FireEye may have discovered the SolarWinds supply chain compromise in December last year, but it appears that the compromise actually began as early as January 2019. During his appearance at the 2021 RSA Conference, the company CEO Sudhakar Ramakrishna stated that the internal investigation shows the threat actors performed their first acts of network reconnaissance in January 2019. Then, around September or October 2019, the actors gained a strong foothold in the company’s systems.
This statement makes the particular incident quite unusual in the sense that the actors were able to move silently on SolarWinds’ network for so long without raising any security flags. Even by the standards of sophisticated actors, this is still very impressive. As Ramakrishna further commented, the tradecraft that the attackers used was extremely well done and extremely sophisticated, and they did everything possible to hide in plain sight.
As the CEO detailed, conducting the investigation in the usual way by looking at checklists and common indicators of compromise yielded nothing. The actors were very deliberate and diligent in how they hid their tracks, and that’s why it took SolarWinds such a long time to map their activities and figure out exactly what they had done on their systems.
Another point Ramakrishna touched on was the public statement that came out shortly after the revelations, in which the company blamed an intern who had followed poor password security practices. This wasn’t received well: it pointed to a systemic cybersecurity failure at the organization, serving not only as a poor excuse but as yet another reason to worry about the security of SolarWinds products. The CEO has fully acknowledged that this was a mistake and has denounced the statement as “not appropriate.”
In the meantime, as investigations into the downstream victims continue, it has been determined that 37 defense entities in the United States were compromised by the SolarWinds Orion supply chain hack, having received the formidable “Sunburst” backdoor.