Company CEO sheds light on high-profile breach at RSA Conference 2021
The nation-state attackers behind the SolarWinds supply chain attack could have gained access to the company nine months before it has been previously reported.
This is according to the CEO of the company, who last night (May 19) shed light on what happened in the run up to the high-profile attack.
Headlines were dominated earlier this year by the news that a backdoor in software updates distributed by the IT management and monitoring platform had been used to gain access to SolarWinds’ clients.
The vulnerabilities in its Orion software enabled attackers to compromise the accounts of customers including Microsoft, many US government agencies, and cybersecurity firm FireEye.
Speaking during a fireside chat at the RSA Conference 2021, SolarWinds CEO Sudhakar Ramakrishna said that new evidence suggests the malicious actors first targeted the software as early as January 2019.
Early access
Official statements have until now stated that the attackers gained access to SolarWinds’ systems in September 2019 at the earliest, however Ramakrishna explained that there was evidence of “early recon activities” as far back as the start of that year.
“What we have found recently is that attackers may have been in our environment as early as January 2019,” Ramakrishna told Laura Koetzle, vice president and group director at Forrester Research, during the chat.
Ramakrishna, who took over the post in January 2021, said he was first made aware of the backdoor in December 2020, a month before he joined the company.
FireEye, the first to publicly report the attack, said that threat actors accessed Orion users’ networks via a trojan injected into software updates.
The unknown actors, who evaded detection from both SolarWinds and its clients for months, were able to steal files and data from victims, including source code taken from Microsoft.
Ramakrishna described the attacks as “extremely well done and extremely sophisticated, where they did everything possible to hide in plain sight”.
“We were looking for all the usual clues,” the CEO added. “When you go through an investigation, you have a checklist, you have a set of hypotheses, you try to map things.
“And in this particular case, given the amount of time they spent, and given the deliberateness they had in their efforts, they were able to cover their fingerprints, cover their tracks, at every step of the way.”
READ Who is behind APT29? What we know about this nation-state cybercrime group
Ramakrishna said that the incident was made more difficult “given the resources of a nation state” – in this case, the attack is blamed on APT29 – or ‘Cozy Bear’ – a group linked by threat intel experts to Russia’s foreign intelligence service (SVR).
SolarWinds was eventually able to pinpoint exactly what the attackers achieved by assessing hundreds of terabytes of data and thousands of build systems.
‘All hands on deck’
Ramakrishna explained that there was a security incident response team in place even before the exploitation of the backdoor, but that the incident “escalated the significance” of that team and required the company to take an “all hands on deck” approach.
This required even the CEO to speaking to customers and find out their concerns, which Ramakrishna said was mainly how it would affect them.
“What started off as a reactive measure, we [then] started learning about the incident, we started addressing issues, and one of the foundations of what we’ve been trying to do is transparency as we enhance the trust that we have with our customers.
“Specifically, we also worked with our worldwide partners and created a program called the Orion Assistant Program.”
The idea behind the free-of-extra-cost program, which is funded by SolarWinds, is to provide extra assistance to some customers who may not have the resources to upgrade easily, due to issues such as financial constraints or technical knowledge.
READ MORE Microsoft downplays threat after admitting SolarWinds attackers accessed source code
When asked, in hindsight, what he would have done differently, Ramakrishna answered with “having a stronger media response”.
“SolarWinds has historically kept to itself, focusing on customers, focusing on itself internally, and it was never trying to grab attention.
“In this particular case, the attention was thrust upon us. And if I thought about one area that we were not fully prepared… we were not prepared [for the media response].”
Looking back, Ramakrishna said he wished he had “more resources, more proactive outreach”, an issue he says the company has learned from by expanding its communication team, so that SolarWinds can be prepared for other instances and can help others.
“Although I do not wish something like this to happen to anyone in the industry,” he concluded.