, SolarWinds said that its monitoring products released in March and June, as long as nine months ago, may have been tampered with.

Although large parts of the U.S. government getting hacked is bad, SolarWinds has complied with the California Consumer Privacy Act, releasing a formal advisory stating that its “systems experienced a highly sophisticated, manual supply chain attack.”

Mark Carrigan, chief operating officer at PAS Global LLC, told SiliconANGLE that given the massive global scale of installations, the stakes are high with the SolarWinds hack. “Many of these installations are across highly sensitive industrial operations where network visibility is traditionally weaker,” he said. “In fact, just today the ESCC, whose members include some of the largest U.S. power utility companies, gathered to discuss the emerging threat and how to respond.”

He added that organizations across every industry must react by first identifying where SolarWinds software is installed across their environments. “From there, they must further hone in on their inventory by determining the versions that are running to evaluate the vulnerability risk that may or may not be present,” he said. “Without doing so, these risks get scaled in tandem with the vulnerabilities, and from the industrial perspective, this jeopardizes critical functions that impact everyday life.”

Brandon Hoffman, chief information security officer at cybersecurity firm Netenrich Inc., noted that a link to the FireEye hack early this month might be a coincidence and nothing more.

“It’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce Department,” Hoffman said. “However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat was coined to describe an attack just like this.”

The key takeaway, while the damage is being examined, is to determine if the organization is at risk, Hoffman added. “For any customer of SolarWinds Orion, it is worth digging as deep as possible to understand the implications,” he said.
