WASHINGTON (Reuters) – In an earnings call two months ago, SolarWinds chief executive Kevin Thompson praised how far the company has come in his 11 years at the helm.
There was no database or IT deployment model for which his Austin, Texas-based company failed to provide some level of oversight or management, he told analysts during the October 27 call.
“We don’t think anyone in the market is really close in terms of the extent of the coverage we have,” he said. “We manage everyone’s network equipment.”
Now that dominance has become a liability – an example of how the workhorse software that helps hold organizations together can turn toxic when it is subverted by sophisticated hackers.
On Monday, SolarWinds confirmed that Orion – its flagship network management software – served as an unintentional conduit for a large international cyber espionage operation. Hackers inserted malicious code into Orion software updates that were distributed to nearly 18,000 customers.
And while the number of organizations actually compromised is thought to be much smaller, the hackers have already turned their access into consequential breaches at the U.S. Treasury and Department of Commerce.
Three people familiar with the investigation told Reuters that Russia was one of the main suspects, although others close to the investigation said it was still too early to tell.
A SolarWinds representative, Ryan Toohey, said he would not make the executives available for comment. He did not provide official responses to questions sent by email.
In a statement released on Sunday, the company said, “We strive to implement and maintain appropriate administrative, physical and technical safeguards, security processes, procedures and standards designed to protect our customers.”
Cybersecurity experts are still struggling to understand the extent of the damage.
The malicious updates – sent between March and June, as the United States struggled to resist the first wave of coronavirus infections – were “the perfect time for a perfect storm,” said Kim Peretti, who co-chairs the cybersecurity preparedness and response team at Atlanta-based law firm Alston & Bird.
Assessing the damage would be difficult, she said.
“We may not know the real impact for many months, if not more, if ever,” she said.
The impact on SolarWinds was more immediate. U.S. officials ordered anyone running Orion to immediately disconnect it. The company’s stock fell more than 23%, from $23.50 on Friday – before Reuters broke news of the breach – to $18.06 on Tuesday.
SolarWinds’ own security, meanwhile, is coming under scrutiny.
In a previously unreported development, several criminals offered to sell access to SolarWinds computers through underground forums, according to two researchers who separately gained access to those forums.
One of those offering access on the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for his involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel 471. Arena said he informed his company’s clients, which include U.S. law enforcement agencies.
Security researcher Vinoth Kumar told Reuters that last year he alerted the company that anyone could access the SolarWinds update server using the password “solarwinds123”.
“It could have been done by any attacker, easily,” Kumar said.
Neither the password nor the stolen access is considered the most likely source of the current intrusion, the researchers said.
Others – including Kyle Hanslovan, the co-founder of Maryland-based cybersecurity firm Huntress – noticed that, days after SolarWinds realized its software had been compromised, the malicious updates were still available for download.
The company has long discussed the idea of spinning off its managed service provider business and announced on December 9 that Thompson would be replaced by Sudhakar Ramakrishna, the former chief executive of Pulse Secure. Three weeks ago, SolarWinds posted a job listing for a new vice president of security; the position is still listed as open.
Thompson and Ramakrishna could not be reached for comment.