[BreachExchange] SolarWinds CEO: Attack Began Much Earlier Than Previously Thought

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:27:18 EDT 2021


https://www.darkreading.com/attacks-breaches/solarwinds-ceo-attack-began-much-earlier-than-previously-thought/d/d-id/1341072

The attack on SolarWinds that resulted in malware being distributed to
thousands of the company's customers started a full eight months earlier
than previously thought.

At a keynote session at the RSA Conference today, SolarWinds CEO Sudhakar
Ramakrishna said the company's continuing investigation of the breach shows
the nation-state group behind it began probing SolarWinds' network as early
as January 2019. The breach remained undetected until December 2020, or
nearly two full years after the initial malicious activity.

Previously, it was widely believed that attackers first gained access to
SolarWinds' systems in October 2019.

According to Ramakrishna, breach investigators assessed hundreds of
terabytes of data and thousands of virtual build systems before stumbling
upon some old code configuration that pointed to exactly what the
attackers did to gain initial access. Ramakrishna did not offer any details
on what specifically that might have been.

But at a congressional hearing earlier this year, the former CEO of
SolarWinds, Kevin Thompson, blamed an intern for publicly posting a
password to a file transfer server on GitHub. SolarWinds has since
clarified that the password--or its public posting--had absolutely nothing
to do with the breach.

Ramakrishna expressed regret over those comments.

"What happened at the congressional hearing where we attributed it to an
intern is not what we are about," he noted. "We have learned from that."

Security researchers and industry experts have widely described the
SolarWinds breach as one of the most significant security incidents in
recent years, both for its scope and sophistication. Details about the
breach that have been released so far indicate the attack began when threat
actors gained initial access to SolarWinds' build environment and planted
malware called "Sunspot" into a single source-code file. They used the
malware to insert a backdoor called Sunburst/Solarigate into builds of
SolarWinds' Orion network management product, which were then digitally
signed and sent out to 18,000 SolarWinds customers.

A small subset of those victims — from government and the private sector —
were later subjected to further intrusions and cyber espionage activity
aimed at extracting sensitive data. The victims of data theft included
several technology companies, such as Microsoft and FireEye. The attack and
the extraordinary operational stealth with which it was carried out have
sparked widespread concern about the vulnerability of US companies and
government agencies to sophisticated nation-state actors.

US authorities have attributed the attack to a threat group working on
behalf of Russia's foreign intelligence service. FireEye, one of the
security vendors that has been investigating the breach, is tracking the
group as UNC2542.

In his keynote, Ramakrishna said the tradecraft the attackers used to
breach SolarWinds' network and remain hidden on it for nearly two years was
extremely sophisticated.

"They did everything possible to hide in plain sight," he said. "Given the
amount of time they spent and given the 'deliberate-ness' [of] their
effort, they were able to cover the fingerprints and their tracks at every
step of the way."

Given the resources the attackers had, it was very difficult for a company
like SolarWinds to uncover the breach, the CEO said.

In a panel discussion in March, Ramakrishna described SolarWinds as looking
into possibly running two or even three parallel software build systems to
mitigate the risk of something similar happening again. The company has
also vested CISO Tim Brown with the autonomy to stop releases from going
into production simply for time-to-market reasons. In addition, SolarWinds
has established a new cybersecurity committee at the board level to ensure
a top-down approach to security at the company.
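The parallel-build idea above works as a release gate: if the same source is compiled in several independent build environments and one of them has been tampered with, its artifact no longer matches the others, and the release is held instead of signed. The following is an added illustration of such a gate, not SolarWinds' own tooling; the builder names, the sample artifacts and the CISO hold flag are all constructed for the example.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class BuildResult:
    builder: str      # name of one independent build environment (hypothetical)
    artifact: bytes   # the binary that environment produced from the same source

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def cross_check_builds(results, min_builders=2):
    """Return (ok, digest, outliers) for artifacts from independent builders.

    ok is True only when at least min_builders results exist and every builder
    produced a bit-identical artifact. When they disagree, outliers names the
    builders whose output differs from the most common one (all of them on a
    tie), so the divergent environment can be pulled for investigation.
    """
    if len(results) < min_builders:
        return False, None, []
    digests = {r.builder: sha256_hex(r.artifact) for r in results}
    counts = Counter(digests.values())
    if len(counts) == 1:
        return True, next(iter(counts)), []
    (top, top_n), = counts.most_common(1)
    tie = sum(1 for n in counts.values() if n == top_n) > 1
    outliers = sorted(b for b, d in digests.items() if tie or d != top)
    return False, None, outliers

def release_decision(results, ciso_hold=False, min_builders=2):
    """Release gate: sign only when all builds agree and no CISO hold is set."""
    if ciso_hold:
        return "HELD: CISO hold on release"
    if len(results) < min_builders:
        return f"HELD: need at least {min_builders} independent builds"
    ok, digest, outliers = cross_check_builds(results, min_builders)
    if not ok:
        return f"HELD: build divergence in {outliers}"
    return f"SIGN: {digest}"

if __name__ == "__main__":
    # Constructed sample: three builders compile the same source; one build
    # host has been tampered with and emits extra bytes in its artifact.
    src = b"orion-release-source"
    honest = src + b"\x00compiled"
    results = [
        BuildResult("builder-a", honest),
        BuildResult("builder-b", honest),
        BuildResult("builder-c", honest + b"\x00extra"),
    ]
    print(release_decision(results))   # HELD: build divergence in ['builder-c']
```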

In comments today at the keynote, Ramakrishna defended Brown's record before
and after the breach.

"I don't like to flog failures, so to speak," he said. "It is not even
clear that this failure is one person's fault. When a nation-state attacks
your network, it is impossible for one person to be able to thwart it or
take full responsibility for it."