The 10 Most Controversial Companies Of 2020

The global pandemic forever changed the technology landscape in 2020, but it was one security breach after another that grabbed the biggest headlines of the year. Here’s our list of the top 10 most controversial companies of the year.

Security Breaches, Chip Wars And Channel Conflict

Staying ahead of the increasingly sophisticated attacks of cyberterrorists proved to be every bit as difficult as dealing with the day-to-day fallout from the global COVID-19 pandemic for companies in 2020.

The year featured one of the top network monitoring tool makers in the world and an MSP stalwart as the linchpin in what will ultimately be remembered as one of the most infamous cybersecurity breaches in the history of computing. That blockbuster breach also ensnared a software giant that invests more than $1 billion a year on security as well as other high-tech powerhouses.

The nation state attack reverberated throughout the industry as the year came to a close with security fear, uncertainty and doubt pervasive going into the new year. The SolarWinds-based attack was just one of a number of high-profile attacks that put companies on the controversial list, including a CRN Solution Provider 500 powerhouse that reported a Maze ransomware attack that resulted in a $50 million to $70 million revenue and margin hit.

The list of controversial companies also included a chip behemoth challenged by a hedge fund, a software channel stalwart grappling with channel conflict, and a hyperconverged highflier that chose a new CEO and was hit with a lawsuit from his former company.

Get more of CRN’s 2020 tech year in review.

10. ConnectWise: MSP Partners Hit By Ransomware Via ConnectWise Automate

In a sign of the times with MSP platform and software tool providers being used as an entry point in sophisticated attacks, ConnectWise confirmed in June that a vulnerability in ConnectWise Automate was successfully used against some of the 20,000 partners on its platform.

Multiple ConnectWise partners told CRN that their customers were hit with ransomware through the software flaw.

“We have confirmed that a small number of partners have been compromised,” ConnectWise told CRN at the time. “We are communicating with each of them to determine the nature and severity of the impact. We are also actively communicating with our on-premises partners who have not yet installed the hot fixes and walking them through the steps to do so.”

ConnectWise closed out the year by doubling down on stepped-up security with the acquisition of two cybersecurity firms—Perch Security and StratoZen—in a bid to shield its MSP partners from the cybercriminals who target them and their customers.

The purchase of Perch Security, first reported by CRN in early November, and StratoZen were unveiled at the opening of ConnectWise’s annual partner conference, IT Nation Connect. Perch Security is a Tampa, Fla.-based company that two years ago received $9 million in funding from ConnectWise. StratoZen is a SOC-as-a-Service, SIEM-as-a-Service company based in Salt Lake City, with 23 employees that process “over 20 billion security events every day,” ConnectWise said in a fact sheet.

Gavin Stone, chief technology officer at Impact Computing & Consulting, an MSP in Preston, U.K., said he is cautiously optimistic about the deals for Perch Security and StratoZen.

“The Perch and StratoZen acquisitions show that ConnectWise is genuinely serious about improving both their security offerings and their overall security posture. They have a lot of work to do to ensure that the elements that make those companies unique are not lost while being part of a larger corporate structure,” Stone said.

9. DXC: Multiple Customers Hit By Ransomware Ripple Effect

Multiple customers of systems integration behemoth DXC were grappling with downed systems in July following a ransomware attack against a part of DXC that sells insurance industry software.

DXC took “containment” measures to ensure the virus did not spread beyond the subsidiary.

“The company has implemented a series of containment and remediation measures to resolve this situation,” the Tyson, Va.-based business process outsourcing company said in a statement. “DXC is actively working with affected customers to restore access to their operating environment as quickly as possible. DXC is also engaging with law enforcement and appropriate cyber agencies.”

The attack targeted “certain systems” of Xchanging, an insurance managed services business, which DXC said operates on a stand-alone basis. DXC said it is “confident” that the ransomware was isolated to this business and did not infect other systems.

Xchanging is an Australia-based business that focuses on insurance industry software, according to the subsidiary’s website.

