Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

End of Bibblio RCM includes -->
5/19/2021
05:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail

SolarWinds CEO: Attack Began Much Earlier Than Previously Thought

Investigation shows threat actors began probing SolarWinds' network in January 2019, according to Sudhakar Ramakrishna.

RSA CONFERENCE 2021 — The attack on SolarWinds that resulted in malware being distributed to thousands of the company's customers started a full eight months earlier than previously thought.

At a keynote session at the RSA Conference today, SolarWinds CEO Sudhakar Ramakrishna said the company's continuing investigation of the breach shows the nation-state group behind it began probing SolarWinds' network as early as January 2019. The breach remained undetected until December 2020, or nearly two full years after the initial malicious activity.

Previously, it was widely believed that attackers first gained access to SolarWinds' systems in October 2019.

According to Ramakrishna, breach investigators assessed hundreds of terabytes of data and thousands of virtual build systems before stumbling about some old code configuration that pointed to exactly what the attackers did to gain initial access. Ramakrishna did not offer any details on what specifically that might have been.

But at a congressional hearing earlier this year, the former CEO of SolarWinds, Kevin Thompson, blamed an intern for publicly posting a password to a file transfer server on GitHub. SolarWinds has since clarified that the password--or its public posting--had absolutely nothing to do with the breach.

Ramakrishna expressed regret over those comments.

"What happened at the congressional hearing where we attributed it to an intern is not what we are about," he noted. "We have learned from that."

Security researchers and industry experts have widely described the SolarWinds breach as one of the most significant security incidents in recent years, both for its scope and sophistication. Details about the breach that have been released so far indicate the attack began when threat actors gained initial access to SolarWinds' build environment and planted malware called "Sunspot" into a single source-code file. They used the malware to insert a backdoor called Sunburst/Solarigate into builds of SolarWind's Orion network management product, which were then digitally signed and sent out to 18,000 SolarWinds customers.

A small subset of those victims — from government and the private sector — were later subjected to further intrusions and cyber espionage activity aimed at extracting sensitive data. The victims of data theft included several technology companies, such as Microsoft and FireEye. The attack and the extraordinary operational stealth with which it was carried out has sparked widespread concern about the vulnerability of US companies and government agencies to sophisticated nation-state actors.

US authorities have attributed the attack to a threat group working on behalf of Russia's foreign intelligence services group. FireEye, one of the security vendors that has been investigating the breach, is tracking the group as UNC2542.

In his keynote, Ramakrishna said the tradecraft the attackers used to breach SolarWinds' network and remain hidden on it for nearly two years was extremely sophisticated.

"They did everything possible to hide in plain sight," he said. "Given the amount of time they spent and given the 'deliberate-ness' [of] their effort, they were able to cover the fingerprints and their tracks at every step of the way."  

Given the resources the attackers had, it was very difficult for a company like SolarWinds to uncover the breach, the CEO said.

In a panel discussion in March, Ramakrishna described SolarWinds as looking into possibly running two or even three parallel software build systems to mitigate the risk of something similar happening again. The company has also vested CISO Tim Brown the autonomy to stop releases from going into production simply for time-to-market reason. In addition, SolarWinds has established a new cybersecurity committee at the board level to ensure a top-down approach to security at the company.

In comment today at the keynote, Ramakrishna defended Brown's record before and after the breach.

"I don't like to flog failures, so to speak," he said. "It is not even clear that this failure is one person's fault. When a nation-state attacks your network, it is impossible for one person to be able to thwart it or take full responsibility for it."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Oldest First  |  Newest First  |  Threaded View
tdsan
tdsan,
User Rank: Ninja
5/20/2021 | 11:32:44 AM
Interesting post.
I don't have a problem with the site being hacked, but the amount of time and the lack of transparency especially with this type of information is what I have an issue with. This hack was one of the most sophiciated hacks in history. As a result, the hacker has used Solarwinds network like a jumpbox, to exploit various agencies (private and public) using SW as an attack source. The question remains, what was the security team doing when Russian actors accessed this network for over a year (Sept. 2019) and some time thereafter.

The CISO and his staff need to be fired, this has caused a breach from a national security perspective. 

In addition, it sounds to me that they did not take "cybersecurity" seriously because after the hack, they are now just putting together a team, that should have been in the very beginning (but it is too late now, the damage has been done - reputation and confidence).



This is definitely a lack of oversight and judgement on a company that toutes security and network management, sad to see a giant being hit by a select group (where was the notification or alerting, failure at all ends of the spectrum).

T
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-42247
PUBLISHED: 2022-10-03
pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.
CVE-2022-41443
PUBLISHED: 2022-10-03
phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.
CVE-2022-33882
PUBLISHED: 2022-10-03
Under certain conditions, an attacker could create an unintended sphere of control through a vulnerability present in file delete operation in Autodesk desktop app (ADA). An attacker could leverage this vulnerability to escalate privileges and execute arbitrary code.
CVE-2022-42306
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 8.2 and related Veritas products. An attacker with local access can send a crafted packet to pbx_exchange during registration and cause a NULL pointer exception, effectively crashing the pbx_exchange process.
CVE-2022-42307
PUBLISHED: 2022-10-03
An issue was discovered in Veritas NetBackup through 10.0.0.1 and related Veritas products. The NetBackup Primary server is vulnerable to an XML External Entity (XXE) Injection attack through the DiscoveryService service.