Hackers used SolarWinds' dominance against it in sprawling spy campaign

Stock Markets Dec 15, 2020 08:00PM ET
 
© Reuters. FILE PHOTO: SolarWinds Corp. banner hangs on the company's IPO at the NYSE in New York

By Raphael Satter, Christopher Bing and Joseph Menn

WASHINGTON (Reuters) - On an earnings call two months ago, SolarWinds Chief Executive Kevin Thompson touted how far the company had gone during his 11 years at the helm.

There was not a database or an IT deployment model out there to which his Austin, Texas-based company did not provide some level of monitoring or management, he told analysts on the Oct. 27 call.

"We don't think anyone else in the market is really even close in terms of the breadth of coverage we have," he said. "We manage everyone's network gear."

Now that dominance has become a liability - an example of how the workhorse software that helps glue organizations together can turn toxic when it is subverted by sophisticated hackers.

On Monday, SolarWinds confirmed that Orion - its flagship network management software - had served as the unwitting conduit for a sprawling international cyberespionage operation. The hackers inserted malicious code into Orion software updates pushed out to nearly 18,000 customers.

And while the number of affected organizations is thought to be much more modest, the hackers have already parlayed their access into consequential breaches at the U.S. Treasury and Department of Commerce.

Three people familiar with the investigation have told Reuters that Russia is a top suspect, although others familiar with the inquiry have said it is still too early to tell.

A SolarWinds representative, Ryan Toohey, said he would not be making executives available for comment. He did not provide on-the-record answers to questions sent via email.

In a statement issued Sunday, the company said "we strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers."

Cybersecurity experts are still struggling to understand the scope of the damage.

The malicious updates - sent between March and June, when America was hunkering down to weather the first wave of coronavirus infections - were "perfect timing for a perfect storm," said Kim Peretti, who co-chairs Atlanta-based law firm Alston & Bird's cybersecurity preparedness and response team.

Assessing the damage would be difficult, she said.

"We may not know the true impact for many months, if not more – if not ever," she said.

The impact on SolarWinds was more immediate. U.S. officials ordered anyone running Orion to immediately disconnect it. The company's stock has tumbled more than 23% from $23.50 on Friday - before Reuters broke the news of the breach - to $18.06 on Tuesday.

SolarWinds' security, meanwhile, has come under new scrutiny.

In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds' computers through underground forums, according to two researchers who separately had access to those forums.

One of those who offered claimed access over the Exploit forum in 2017 was known as "fxmsp" and is wanted by the FBI "for involvement in several high-profile incidents," said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company's clients, which include U.S. law enforcement agencies.

Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds' update server by using the password "solarwinds123".

"This could have been done by any attacker, easily," Kumar said.

Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.

Others - including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress - noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.

The firm has long mooted the idea of a spin-off of its managed service provider business and on Dec. 9 announced that Thompson would be replaced by Sudhakar Ramakrishna, the former chief executive of Pulse Secure. Three weeks ago, SolarWinds posted a job ad seeking a new vice president for security; the position is still listed as open.

Thompson and Ramakrishna could not be reached for comment.