“Xchanging has concentrated on the systems and processes that are common to all forms of insurance change,” according to the company’s website. “Instead of repeating the mistakes made in the past, we have developed the world-class Xuber Insurance Software to enable the future. Based on our own proprietary platform, we have refined the building blocks of any insurance software product.”

The DXC Xchanging breach is just one more sign that the “No. 1 issue” facing MSPs is the growing number of breaches that are wreaking havoc on them and their customers, said David Powell, a longtime MSP who this year became senior vice president of sales for up-and-coming MSP security provider Perch Security, which is now part of ConnectWise.

“This is absolutely the No. 1 issue facing the channel,” said Powell, who in June joined Perch from MSP superstar Corsica Technologies. “MSPs are not taking this security issue seriously enough and as a result they are leaving their customers open to the downside risk of a breach.”

Powell said at the time that he was not surprised by the news of yet another MSP being hit by bad actors who have become experts at using MSP tools to breach MSP customers.

8. Conduent: Another Maze Ransomware Victim

Business process outsourcing superpower Conduent said its European operations were hit with ransomware, which two security companies said led to the leak of internal company documents on the web.

Ransomware buster Emsisoft, as well as threat intelligence firm Bad Packets, said Conduent appeared to have been struck by Maze ransomware. Maze is the same brand of ransomware that hit Cognizant in April during in a high-profile attack that locked some employees out of the company’s email systems, just as Cognizant was moving employees to remote work.

In the Conduent attack, Maze hackers appeared to have published two Zip files that New Zealand-based Emsisoft security analyst Brett Callow said contained documents related to the company’s work in Germany. The files were released on a site that publicizes Maze attacks.

“I see a file for Vodafone Deutschland,” he told CRN. “These groups typically start by posting the older and less sensitive data served. If they were to post the ‘crown jewels,’ so to speak, the company would have less incentive to pay for the remaining data being published.”

Conduent released a statement confirming the attack happened on May 29. The statement said it lasted about nine hours before its systems were back online.

“Conduent’s European operations experienced a service interruption on Friday, May 29, 2020,” the statement read. “Our system identified ransomware, which was then addressed by our cybersecurity protocols. This interruption began at 12.45 AM CET on May 29th with systems mostly back in production again by 10.00 AM CET that morning, and all systems have since then been restored. This resulted in a partial interruption to the services that we provide to some clients. As our investigation continues, we have ongoing internal and external security forensics and anti-virus teams reviewing and monitoring our European infrastructure.”

7. Tyler Technologies: Ransomware Attack Takes Down Its Phone Lines, Website For Number Of Days

Tyler Technologies, No. 46 on the 2019 CRN Solution Provider 500, became yet another channel victim of a high-profile ransomware attack on Sept. 23 that took down the company’s phone lines and website for a number of days.

Tyler Technologies said the ransomware attack on the company’s network ultimately caused a $4 million hit to sales, but it does appear that Tyler was able to keep the malware out of its other systems, CEO H. Lynn Moore told investors in a November earnings call.

“The security incident did impact our ability to deliver licenses and services during late September and into October,” Moore said. “We currently estimate the impact to revenue was approximately $1.5 million in the third quarter and $2.5 million in the fourth quarter. We maintained cybersecurity insurance coverage in amount that we believe is adequate.”

The Plano, Texas-based solution provider has more than 15,000 state, local and federal government customers that use its billing and data management solutions throughout the U.S. and around the world.

“There has been no evidence of compromise in the separate and segregated environments where we host software for our clients,” Moore said. “And to date, there has been no evidence of malicious activity on client self-hosted systems related to this incident. From day one, we have been regularly communicating with our client community and have actively maintained an incident response page on our website. We encourage you to check for updates there as well.”

6. VMware: Hit By Charges Of Channel Conflict On VMware Cloud On AWS

Channel stalwart VMware was hit with charges of channel conflict in the wake of partner complaints that VMware cloud partner Amazon Web Services was swooping in to snatch VMware Cloud on AWS deals that were initiated and nurtured by some of VMware’s top partners.

