SolarWinds CEO: This could have happened to anyone

In the first of several public appearances this week, the chief executive officer of SolarWinds is publicly discussing the breach of his company's software two months after reports surfaced that multiple government agencies may have been breached through a backdoor vulnerability. His message to others: This could have happened to anyone.

"Because of the narrow window in which the malware was injected into the code, the ability for our build systems to identify that did not exist. That is one of the key areas of focus that we are working towards," said Sudhakar Ramakrishna, SolarWinds' CEO, during a virtual event Feb. 22 hosted by the Center for Strategic and International Studies. "This problem exists in every company, so what happened to us can happen to any software developer in the world," he continued.

Ramakrishna was publicly announced as the next chief of SolarWinds in December just days before the cybersecurity firm FireEye notified the company that the Orion IT management software had been compromised. Since then, private and governmental investigators have found the hacking campaign used additional methods to breach nine federal agencies and approximately 100 private companies.

The group of federal agencies responding to the breach has said the hackers are "likely Russian in origin," but neither the government nor FireEye, which is credited with discovering the intrusion, has formally attributed the attack yet.

Ramakrishna said today he feels SolarWinds has an "obligation" to discuss the attack publicly because "this is not a one company issue." He said in the immediate weeks following the hack's discovery in early December, he was not considered a SolarWinds employee yet, meaning the only information he received was from press reports and outsider speculation.

It was not until closer to starting his new job on Jan. 4 that he started receiving information directly from investigators.

In an initial filing with the Securities and Exchange Commission, SolarWinds stated it believed around 18,000 customers may have been compromised by the breach in Orion, its IT management software. Ramakrishna today said the company believes the number of customers whose systems were damaged by the malware is much smaller.

He said that the estimate of 18,000 came from the number of customers who downloaded the patch infected with malware, an update that was not automatically pushed to users. Further, not all customers that downloaded the patch immediately installed it. If a customer did download and install the patch, the software would have to be configured in such a way as to provide SolarWinds Orion with access to the internet before it could contact an adversarial server and cause damage. He added that Orion is able to operate on a server without internet access.

Ramakrishna said he believes Orion was targeted because it traditionally holds high-level administrative privileges in the systems it operates within. Understanding how Orion can continue to operate with lower privilege levels is one remediation the company is currently considering.

Asked about what changes he would want to see made by Congress, Ramakrishna hit on two common issues raised by cybersecurity experts. The first is that the federal government should have a single point of contact for organizations victimized by hackers to report attacks.

The second is to create policies that reduce liability concerns for private organizations that disclose their compromises to the government.

Ramakrishna, Kevin Thompson, SolarWinds' former CEO, and executives for FireEye and Microsoft are all scheduled to testify to House and Senate lawmakers this week.

About the Author

Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas. Connect with him on Twitter at @JustinSKatz.
