Security news that informs and inspires

Attackers Focused on SolarWinds Network as Early as January 2019

The Russian attackers who compromised SolarWinds, and later many of its customers, were looking at the company’s network as early as January 2019, more than a year before the first update for the Orion platform containing the Sunburst backdoor was deployed to customers, SolarWinds’ CEO said Wednesday.

Previously, the company had said publicly that the attack began in the fall of 2019, probably in September. But during his keynote at the RSA Conference Wednesday, SolarWinds CEO Sudhakhar Ramakrishna said the first indicators of the attackers’ interest in the network date back to January 2019, meaning the adversary spent several months looking around the company’s network before it began taking any real actions.

“They were doing very early reconnaissance activities in January, which explains what they were able to do in September or October of 2019,” he said.

The SolarWinds attack came to light in December 2020, and by that point the adversary had been inside the network for more than a year, and possibly quite a bit longer. The timeline of the operation has expanded a few times since the initial disclosure as SolarWinds and outside investigators have discovered more and more details about the attack. The federal government has attributed the operation to Russia’s Foreign Intelligence Service and the effects of it have continued to ripple out for the last six months. The attackers compromised a build server inside SolarWinds’ corporate environment and were able to insert a small bit of malicious code into an update for the Orion platform, which nearly 18,000 customers eventually downloaded. Several government agencies were affected by the attacks, as were FireEye and Microsoft, among others.

Ramakrishna had agreed to take the CEO job before the attack was disclosed but didn’t officially join the company until January, and said that several of his friends advised him not to take the job once the intrusion became public.

“When a nation state attacks you it’s impossible for one person to thwart that attack or take responsibility for it."

“I did get a lot of feedback from well wishers of mine asking me to back out and I had nothing to prove. But I’m a stubborn optimist so I decided to proceed,” he said.

“The more I learned about it over the next three to four days I felt that continuity and urgency were critical in this environment.”

The way the attackers went about their business made the investigation into the intrusion difficult and complex.

“The tradecraft that the attackers used was extremely well done and extremely sophisticated, where they did everything possible to hide in plain sight. We were looking for all the usual clues and in this partic case given the amount of time they spent and deliberation they had in their efforts, they were able to cover their fingerprints and tracks at every step,” Ramakrishna said.

In the aftermath of the attack, there was quite a bit of finger-pointing and scrutiny of SolarWinds’ security practices. Ramakrishna said there was pressure to replace the company’s CISO, but he didn’t think it was the right move.

“When a nation state attacks you it’s impossible for one person to thwart that attack or take responsibility for it. Yes, accountability matters, but just like CEOs get a lot of credit when things go well, some CISOs get undue discredit, and I thought I should not be doing the norm or what’s typical, so I went my own way,” Ramakrishna said.