Partners told CRN that AWS was swooping in at the last minute on large enterprise deals, usually north of $1 million, driving up the cost of sales for partners who end up with nothing to show for their VMware cloud migration sales efforts.

One of VMware’s top solution providers told CRN the company found itself out literally thousands of dollars in high-level architectural consulting costs with countless man-hours wasted on a deal that disappeared at the last minute into the hands of AWS.

The conflict hit a fever pitch during the year with VMware partners wondering if they should stop pursuing huge VMware Cloud on AWS deals because of the channel conflict. Partners demanded that VMware and AWS clearly define rules of engagement and how they should compete when AWS allows customers to burn EDP credits when buying VMware Cloud on AWS, which can drastically lower the customer’s bill.

In a statement to CRN, VMware said it recognizes there have been “some challenges for partners” around selling VMware Cloud on AWS.

“There are partners who are working very successfully with both VMware and AWS teams, and many of those partners are seeing their wins, opportunities and pipeline grow. At the same time, we do recognize there have been some challenges for partners, which we are working directly with AWS to address,” VMware said in the statement.

In October, VMware’s new global channel chief, Sandy Hogan, said the company is taking steps to solve any channel conflicts that arise between channel partners and AWS when selling its popular VMware Cloud on AWS offering.

Hogan, who joined VMware in May as senior vice president of worldwide commercial and partner sales, told CRN that VMware has already taken measures to combat the channel issues head on.

“It’s about creating better alignment in these teaming agreements that are established between VMware, AWS and the partner,” said Hogan in an interview with CRN. “That sets up the co-selling up front and the rules of engagement and the outcomes out of that. So that also creates a form of protection for the partners in how they’re actually going to jointly sell [VMware Cloud on AWS] and the rules and responsibilities going into that teaming agreement.”

5. Nutanix: Sued By Rival VMware After Hiring Former VMware COO As New CEO

Just 19 days after Nutanix said on Dec. 9 that it had hired former COO Rajiv Ramaswami as its new CEO, Nutanix rival VMware fired back, filing a lawsuit in Superior Court of the State of California, County of Santa Clara, charging Ramaswami with “material and ongoing breaches of his legal and contractual duties and obligations to VMware.”

“Rajiv Ramaswami failed to honor his fiduciary and contractual obligations to VMware,” said VMware. “For at least two months before resigning from the company, at the same time he was working with senior leadership to shape VMware’s key strategic vision and direction, Mr. Ramaswami also was secretly meeting with at least the CEO, CFO, and apparently the entire Board of Directors of Nutanix, Inc. to become Nutanix’s Chief Executive Officer. He joined Nutanix as its CEO only two days after leaving VMware.”

VMware claimed that Ramaswami demonstrated “poor judgement and had a clear and extended period of conflict of interest. He should have disclosed this conflict of interest to VMware so that the company could have taken steps to protect itself,” said VMware. “But he did not notify VMware, and thus deprived the company of the ability to do so by concealing his Nutanix-related activities.”

VMware said it tried to resolve the matter without litigation, but “Mr. Ramaswami and Nutanix refused to engage with VMware in a satisfactory manner.”

“VMware spends billions of dollars on its roadm ap and R&D to bring market innovations to our customers and is committed to protecting our brand, the technological innovations behind our brand, and the value we bring to our customers,” said VMware.

Nutanix, for its part, called VMware’s lawsuit a means to make “interviewing for a new job wrongful. We view VMware’s misguided action as a response to losing a deeply valued and respected member of its leadership team.”

Nutanix countered that Ramaswami and Nutanix have “gone above and beyond to be proactive and cooperative” with VMware.

“Nutanix and Mr. Ramaswami assured VMware that Mr. Ramaswami agreed with his obligation not to take or misuse confidential information, and VMware does not contend otherwise,” said Nutanix. “However, VMware requested that Mr. Ramaswami agree to limit the ordinary performance of his job duties in a manner that would equate to an illegal non-compete covenant, and it requested that Nutanix agree not to hire candidates from VMware in a manner that Nutanix believes would be contrary to the federal antitrust laws.”

