SolarWinds attack could have happened to anyone, CEO says
By Justin Katz
Feb 23, 2021
What happened to SolarWinds could happen to any software developer, the firm’s CEO said.
At a Feb. 22 virtual event hosted by the Center for Strategic and International Studies, Sudhakar Ramakrishna said "this is not a one-company issue."
"Because of the narrow window in which the malware was injected into the code, the ability for our build systems to identify that did not exist. That is one of the key areas of focus that we are working towards," Ramakrishna said. "This problem exists in every company, so what happened to us can happen to any software developer in the world."
The breach was discovered in early December by FireEye, which notified SolarWinds that its Orion IT management software had been compromised. Since then, industry and government investigators have found the hacking campaign used additional methods to breach nine federal agencies and approximately 100 private companies.
In an initial filing with the Securities and Exchange Commission, SolarWinds stated it believed around 18,000 customers may have been compromised by the breach. Ramakrishna, however, said the company believes the number of customers whose systems were damaged by the malware is much smaller.
He said the initial estimate -- 18,000 -- came from the number of customers who downloaded the patch infected with malware, an update that was not automatically pushed to users. Further, not all customers that downloaded the patch immediately installed it. If a customer did download and install the patch, the software would have to be configured in such a way as to provide SolarWinds Orion with access to the internet before it could contact an adversarial server and cause damage. He added that Orion is able to operate on a server without internet access.
Ramakrishna said he believes Orion was targeted because it traditionally holds high-level administrative privileges for the systems in which it operates. Understanding how Orion can continue to operate with lower privilege levels is one remediation the company is currently considering.
Asked about what changes he would want to see made by Congress, Ramakrishna hit on two common issues raised by cybersecurity experts. The first is that the federal government should have a single point of contact for organizations victimized by hackers to report attacks. The second is to create policies that reduce liability concerns for private organizations that disclose their compromises to the government.
This article was first posted to FCW, a sibling site to GCN.
Justin Katz covers cybersecurity for FCW. Previously he covered the Navy and Marine Corps for Inside Defense, focusing on weapons, vehicle acquisition and congressional oversight of the Pentagon. Prior to reporting for Inside Defense, Katz covered community news in the Baltimore and Washington D.C. areas.