Internet Explorer 11 is not supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

SolarWinds Says It’s Closer to Finding Source of Cyberattack

The Austin-based software company at the center of the data breach that impacted hundreds of companies, including several government agencies, continues to find pieces of malware that may have led to the hack.

(TNS) — Austin, Texas-based SolarWinds, the software company at the center of what is considered one of the most sophisticated cyberattacks in U.S. history, said it believes it is closer to understanding how the attack was carried out.

The company said last Tuesday that it has reverse-engineered the code used in the attack to better understand how it was deployed. SolarWinds also said the attack might have contained an additional layer of malware layer that breached the system in 2019.

SolarWinds has been working to investigate the source of a cyberattack. Reuters broke news of the breach Dec. 13, a day after the company said it first learned of the situation. SolarWinds has since released a number of software updates to address the problem and has said it's working with outside cybersecurity experts and federal law enforcement to investigate the breach.

The investigation has shown the breach likely has affected nearly every level of government, as well as potentially hundreds of private companies. Reports of high-profile targets include the Justice Department, the Department of Treasury, Homeland Security and the Department of Energy, along with private companies including Microsoft.

"We believe we have found a highly sophisticated and novel malicious code injection source the perpetrators used to insert the Sunburst malicious code into builds of our Orion Platform software," SolarWinds said in a securities filing.

Federal officials have said the attack was likely Russian in origin. SolarWinds said Tuesday it could not independently confirm that Russia was behind the breach. The Washington Post, citing unnamed sources, reported that the attack was carried out by Russian government hackers who go by the nicknames APT29 or Cozy Bear and are part of that nation’s foreign intelligence service.

SolarWinds' Orion software, which was breached in the attack, is used by a range of companies and government agencies. As many as 18,000 of the company's 300,000 customers might have been running software, which contained a vulnerability that let hackers penetrate multiple networks.

In a filing with the U.S. Securities and Exchange Commission, the company said a "highly sophisticated and novel code" was designed to inject malicious code into the system without arousing the suspicion of the software development and build teams. The hackers used multiple servers based in the United States to mimic legitimate network traffic and avoid detection from SolarWinds, companies, and the government.

SolarWinds new CEO, Sudhakar Ramakrishna also became the company's leader this month. The company had announced former president and CEO Kevin Thompson would step down at the end of 2020 after more than a decade in the position, just days before the cyberattack discovery.

"Although I accepted the position to become CEO before the company was notified of the cyberattack, I feel an even greater commitment now to taking action, ensuring we learn from this experience, and continuing to deliver for our customers," Ramakrishna said in an online post last week.

Ramakrishna said SolarWinds will be reflecting on and enhancing its own security policies and practices. He said his goal is to work with the SolarWinds team to immediately improve critical business and product development systems and make Solarwinds a leader in security for the enterprise software industry.

"Over 20-plus years, SolarWinds has earned the trust of our customers by delivering powerful and affordable solutions," Ramakrishna said. "My mission is to continue to build on that relationship by delivering powerful, affordable, and secure solutions. I am confident in this future."

The company said it has so far traced suspicious activity related to the breach in its internal systems back to September 2019, a month earlier than previously thought. A subsequent October 2019 version of the Orion Platform first contained modifications, which Solarwinds said were designed by the hackers to test the ability to insert a code. The first malicious code, dubbed SUNBURST, was inserted into a February 2020 update to the Orion Platform, and customers had access to the software by March 26. Hackers later removed the code in June 2020. The company is still trying to understand how exactly the code entered its software.

"We recognize the software development and build process used by SolarWinds is common throughout the software industry, so we believe that sharing this information openly will help the industry guard against similar attacks in the future and create safer environments for customers," the company said.

On Tuesday, CrowdStrike, one of the companies working with SolarWinds to investigate the breach, said it has also identified a third malware strain, called Sunspot, tied to the attack. The companies have previously identified two other malware strains, the backdoor, dubbed Sunburst, and Teardrop, a tool that the hackers used to go deeper once in the system.

As the company continues to investigate, cybersecurity experts have said the full scale of the attack could take years to understand. They also predicted the breach could lead to long-term changes in cybersecurity policies and practices for both the government and private companies.

The company is also already facing at least one lawsuit following the attack, which accuses SolarWinds of violating federal securities law and alleges it made “materially false and misleading statements” related to security measures.

(c)2021 Austin American-Statesman, Texas. Distributed by Tribune Content Agency, LLC.

From Our Partners