The Nutanix CEO controversy came after founder and CEO Dheeraj Pandey retired from the company he co-founded 11 years ago and built into a $1.6 billion software powerhouse.

The changing of the guard—which “shocked” Nutanix partners—came in the wake of a $750 million investment from Bain Capital Private Equity.

“Co-founding and leading Nutanix for the last 11 years has been the single most rewarding experience of my professional career. Guided by a vision of making IT infrastructure so simple that it becomes invisible, our team has built Nutanix into a leader in cloud software and a pioneer in hybrid cloud infrastructure solutions,“ said Pandey in a statement on Aug. 27 . ”I am confident there is no better time for me to make this transition to a new leader who can guide Nutanix through its next decade of growth and success.”

4. Intel: Hit By Hedge Fund Challenge, Microsoft And Apple Chip Plans

New York-based hedge fund Third Point took direct aim at chip giant Intel’s status quo by taking a significant stake in the company and then calling on the board of directors to explore selling manufacturing operations and “failed acquisitions” to combat what it called declining market share and customers making their own chips.

Third Point urged Santa Clara, Calif.-based Intel to hire an investment adviser to consider the measures, among other “strategic alternatives,” in a letter to Omar Ishrak, chairman of Intel’s board. The letter, written by Third Point CEO and founder Daniel S. Loeb, said the firm plans to acquire more Intel shares. Loeb said Third Point would consider submitting nominees for Intel’s board at the 2021 annual meeting if the company expresses “reluctance” to consider the firm’s recommendations.

Loeb said his firm is calling for these changes as Intel’s shares have “dramatically underperformed” in comparison to its peers, losing more than “$60 billion of market capitalization over the past year alone.”

The Intel market capitalization hit came in the face of chip manufacturers TSMC in Taiwan and Samsung in South Korea moving to 5-nanometer processes this year—enabling them to create denser, more efficient computer chips—while Intel “has been stuck at its 14nm node since 2013” and will be “several years behind its Asian peers” until at least 2025 with its recent 7nm issues, according to Loeb.

In the letter, which Third Point provided to CRN, Loeb called for Intel to explore whether it “should remain an integrated device manufacturer and the potential divestment of certain failed acquisitions.” Citing unnamed sources, Reuters reported that the changes could include separating Intel’s chip design operations from manufacturing.

The hedge fund executive in the letter also said Third Point would like to discuss privately “other specific issues” and is confident its “specific recommendations” will be welcomed by the board and other shareholders.

Intel, in a brief statement posted to its website, said it “welcomes input from all investors regarding enhanced shareholder value.” The company added: “In that spirit, we look forward to engaging with Third Point LLC on their ideas towards that goal.”

The Dec. 29 Third Point challenge came just 11 days after longtime Wintel partner Microsoft confirmed it was making a move away from Intel with a plan to design Arm-based chips for Azure servers and some Microsoft Surface systems. The Microsoft revelation came just weeks after Apple began shipping its new M1 powered systems, displacing Intel chips in some Apple systems.

The manufacturing gains made by TSMC and Samsung have allowed fabless semiconductor companies AMD and Nvidia to gain market share and dominate the nascent AI training model market, respectively, Loeb said.

At the same time, major Intel customers like Apple, Microsoft and Amazon have begun developing their own chips, which are then manufactured in East Asia, Loeb added. To retain customers shifting to in-house chip designs, Loeb said Intel must offer them “independent solutions” that will keep manufacturing stateside.

“Without immediate change at Intel, we fear that America’s access to leading-edge semiconductor supply will erode, forcing the U.S. to rely more heavily on a geopolitically unstable East Asia to power everything from PCs to data centers to critical infrastructure and more,” Loeb wrote.

Intel also faces increased competition as a result of blockbuster acquisitions made by rivals, specifically Nvidia’s acquisition of chip designer Arm for $40 billion and AMD’s $35 billion acquisition of programmable chip maker Xilinx.

AMD President and CEO Lisa Su in a CRN cover story called the channel an “incredibly important part” of the chipmaker’s strategy, setting in motion a plan to double market development funds, channel staff and funded positions for top solution provider partners. “I think the channel is just a big opportunity for us. It’s really a matter of ensuring that as we scale as a company, we put resources into the channel to support all of the activities there, and I’m very excited about the possibilities,” she said.

