3rd Party Risk Management , Application Security , Breach Notification

Autodesk Says Company Was Targeted by SolarWinds Attackers

Russian-Linked Group Targeted Software Design Firm And Other Tech Companies
Autodesk Says Company Was Targeted by SolarWinds Attackers
Source: Autodesk

Autodesk, a California-based design software and 3D technology firm, is now acknowledging that it was one of several tech and security companies targeted by a Russian-linked group that carried out the supply chain attack against SolarWinds, according to a financial filing with the U.S. Securities and Exchange Commission.

See Also: Splunk Named a 10-Time Leader in Gartner® Magic Quadrant™ for SIEM

In a 10-Q filing with the SEC, Autodesk notes that its security team discovered a compromised server that appears to have been targeted by the alleged Russian group that carried out the supply chain attack against SolarWinds that was first uncovered in December 2020. In April, the Biden administration attributed the attacks to the Russian Foreign Intelligence Service, or SVR.

"We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents," according to the company's SEC filing. "While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations."

An Autodesk spokesperson tells Information Security Media Group that the company's security team discovered the compromised server on Dec. 13, 2020, and that the system was internal-facing and not connected to any of its customers' networks.

The day that Autodesk discovered the compromised server is the same day that security firm FireEye announced that it was tracking a supply chain attack that had compromised SolarWinds, which then allowed the attackers to target that company's customers using a backdoor called Sunburst.

The Autodesk spokesperson did not say what specifically alerted the company to check its servers. Once the firm did investigate, however, its security team began to mitigate the compromise to its network.

"Soon after identification, the server was isolated, logs were collected for forensic analysis and the software patch was applied," the spokesperson says. "Autodesk's security team has concluded their investigation and observed no malicious activity beyond the initial software installation."

And while the SolarWinds attackers may have managed to plant the Sunburst backdoor within an Autodesk server, it's not clear if the group meant to target this particular company, says Jake Williams, a former member of the U.S. National Security Agency's elite hacking team."

"The filing describes the Orion server as 'compromised,' which suggests some post-exploitation activity or follow-on operations occurred. However, the filing also describes the SolarWinds Orion backdoors as 'vulnerabilities.' There is no mention of incident response or remediation activities that would be expected if threat actors conducted follow-on activities," says Williams, who is now the CTO at BreachQuest.


Autodesk is one of several dozen technology and security firms that appear to have been targeted by the group that carried out the SolarWinds attack.

The ongoing investigation has found the supply chain attack that originally targeted SolarWinds led to follow-on attacks that affected about 100 companies and at least nine federal agencies (see: Federal Agencies Struggling With Supply Chain Security).

From what investigators have been able to uncover to date, it appears that the Russian-linked attackers managed to get inside SolarWinds' build environment and place a backdoor - later dubbed Sunburst - into the system, which was then wrapped into the company's legitimate Orion network management software without detection.

This Trojanized update was later distributed to as many as 18,000 of the company's customers. This then led to follow-on attacks on about 100 companies and nine government agencies that used SolarWinds' software. Some of the targeted tech firms included Belkin, Cisco, Intel, Nvidia and VMware. Security companies such as Mimecast were also victimized (see: Mimecast Confirms SolarWinds Hackers Breached Company).

The cyberespionage campaign appears to have gone undetected throughout most of 2020, until FireEye came forward on Dec. 8, saying its red-team tools had been stolen. After that announcement, the intrusion was traced to the backdoored Orion software.

At the RSA Conference in May, SolarWinds CEO Sudhakar Ramakrishna noted that further investigations by his company had revealed that the attackers may have started their reconnaissance activity in January 2019.

Ongoing Investigation

The investigation into the supply chain attack that targeted SolarWinds remains ongoing by several federal agencies and, over the past nine months, other details about what happened and the organizations that were compromised have trickled out.

In July, for example, the U.S. Justice Department released an update that found the supply chain attack compromised at least one email account at 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020 (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).

This part of the attack targeted the Microsoft Office 365 accounts belonging to Justice Department employees. The attackers were able to access all email communications as well as message attachments, according to the July update.

The Justice Department first acknowledged that it had been targeted by the SolarWinds attackers on Dec. 24, 2020. Besides the DOJ, the U.S. Treasury, Commerce, State, Energy and Homeland Security departments were all targeted by the SolarWinds attackers.

Following the first disclosures of the incident, lawmakers in Congress began drafting new legislation that would require both government agencies and businesses to provide mandatory disclosures within a certain time frame when these types of large-scale incidents occur. On Wednesday, a House subcommittee began debating one of these bills, which would require a victimized organization to disclose an incident to the U.S. Cybersecurity and Infrastructure Security Agency within 72 hours of discovery (see: House Debates Breach Notification Measure).

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the GovInfoSecurity.com media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.