SolarWinds cybersecurity expert warned management in 2017 about risk of ‘catastrophic’ breach – as it’s revealed cost-saving move to Eastern Europe could have exposed firm to major Russian hack
- In 2017, SolarWinds cybersecurity expert Ian Thornton-Trump warned the company to improve its internal security to prevent a ‘catastrophic’ episode
- When his recommendations were ignored, he left the firm a month later
- US officials say Russian hackers were behind the massive attack that affected more than 250 federal agencies and businesses
- The hack is believed to have started as early as October 2019
- Employees say SolarWinds CEO Kevin Thompson cut common security practices to save costs and his approach almost tripled SolarWinds’ annual profit margins
- Some engineering offices were moved to Eastern Europe, where the Orion software, which was compromised by the hackers, was partially developed
A cybersecurity adviser says he warned SolarWinds of a potential ‘catastrophic’ attack if the company didn’t strengthen its internal security measures, and the firm’s move to Eastern Europe may have exposed it to the massive Russian hack.
In late December it was revealed that the sprawling cyber-espionage attack led by state-backed Russian hackers affected more than 250 federal agencies and private companies beginning as early as October 2019, but went undetected for months.
In the breach, hackers gained access to government and private networks by inserting malicious code into recent versions of SolarWinds’ premier software product, Orion.
Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he urged management in 2017 to take a more aggressive approach with its internal security, warning that a cybersecurity episode would be ‘catastrophic’, according to a New York Times report published Saturday.
He said he gave a PowerPoint presentation to three SolarWinds executives urging them to install a cybersecurity senior director because he thought a major breach was inevitable, Bloomberg reported.
When his recommendations were ignored, he left the company a month later.
Staffers say the CEO of SolarWinds, which is based in Austin, Texas, cut security measures to save costs and the company moved several engineering offices to Eastern Europe.
But that move may have made the company vulnerable to the breach as some of the compromised SolarWinds software was engineered there and Russian intelligence operatives are deeply rooted in that region.
Pictured above: SolarWinds headquarters in Austin, Texas, and Chief Executive Kevin B. Thompson. Past and current employees say SolarWinds had lackluster security measures in place.
DailyMail.com has reached out to Thornton-Trump for comment.
Though US officials say Russia was behind the hacking campaign, the Kremlin denies it.
Former and current SolarWinds staffers say the company was slow to prioritize security, even when its software was adopted by top cybersecurity companies and federal agencies.
SolarWinds only stepped up its security in 2017, under the threat of penalties from a new European privacy law. It then hired its first chief information officer and brought in a vice president of security architecture.
Security was relaxed in part because of chief executive Kevin B. Thompson’s cost cuts.
Past and current employees say that Thompson, a former accountant and chief financial officer, cut common security practices to save costs, and his approach almost tripled SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.
But some of those measures may have jeopardized the company and put its customers at a greater risk for attack.
SolarWinds also moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had access to the Orion network management software that was hacked.
Some of the Orion software was also engineered there.
American investigators are focusing on whether the hack started at the Eastern Europe offices, where Russian intelligence operatives are deeply rooted.
GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR
- Department of State
- Department of Homeland Security
- National Institutes of Health
- Department of Energy
- National Nuclear Security Administration
- Los Alamos National Laboratory
- Federal Energy Regulatory Commission
- Office of Secure Transportation
Initially officials said the hack began as early as March this year, but SolarWinds has since revealed it traced the hackers back to October 2019. The spies are believed to have tested their ability to insert the malicious code into SolarWinds’ software on October 10, 2019.
When Thompson was asked about whether the company should have detected the breach, he avoided the question. He’s stepping down after 11 years at the helm.
The hack, believed to be an operation by Russia’s SVR intelligence service, impacted the Treasury, State, Commerce, Energy Departments and parts of the Pentagon – as well as SolarWinds’ clients like Cisco Systems and Deloitte.
Three weeks after the hack was flagged, American officials are still scrambling to determine how it was pulled off without setting off any alarms.
At least 24 organizations across the US installed the software that had been exploited by hackers, a Wall Street Journal analysis of internet records has found.