3. Cognizant: High-Profile Maze Ransomware Victim

Cognizant, No. 6 on the 2020 CRN Solution Provider 500, in a statement on April 18 revealed that it had been hit by the Maze ransomware virus, locking up its own internal systems and hitting some of its customers.

The company said it had deployed its own internal security along with “leading cyber defense firms” in an effort to “contain this incident.”

“Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack,” the company said.

“Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident. Cognizant has also engaged with the appropriate law enforcement authorities,” the statement continued.

The company said it is in ongoing communication with customers and has provided it with indicators of compromise and “technical information of a defensive nature.”

CRN was the first to report that some Cognizant employees lost email access as a result of the ransomware, forcing them to communicate with co-workers and customers through other means. By May 7, Cognizant was saying that it had fully recovered from the ransomware infection and restored most of its services. The incident only impacted Cognizant’s internal network and not customer systems, the company said.

The revenue and margin impact of the ransomware attack isexpected to be in the range of $50 million to $70 million in the second quarter of 2020, Cognizant said May 7. The company said it expects to incur additional legal and consulting costs tied to the investigation, service restoration and remediation of the ransomware attack.

“Nobody wants to be dealt with a ransomware attack. I personally don’t believe anybody is truly impervious to it, but the difference is how you manage it. And we tried to manage it professionally and maturely,’ Cognizant CEO Brian Humphries told analysts on a call in May.

2. Microsoft: Ensnared In Colossal Nation State Cybersecurity Breach

Microsoft—which has boasted that it spends over $1 billion a year on cybersecurity—became ensnared in the colossal U.S. government attack that leveraged the SolarWinds Orion platform.

Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN on Dec. 17 that sources for the Reuters report are “misinformed or misinterpreting their information,“ but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.”

Then on Dec. 21, The New York Times reported that the SolarWinds hackers had seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership. The Treasury Department breach came to light from Microsoft, which the Times said runs much of the department’s communications software.

Once the suspected Russian hackers used a malicious update to SolarWinds’ Orion network monitoring platform to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network, Sen. Ron Wyden (D-Ore.) told the Times.

That tricked the system into thinking the hackers were legitimate users, meaning the hackers were able to sign on without having to guess user names and passwords, according to the Times. Microsoft said that it fixed the flaw the Russians were exploiting, but that didn’t address whether the hackers had used their access to bore through other channels into either the Treasury Department or other systems, the Times reported.

As the year came to a close, Microsoft disclosed in a Dec. 31 blog post that the suspected Russian government hackers’ presence in its environment went beyond the software giant simply downloading malicious SolarWinds Orion code.

“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories,” the Microsoft Security Response Center wrote in a blog post.

The compromised Microsoft account didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, according to the company. Microsoft said it investigated and remediated the internal accounts with unusual activity.

Microsoft’s announcement that hackers were able to view its source code came a week after CrowdStrike said hackers believed to be with the Russian foreign intelligence service unsuccessfully attempted to hack the endpoint security firm via a Microsoft reseller’s Azure account. The reseller’s Azure account was used for managing CrowdStrike’s Microsoft Office licenses, and the hackers failed in their attempt to read the company’s email, CrowdStrike said.

Microsoft told CRN Dec. 24 that if a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant. The abuse of access would not be a compromise of Microsoft’s services themselves, according to the company.

Office 365 has been a key escalation vector for the hackers, who Reuters said on Dec. 13 had for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software. The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls, according to Reuters, citing a person familiar with the incident.

On Dec. 14, SolarWinds said it was aware of an attack vector used to compromise the company’s Microsoft Office 365 emails that may have also provided access to other data contained in the company’s office productivity tools. SolarWinds said it’s investigating with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.

Microsoft’s Security Research Center conceded that the hackers were able to forge a token that claims to represent a highly privileged account in Azure Active Directory (AD). The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multifactor authentication.

“Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long term access,” the Microsoft Security Research Center wrote.

The hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.

Ultimately, more than 40 Microsoft customers were precisely targeted and compromised through trojanized updates to SolarWinds’ Orion network monitoring platform, according to Microsoft President Brad Smith.

The Redmond, Wash.-based software giant said that roughly 80 percent of its compromised customers are located in the U.S., with the remainder based in Canada, Mexico, Belgium, Spain, the U.K., Israel and the United Arab Emirates, Smith wrote in a blog. The malicious Orion updates reached organizations in many major national capitals outside Russia, according to Smith.

“The latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms,” Smith wrote in the blog post. “It illuminates the ways the cybersecurity landscape continues to evolve and become even more dangerous.”

Contrary to public perception, Smith said a decisive plurality—44 percent—of the Microsoft customers compromised through SolarWinds are actually in the IT sector, and include software and security firms as well as IT services and equipment providers. The telemetry comes from Microsoft’s Defender Anti-Virus software, which spots Defender clients who also installed versions of Orion containing malware.

1. SolarWinds: Linchpin In One Of The Most Infamous Breaches In Computing History

SolarWinds—one of the top MSP platform providers and a renowned maker of enterprise IT monitoring tools—has emerged as the linchpin in what will ultimately be remembered as one of the most infamous cybersecurity breaches in the history of computing.

The highly sophisticated nation state attack by Russia used SolarWinds’ Orion network monitoring product to gain access to systems used by some of the top government agencies and corporations.

Security vendor FireEye was the first to reveal the attack on Dec. 8, disclosing that the attacker was able to access some of FireEye’s internal systems.

So just how bad was the Orion hack heard round the world? The U.S. government Cybersecurity and Infrastructure Security Agency (CISA) said the breach posed a “grave risk” to the federal, state, local and territorial government as well as private sector organizations.

In fact, the hackers gained access to top government agencies including Homeland Security and leading technology companies including Cisco Systems, VMware, Intel and Nvidia.

As the scope of the breach became apparent, an emergency directive issued by the U.S. government called on all federal civilian agencies to disconnect or power down SolarWinds Orion IT management tools because they were being used to facilitate an active exploit.

SolarWinds itself said customers should upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to ensure their environment is safe.

The company maintained its managed services tools appear to be uncompromised, as the company said it isn’t aware of any impact to its RMM, N-Central and SolarWinds MSP products. That did not stop the fear and doubt gripping MSPs concerned about a ripple effect.

MSP highflier Datto stepped up and created a free scanner for MSPs that can search their networks for signs of the Red Team hacking tools stolen from FireEye after they were breached via SolarWinds.

FireEye CEO Kevin Mandia said Dec. 20 that only 50 of the 18,000 organizations that installed malicious SolarWinds Orion code into their network were “genuinely impacted” by the campaign. But a Jan. 2 report from The New York Times said it now appears that upward of 250 federal agencies and businesses were affected following deeper examinations from public cloud providers like Amazon and Microsoft.

Microsoft President Brad Smith, meanwhile, said that just over 40 of the company’s customers were precisely targeted and compromised through trojanized Orion updates.

From tech giants, internet service providers and IT solution providers to federal agencies and county governments, CRN took a look at 24 victims of the colossal SolarWinds hack that have been publicly identified so far.

The victims include five solution providers—Deloitte, Stratus Networks, Digital Sense, ITPS and Netdecisions—which were breached via SolarWinds and then specifically targeted by the hackers for additional internal compromise, according to a cybersecurity consultancy. Digital Sense told CRN it wasn’t impacted by the campaign since the company doesn’t use SolarWinds.

Sweden-based Truesec analyzed the malware—as well as historical network data—to determine which companies were explicitly selected by the SolarWinds hackers for further activities, meaning that additional internal compromise could have taken place. Nearly 18,000 firms were compromised via SolarWinds Orion, but many fewer were targeted in the attack’s second stage.

“The impact of this attack is likely to be of gigantic proportions,” Fabio Viggiani, technical lead for the Truesec security team, wrote in a blog post. “The full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”