SolarWinds, one of the nation’s largest IT vendors, experienced a devastating breach nearly a month ago. It is believed that the cyberattack was carried out by foreign state perpetrators in an attempt to gather sensitive governmental data. The breach went on for multiple months before being detected. It involved SolarWinds’ Orion product: hackers weaponized routine software updates to distribute malware to SolarWinds clients. It is reported that the breach gave hackers access to over 18,000 SolarWinds customers. What is more problematic is that SolarWinds’ customers include several key government agencies. The breach was discovered within weeks of another foreign cyberattack on FireEye, a cybersecurity firm that also works with government clients. These attacks have long-tail consequences for both the government and many private cybersecurity companies.
Details of the breach:
After a thorough investigation of the breach, SolarWinds discovered that it began on September 4th, 2019. One week later, hackers began doing trial runs of malicious code on SolarWinds’ systems. The trial runs continued for several months, and the breach officially started on February 20th, 2020. The hackers removed the malware from SolarWinds’ build VMs on June 4th, 2020. SolarWinds did not find out about the breach until December 11th, 2020, when FireEye reported it. Two days prior, the CEO had announced that he was going to retire and a succession plan had been set. The day after the attack was reported publicly, the National Security Council held an emergency meeting to figure out the next steps. All governmental agencies that worked with SolarWinds were ordered to stop using its products. Security experts strongly suspected that Russia was behind the attack and that the attackers had been monitoring government emails for some time. Below is a graph illustrating the general timeline of the attack:
National security concerns:
The breach leveraged SolarWinds’ supply chain to find and target data from government agencies. The Wall Street Journal reported that the agencies victimized by the attack include the U.S. Departments of Commerce and Treasury, the Department of Homeland Security, the National Institutes of Health (NIH) and the State Department. These departments hold some of the most sensitive data on both U.S. citizens and government initiatives. On January 5th, 2021, several U.S. intelligence agencies formally accused Russia of the attacks on both SolarWinds and FireEye. President Trump proclaimed this was one of the worst cyber incidents in American history.
The focus now for both SolarWinds and the U.S. government is a more thorough and ongoing investigation of every detail of the breach. With more intelligence on the breach, contingency plans can be made and appropriate steps taken. As for SolarWinds, it is attempting to spin out its MSP business as a standalone, publicly traded company called N-able. With the transition of CEOs and the restructuring of several business divisions, SolarWinds will see huge corporate changes over the next year.