Thanks, Pat. That is a great article.
Now that I'm retired, some of that information is less important to me than it might have been, say, five years ago. The Navy Enterprise Data Center/New Orleans had about 1500 servers that were not classified and maybe another several hundred that WERE classified. We were a hosting site for Navy projects and we were deploying Solar Winds / Orion at our site for about three years before I retired. I also know that at least two other Navy centers at that time were deploying Solar Winds packages, and it was scheduled for the Marine Corps site just outside of Kansas City. I know this must have hit the Navy like a ton of bricks.
The Orion team even tried to tie in data from OpenVMS servers that I ran, though there was no actual module that ran on my machines. But there were scripts they could run that would log in via certificate authentication to "ask questions" of my systems via one of the obscure protocols in the TCP family (NOT the UDP family). I know my old machines are no longer vulnerable because (among other things) they were shut down when the application switched to full-blown web services. But... the project overall would still be vulnerable because the web machines were just IIS or Apache systems with Orion running in the background.
I'm guessing that this attack came based on the old concept of "the sweeter the fruit, the greater its value." In essence, once Solar Winds got the military contract, they put targets on their backs. The value of THAT particular fruit was one that no military cyber team could pass up.
In a way, it was why OpenVMS servers were darned near invulnerable. First, nobody has EVER cracked an OpenVMS from the outside, and the Solar Winds products didn't actually run binary code images. But there weren't that many VMS boxes when compared to Windows or LINUX servers, so their low market share made them of limited value, even though at the time the OpenVMS machines we had essentially ran the management side of the U.S. Navy Reserve. And I can say that without fear of security violations because the machines were retired when they switched to web services.
I'm going to GUESS that when I retired, counting the sites I knew about, at least 5000 servers at various locations and of various classifications would have been affected if the hack had happened at that time. Now, several years later, I have NO CLUE as to how many were affected, but we are talking national scope and probably several branches, not just Navy/Marine Corps. If you said to me that 20,000 military machines were affected, I couldn't confirm it but I wouldn't doubt it.