WASHINGTON (Reuters) – On an earnings call two months ago, Kevin Thompson, CEO of SolarWinds, shared how far the company had gone during his 11 years at the helm.
There was no database or IT deployment model for which his Austin, Texas-based company did not offer any degree of monitoring or management, he told analysts in the Oct. 27 interview.
“We don’t think anyone else in the market is really close to the breadth of coverage we have,” he said. “We manage everyone’s network equipment.”
Now that dominance has become an issue – an example of how the workhorse software that helps organizations keep together can become toxic when undermined by sophisticated hackers.
On Monday, SolarWinds confirmed that Orion – its flagship network management software – had served as the unwitting conduit for an extensive international cyber-espionage operation. The hackers added malicious code to Orion software updates sent to nearly 18,000 customers.
And while the number of organizations affected is considered much more modest, the hackers have already suppressed their access to the resulting breaches at the US Treasury and the Department of Commerce.
Three people familiar with the investigation have told Reuters that Russia is a top suspect, although others familiar with the investigation have said it is too early to tell.
A SolarWinds representative, Ryan Toohey, said he would not make executives available for comment. He has not provided official answers to questions sent via email.
In a statement released Sunday, the company said, “We are committed to implementing and maintaining appropriate administrative, physical and technical safeguards, security processes, procedures and standards designed to protect our customers.”
Cybersecurity experts are still struggling to understand the extent of the damage.
The malicious updates – sent between March and June as America pushed to weather the first wave of coronavirus infections – were “perfect timing for a perfect storm,” said Kim Peretti, who is co-chair of the Atlanta-based law firm. Alston & Bird’s. Cyber Security Preparedness and Response Team.
It would be difficult to estimate the damage, she said.
“We may not know the true impact for many months, if not more, or even never,” she said.
The impact on SolarWinds was more direct. US officials ordered anyone running Orion to disconnect immediately. The company’s stock fell more than 23% from $ 23.50 on Friday – before Reuters released news of the breach – to $ 18.06 on Tuesday.
SolarWinds’ security has now been re-examined.
In an unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, said two researchers who had access to those forums separately.
One of those who claimed access through the Exploit forum in 2017 was known as “fxmsp” and is being sought by the FBI “for involvement in several high profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s customers, including US law enforcement agencies.
Security researcher Vinoth Kumar told Reuters that last year he warned the company that anyone could access SolarWinds’s update server by using the password “solarwinds123”.
“This could easily have been done by any attacker,” said Kumar.
Neither the password nor the stolen access is considered the most likely source of the current burglary, researchers said.
Others – including Kyle Hanslovan, the co-founder of Maryland-based cybersecurity company Huntress – noted that days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.
The company has long floated the idea of a spin-off from its managed service provider business and on December 9 announced that Thompson would be replaced by Sudhakar Ramakrishna, the former CEO of Pulse Secure. Three weeks ago, SolarWinds posted a vacancy for a new vice president for security; the position is still listed as open.
Thompson and Ramakrishna could not be reached for comment.
Reporting by Raphael Satter and Christopher Bing. Jack Stubbs delivered a report from London; Editing by Lisa Shumaker