In a new blog post, SolarWinds’ CEO laid out what the company is doing to respond to the compromise of its Orion IT management platform and what it knows so far about the attack.
As many cybersecurity and IT experts have been saying, SolarWinds’ CEO Sudhakar Ramakrishna called the attack – which the company codenames Sunburst – one of the most intrusive and sophisticated in history.
“As we and industry experts have noted previously, the Sunburst attack appears to be one of the most complex and sophisticated cyberattacks in history,” Ramakrishna wrote in a blog post.
While other experts and U.S. government officials have suggested the hackers are affiliated with the Russian government, Ramakrishna said the company’s investigators have not independently verified the identity of the attackers.
The malicious code itself was designed to allow the cyber actors to enter a customer’s IT environment. Working with cybersecurity firms KPMG and CrowdStrike, SolarWinds located the malicious code injection source and reverse-engineered the code to allow researchers to learn more about the attack method.
According to the blog, the threat actor was in SolarWinds’ environment in September 2019, and a new release of the Orion platform in October contained modifications designed to test the attacker’s ability to insert code into the company’s builds.
Last February, an updated version of the malicious code injection source that inserted the Sunburst code into the Orion Platform was released.
The attackers went undetected and removed the malicious code from SolarWinds’ environment last June.
Despite investigating and patching vulnerabilities, the company didn’t identify anything that would suggest the Orion platform was compromised.
It wasn’t until Dec. 12 that the company was notified of the compromise and began collaboration with law enforcement and others in the tech and cybersecurity industry.
Ramakrishna says the company has identified two different customer support incidents that it believes might be attributable to the attack. Each time, the company didn’t detect the malicious code.
The possibility of this kind of large-scale cyberattack has kept IT and cybersecurity professionals up at night, and now that it’s happening, there are fears that SolarWinds may not be the only initial access vector.
In the blog, Ramakrishna said he hopes this event ushers in a new level of collaboration and information sharing within the technology industry to prevent these attacks.
“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” he wrote.
“The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge, and resources of all constituents.”