Until this week, the cybersecurity community thought that the nation-state actors behind the SolarWinds Orion compromise began their work in the fall of 2019 before malicious code was snuck into a spring update of the popular IT management software.
How the attackers conducted those operations with a great deal of sophistication without being detected was alarming enough, but new revelations by the company’s top executive suggests the attackers were in their environment much earlier.
Previously, it was thought that the threat actors began their work inside the company’s network in September 2019, but further investigation has revealed that SolarWinds was breached much earlier, President and CEO Sudhakar Ramakrishna said during a Wednesday RSA Conference keynote.
SolarWinds’ chief executive, who took the job just as the attack was disclosed, said the company spent a considerable amount of time combing through “hundreds of terabytes of data and thousands of build systems” to learn more about the attack, and discovered that the Russian hackers were in the company’s environment as far back as January 2019.
Ramakrishna said old configurations of code revealed “exactly what the attackers did.”
“But as we look back, they were doing early very early recon activities in January of 2019, which explains, I would say, what they were able to do in September-October of 2019,” Ramakrishna said.
This speaks to the highly sophisticated tools and techniques used by the threat actors and the lengths to which they went to cover their tracks and avoid detection.
In December, SolarWinds, FireEye and Microsoft disclosed the compromise, which included installing a backdoor into the Orion product that gave the attackers access to thousands of customer networks, including highly sensitive government agencies. It is believed that a much smaller number of customers were actually targeted, and most of them were government or defense-related.
Ramakrishna did not elaborate on exactly how the attackers were able to avoid detection for so long, but nation state actors like this group have incredible resources and support, and it is believed that a team of at least 1,000 engineers contributed to the compromise.
If you are at an organization recovering from a cyberattack, let this be a lesson to do your due diligence and uncover everything to truly understand how it happened and how it can be prevented in the future.
If you enjoyed this article and want to receive more valuable industry content like this, click here to sign up for our digital newsletters!