Those infected include tech companies Cisco Systems Inc., Intel Corp and Nvidia Corp; accounting firm Deloitte; software company VMware Inc; electronics maker Belkin International Inc; the California Department of State Hospitals; and Kent State University.
Security experts pointed out that it took days for SolarWinds to stop offering clients the compromised code on its websites.
SolarWinds said that it was a ‘victim of a highly sophisticated, complex and targeted cyberattack’ and that it was working with law enforcement and intelligence agencies to investigate.
A view of CEO Kevin Thompson ringing the opening bell during the company’s initial public offering on the floor of the New York Stock Exchange on October 19, 2018
At least 24 organizations across the US installed the software that had been exploited by hackers, including accounting firm Deloitte
Kent State University in Ohio also downloaded the infected software, according to a Wall Street Journal analysis of online records
Tech company Cisco Systems Inc. and the California Department of State Hospitals were also hacked
SolarWinds has not publicly addressed the possibility of an insider being involved in the cyber breach.
The hackers behind the SolarWinds breach also broke into Microsoft’s network and accessed some of its source code, the company said Thursday.
Source code – the underlying set of instructions that run a piece of software or operating system – is typically among a technology company’s most closely guarded secrets and Microsoft has historically been particularly careful about protecting it.
It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive US government networks were also interested in discovering the inner workings of Microsoft products.
US government and private sector investigators have spent the holidays combing through logs to try to understand whether their data has been stolen or modified.
Modifying source code – which Microsoft said the hackers did not do – could have potentially disastrous consequences given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system.
But experts said that even just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.
‘The source code is the architectural blueprint of how the software is built,’ said Andrew Fife of Israel-based Cycode, a source code protection company.
‘If you have the blueprint, it’s far easier to engineer attacks,’ he added.
SolarWinds timeline: Company stock sales and when the attack was discovered
March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’
SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have
November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares
December 7: Leading investors Silver Lake and Thoma Bravo sell $280m of SolarWinds shares
December 7: CEO Kevin Thompson resigns. His transition had already been announced, but no date had been set
December 8: FireEye announces hackers broke into its servers
December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021
December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company
December 13: The infiltration of Orion becomes public
The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’
The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted
While the motive is not known, some believe it’s Russia’s bid to shake Washington DC three weeks before Biden’s inauguration date, and to gain leverage against the US before nuclear arms talks.
‘We still don’t know what Russia’s strategic objectives were. But we should be concerned that part of this may go beyond reconnaissance. Their goal may be to put themselves in a position to have leverage over the new administration, like holding a gun to our head to deter us from acting to counter Putin,’ Suzanne Spaulding, who was the senior cyberofficial at the Homeland Security Department under Obama, said to the Times.
The breach was not detected by any government cyberdefense agencies – the military’s Cyber Command, the National Security Agency, or the Department of Homeland Security.
Instead it was found by private cybersecurity company FireEye.
‘This is looking much much worse than I first feared. The size of it keeps expanding. It’s clear the United States government missed it,’ Sen. Mark Warner of Virginia, the ranking member of the Senate Intelligence Committee, said.
‘And if FireEye had not come forward. I’m not sure we would be fully aware of it to this day,’ he added.
The Times report revealed the breach is broader than believed.
Initially it was estimated that the Russians only accessed a few dozen of the 18,000 government and private networks. But now it appears Russia gained access to as many as 250 networks.
The hack was managed from servers inside the US and ‘early warning’ sensors placed by Cyber Command and the National Security Agency inside foreign networks to detect potential attacks failed.
The government’s emphasis on defending the election may have diverted resources and attention away from the protection of ‘supply chain’ software. Now private companies like FireEye and Microsoft say they were breached in the large supply chain attack.
In the attack the Russian hackers took advantage of the National Security Agency’s limits of authority by staging the hacks from servers inside the US and, in some cases, using computers in the same town or city as their victims.
Congress has not given NSA or Homeland Security any authority to enter or defend private sector networks.
The Russian hackers inserted themselves into the SolarWinds Orion update and used custom tools to avoid setting off the alarms of Homeland Security’s Einstein detection system, which is used to catch malware.
Intelligence officials say it could be months, even years, before they understand the breadth of the hacking.