SolarWinds CEO: This could have happened to anyone


In the first of several public appearances this week, the chief executive officer of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: This could have happened to anyone.

"Because of the narrow window in which the malware was injected into the code, the ability for our build systems to identify that did not exist. That is one of the key areas of focus that we are working towards," said Sudhakar Ramakrishna, SolarWinds' CEO, during a virtual event Feb. 22 hosted by the Center for Strategic and International Studies. "This problem exists in every company, so what happened to us can happen to any software developer in the world," he continued.

Ramakrishna was publicly announced as the next chief of SolarWinds in December just days before the cybersecurity firm FireEye notified the company that the Orion IT management software had been compromised. Since then, private and governmental investigators have found the hacking campaign used additional methods to breach nine federal agencies and approximately 100 private companies.

The group of federal agencies responding to the breach has said the hackers are "likely Russian in origin," but neither the government nor FireEye, which is credited with discovering the intrusion, has formally attributed the attack yet.

Ramakrishna said today he feels SolarWinds has an "obligation" to discuss the attack publicly because "this is not a one company issue." He said in the immediate weeks following the hack's discovery in early December, he was not considered a SolarWinds employee yet, meaning the only information he received was from press reports and outsider speculation.

It was not until closer to starting his new job on Jan. 4 that he started receiving information directly from investigators.

SolarWinds, in an initial filing with the Securities and Exchange Commission, stated it believed around 18,000 customers may have been compromised by the breach in Orion, its IT management software. Ramakrishna today said the company believes the number of customers whose systems were damaged by the malware is much smaller.

He said that the estimate -- 18,000 -- came from the number of customers who downloaded the patch infected with malware, an update that was not automatically pushed to users. Further, not all customers that downloaded the patch immediately installed it. If a customer did download and install the patch, the software would have to be configured in such a way as to provide SolarWinds Orion with access to the internet before it could contact an adversarial server and cause damage. He added that Orion is able to operate on a server without internet access.

Ramakrishna said he believes Orion was targeted because it traditionally holds high-level administrative privileges in the systems it operates within. Understanding how Orion can continue to operate with lower privilege levels is one remediation the company is currently considering.

Asked what changes he would want to see made by Congress, Ramakrishna hit on two common issues raised by cybersecurity experts. The first is that the federal government should have a single point of contact for organizations victimized by hackers to report attacks.

The second is to create policies that reduce liability concerns for private organizations that disclose their compromises to the government.

Ramakrishna, Kevin Thompson, SolarWinds' former CEO, and executives for FireEye and Microsoft are all scheduled to testify to House and Senate lawmakers this week.

About the Author

Justin Katz is a former staff writer at FCW.

