Microsoft identifies second hacking group affecting SolarWinds software

The discovery underscores the extent to which SolarWinds, whose customers include Fortune 500 companies, is a valuable target for hackers.

Microsoft revealed that a second hacking group had deployed malicious code that affects software made by SolarWinds, the federal contractor at the center of a suspected Russian espionage campaign against multiple U.S. government agencies.

“[T]he investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,” a Microsoft research team said in a blog post on Friday.

The discovery underscores the extent to which Texas-based SolarWinds, whose software is used throughout Fortune 500 companies, is a valuable target for hackers.

The newly revealed malware, known to researchers as Supernova, differs from the alleged Russian tampering because it does not appear to involve a compromise of the supply chain, Microsoft said. The Supernova code does, however, allow an attacker to send and execute a malicious program on the victim’s device, Microsoft said.

While Russian hackers are suspected in the compromise of the Orion software updates, it is unclear who is responsible for the additional malware discovered by Microsoft. A spokesperson for Microsoft declined to comment.

Researchers from cybersecurity firm Palo Alto Networks described Supernova as using “in-memory execution,” meaning the malicious code is loaded and run within a computer’s memory rather than written to its disk. This suggests the code is designed to evade security software that primarily scans files on disk rather than running processes.

U.S. lawmakers have announced investigations into the alleged Russian supply-chain compromise of SolarWinds, and victims are still coming forward.

Treasury Secretary Steven Mnuchin confirmed on Monday that his department had been breached via “third-party software.” Treasury had stayed quiet compared to some other government agencies that acknowledged they had been hit. Mnuchin said on CNBC that the hackers didn’t break into the department’s classified systems, a subject that drew interest from Capitol Hill.

Moscow has denied involvement in the hacking campaign.

Any investigation into the second hacking group that targeted SolarWinds software will likely be overshadowed by the probe into alleged Russian espionage. But in the meantime, security researchers have a new lead to explore.

Tim Starks contributed reporting.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.