The Guardian (USA)

SolarWinds: company at the core of the Orion hack falls under scrutiny

- Kari Paul and agencies

The revelation that elite cyber spies in recent months conducted the largest hack against US officials in years has put the spotlight on SolarWinds, the Texas-based company whose software was compromised while servicing some of the biggest agencies and companies in the United States.

SolarWinds provides computer network monitoring services to corporations and government agencies around the world, and has become a dominant player since it was founded in 1999.

“They’re not a household name the same way that Microsoft is. That’s because their software sits in the back office,” said Rob Oliver, a research analyst at Baird who has followed the company for years. “Workers could have spent their whole career without hearing about SolarWinds. But I guarantee your IT department will know about it.”

The firm was founded by two brothers in Tulsa, Oklahoma, ahead of the feared turn-of-the-millennium Y2K computer bug. On an October earnings call, the company’s chief executive, Kevin Thompson, touted how far it had come since.

There was not a database or an IT deployment model out there to which the company did not provide some level of monitoring or management, he told analysts. “We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,” he said. “We manage everyone’s network gear.”

That dominance, however, has become a liability. On Sunday, SolarWinds alerted thousands of its customers that an “outside nation state” had found a back door into its most popular product, a tool called Orion that helps organizations monitor outages on their computer networks and servers.

The company revealed that hackers had slipped malicious code into an update of Orion, giving them remote access to the networks of customers who installed it. The hack began as early as March, SolarWinds admitted, giving the hackers months of opportunity to reach into customers’ internal systems.

The breach was not discovered until the prominent cybersecurity company FireEye, which itself uses SolarWinds, determined it had experienced a breach through the software. FireEye has not publicly blamed that breach on the SolarWinds hack, but it reportedly confirmed that was the case to the tech site Krebs On Security on Tuesday.

FireEye described the malware’s dizzying capabilities, from initially lying dormant for up to two weeks, to hiding in plain sight by masquerading its reconnaissance forays as Orion activity.

The impact of the hack is not yet clear. US government officials have not yet stated which agencies were affected. But the treasury and commerce departments were confirmed to have been targeted.

In a joint statement issued Thursday evening, the FBI, the Cybersecurity and Infrastructure Security Agency, and the office of the director of National Intelligence described the hack as “significant and ongoing”.

“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the statement read.

SolarWinds estimated in a financial filing that about 18,000 customers had installed the compromised software, meaning many of them were vulnerable to spy operations at some time this year.

The company earlier this week took down a web page that boasted of dozens of its best-known customers, from the White House, Pentagon and the Secret Service to the McDonald’s restaurant chain and Smithsonian museums.

“We may not know the true impact for many months, if not more, if not ever,” said Kim Peretti, who cochairs Atlanta-based law firm Alston & Bird’s cybersecurity preparedness and response team.

FireEye, without naming any specific targets, has said it has confirmed infections in North America, Europe, Asia and the Middle East, including in the health care and oil and gas industry, and has been informing affected customers around the world.

The breach has caused a crisis for SolarWinds. The compromised product accounts for nearly half the company’s annual revenue, which totaled $753.9m over the first nine months of this year. Its stock has plummeted 23% since the beginning of the week.

Moody’s Investors Service said Wednesday it was looking to downgrade its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs”.

SolarWinds’ longtime CEO, Kevin Thompson, had months earlier indicated that he would be leaving at the end of the year as the company explored spinning off one of its divisions. The SolarWinds board appointed his replacement just a day before FireEye first publicly revealed the hack.

“This is an unimaginable, unfortunate situation,” said Oliver, the research analyst. “SolarWinds products have always been reliable. Its value proposition has been around reliability.”

SolarWinds executives declined interviews through a spokesperson, who cited an ongoing investigation that now involves the FBI and other agencies.

In a statement issued to Reuters on Sunday, the company said “we strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.”

Photograph: Brendan McDermid/Reuters. SolarWinds has become a dominant player in the IT industry since it was founded in 1999.
