A cybersecurity adviser says he warned SolarWinds of a potential ‘catastrophic’ attack if the company didn’t amp up internal security measures and the firm’s move to Eastern Europe may have exposed it to the massive Russian hack.
In late December it was revealed that the sprawling cyber-espionage attack led by state-backed Russian hackers affected more than 250 federal agencies and private companies beginning as early as October 2019, but went undetected for months.
In the breach, hackers gained access to government and private networks by inserting malicious code into recent versions of SolarWinds’ premier software product, Orion.
Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he urged management in 2017 to take a more aggressive approach with its internal security, warning that a cybersecurity episode would be ‘catastrophic’, according to a New York Times report published Saturday.
He said he gave a PowerPoint presentation to three SolarWinds executives urging them to install a cybersecurity senior director because he thought a major breach was inevitable, Bloomberg reported.
When his recommendations were ignored, he left the company a month later.
Staffers say the CEO of SolarWinds, which is based in Austin, Texas, cut security measures to save costs and the company moved several engineering offices to Eastern Europe.
But that move may have made the company vulnerable to the breach as some of the compromised SolarWinds software was engineered there and Russian intelligence operatives are deeply rooted in that region.
DailyMail.com has reached out to Thornton-Trump for comment.
Though US officials say Russia was behind the hacking campaign, the Kremlin denies it.
Former and current SolarWinds staffers say the company was slow to prioritize security, even when its software was adopted by top cybersecurity companies and federal agencies.
SolarWinds only bolstered its security in 2017, under the threat of penalties from a new European privacy law. It then hired its first chief information officer and brought in a vice president of security architecture.
Security was relaxed in part because of chief executive Kevin B. Thompson’s cost cuts.
SolarWinds had a history of weak security for its products, which made it an easy target, current and former employees and government investigators told the Times.
Past and current employees say that Thompson, who was an accountant by training and a former chief financial officer, cut common security practices to save costs, and that his approach almost tripled SolarWinds’ annual profit to more than $453 million in 2019 from $152 million in 2010.
But some of those measures may have jeopardized the company and put its customers at a greater risk for attack.
SolarWinds also moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had access to the Orion network management software that was hacked.
Some of the Orion software was also engineered there.
GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR
Department of State
Department of Homeland Security
National Institutes of Health
Department of Energy
National Nuclear Security Administration
Los Alamos National Laboratory
Federal Energy Regulatory Commission
Office of Secure Transportation
American investigators are focusing on whether the hack started at the Eastern Europe offices, where Russian intelligence operatives are deeply rooted.
When Thompson was asked about whether the company should have detected the breach, he avoided the question. He’s stepping down after 11 years at the helm.
The hack, believed to be an operation by Russia’s SVR intelligence service, impacted the Treasury, State, Commerce, Energy Departments and parts of the Pentagon – as well as SolarWinds’ clients like Cisco Systems and Deloitte.
Three weeks after the hack was flagged, American officials are still scrambling to determine how it was pulled off without setting off any alarms.
At least 24 organizations across the US installed the software that had been exploited by hackers, a Wall Street Journal analysis of internet records has found.
Those infected include: tech companies Cisco Systems Inc., Intel Corp and Nvidia Corp; accounting firm Deloitte; software company VMware Inc; electronics maker Belkin International Inc; the California Department of State Hospitals; and Kent State University.
Security experts pointed out that it took days for SolarWinds to stop offering clients the compromised code on its websites.
SolarWinds said that it was a ‘victim of a highly sophisticated, complex and targeted cyberattack’ and that it was working with law enforcement and intelligence agencies to investigate.
A view of CEO Kevin Thompson ringing the opening bell during the company’s initial public offering on the floor of the New York Stock Exchange on October 19, 2018
SolarWinds has not publicly addressed the possibility of an insider being involved in the breach.
While the motive is not known, some believe it’s Russia’s bid to shake Washington DC three weeks before Biden’s inauguration date, and to gain leverage against the US before nuclear arms talks.
‘We still don’t know what Russia’s strategic objectives were. But we should be concerned that part of this may go beyond reconnaissance. Their goal may be to put themselves in a position to have leverage over the new administration, like holding a gun to our head to deter us from acting to counter Putin,’ Suzanne Spaulding, who was the senior cyber official at the Homeland Security Department under Obama, told the Times.
SolarWinds timeline: Company stock sales and when the attack was discovered
March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’
SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have
November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares
December 7: Leading investors Silver Lake and Thoma Bravo sell $280m of SolarWinds shares
December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given
December 8: FireEye announces hackers broke into its servers
December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021
December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company
December 13: The infiltration of Orion becomes public
The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’
The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted
The breach was not detected by any government cyberdefense agencies – the military’s Cyber Command, the National Security Agency, or the Department of Homeland Security.
Instead it was found by private cybersecurity company FireEye.
‘This is looking much much worse than I first feared. The size of it keeps expanding. It’s clear the United States government missed it,’ Sen. Mark Warner of Virginia, the ranking member of the Senate Intelligence Committee, said.
‘And if FireEye had not come forward. I’m not sure we would be fully aware of it to this day,’ he added.
The Times report revealed the breach is broader than believed.
Initially it was estimated that the Russians only accessed a few dozen of the 18,000 government and private networks that installed the tainted update. But now it appears Russia gained access to as many as 250 networks.
The hack was managed from servers inside the US and ‘early warning’ sensors placed by Cyber Command and the National Security Agency inside foreign networks to detect potential attacks failed.
The government’s emphasis on defending the election may have diverted resources and attention away from the protection of ‘supply chain’ software. Now private companies like FireEye and Microsoft say they were breached in the large supply chain attack.
In the attack the Russian hackers took advantage of the National Security Agency’s limits of authority by staging the hacks from servers inside the US, in some cases using computers in the same town or city as their victims.
Congress has not given NSA or Homeland Security any authority to enter or defend private sector networks.
The Russian hackers inserted themselves into SolarWinds’ Orion update and used custom tools to avoid setting off the alarms of the Department of Homeland Security’s Einstein detection system, which is used to catch malware.
Intelligence officials say it could be months, even years, before they understand the breadth of the hacking.