SolarWinds was warned about potential cyber attack, cost-saving move to Europe may have exposed firm


A cybersecurity adviser says he warned SolarWinds of a potential ‘catastrophic’ attack if the company didn’t step up its internal security measures, and that the firm’s move to Eastern Europe may have exposed it to the massive Russian hack.

In late December it was revealed that the sprawling cyber-espionage attack led by state-backed Russian hackers affected more than 250 federal agencies and private companies beginning as early as October 2019, but went undetected for months. 

In the breach, hackers gained access to government and private networks by inserting malicious code into recent versions of SolarWinds’ premier software product, Orion.

Ian Thornton-Trump, a former cybersecurity adviser at SolarWinds, said he urged management in 2017 to take a more aggressive approach with its internal security, warning that a cybersecurity episode would be ‘catastrophic’, according to a New York Times report published Saturday.

He said he gave a PowerPoint presentation to three SolarWinds executives urging them to appoint a senior director of cybersecurity because he thought a major breach was inevitable, Bloomberg reported.

When his recommendations were ignored, he left the company a month later. 

Staffers say the CEO of SolarWinds, which is based in Austin, Texas, cut security measures to save costs and the company moved several engineering offices to Eastern Europe.

But that move may have made the company vulnerable to the breach as some of the compromised SolarWinds software was engineered there and Russian intelligence operatives are deeply rooted in that region.


SolarWinds headquarters in Austin, Texas above

Past and current employees say SolarWinds had lackluster security measures in place. Chief Executive Kevin B. Thompson (above) cut common security practices to save costs and his approach almost tripled SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010

DailyMail.com has reached out to Thornton-Trump for comment.

Though US officials say Russia was behind the hacking campaign, the Kremlin denies it.

Former and current SolarWinds staffers say the company was slow to prioritize security, even when its software was adopted by top cybersecurity companies and federal agencies. 

SolarWinds only stepped up security in 2017 under the threat of penalties from a new European privacy law. Then it hired its first chief information officer and brought in a vice president of security architecture.

Part of the reason security was so relaxed was chief executive Kevin B. Thompson’s cost cuts.

Past and current employees say that Thompson, a former accountant and chief financial officer, cut common security practices to save costs, and his approach almost tripled SolarWinds’ annual profit margins to more than $453 million in 2019 from $152 million in 2010.

But some of those measures may have jeopardized the company and put its customers at a greater risk for attack.

SolarWinds also moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had access to the Orion network management software that was hacked.

A view of a SolarWinds office in the Czech Republic above

A view of a Solarwinds office in Krakow, Poland above


Some of the Orion software was also engineered there. 

American investigators are focusing on whether the hack started at the Eastern Europe offices, where Russian intelligence operatives are deeply rooted.  

GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR

Pentagon

Treasury

FBI 

Department of State 

Department of Homeland Security 

Commerce Department

National Institutes of Health

Department of Energy

National Nuclear Security Administration 

Los Alamos National Laboratory 

Federal Energy Regulatory Commission

Office of Secure Transportation 

Initially officials said the hack began as early as March this year, but SolarWinds has since revealed it traced the hackers back to October 2019. The spies were believed to have tested their ability to insert the malicious code into its system on October 10, 2019.

When Thompson was asked about whether the company should have detected the breach, he avoided the question. He’s stepping down after 11 years at the helm. 

The hack, believed to be an operation by Russia’s SVR intelligence service, impacted the Treasury, State, Commerce, Energy Departments and parts of the Pentagon – as well as SolarWinds’ clients like Cisco Systems and Deloitte.  

Three weeks after the hack was flagged, American officials are still scrambling to determine how it was pulled off without setting off any alarms.

At least 24 organizations across the US installed the software that had been exploited by hackers, a Wall Street Journal analysis of internet records has found. 

Those infected include: tech companies Cisco Systems Inc., Intel Corp and Nvidia Corp; accounting firm Deloitte; software company VMware Inc; electronics maker Belkin International Inc; the California Department of State Hospitals; and Kent State University.

Security experts pointed out that it took days for SolarWinds to stop offering clients the compromised code on its websites.

A SolarWinds spokesperson shared with DailyMail.com that the company was ‘the victim of a highly-sophisticated, complex and targeted cyberattack.’

‘We are collaborating closely with federal law enforcement and intelligence agencies to investigate the full scope of this unprecedented attack, including whether it was backed by the resources of a foreign government. We are also working with industry-leading third-party cybersecurity experts to assist in investigating, mitigating and remediating this attack.’  

SolarWinds was one of several supply chain vendors Russia targeted in the attack, and the cybersecurity arm of the Department of Homeland Security believes the hackers worked through other channels as well.

A view of CEO Kevin Thompson ringing in the opening bell during the company’s initial public offering on the floor of the New York Stock Exchange on October 19, 2018

At least 24 organizations across the US installed the software that had been exploited by hackers, including accounting firm Deloitte


Kent State University in Ohio also downloaded the infected software, according to a Wall Street Journal analysis of online records

Tech company Cisco Systems Inc. and the California Department of State Hospitals were also hacked

SolarWinds has not publicly addressed the possibility of an insider being involved in the cyber breach.

The hackers behind the SolarWinds breach also broke into Microsoft’s network and accessed some of its source code, the company said Thursday. 

Source code – the underlying set of instructions that run a piece of software or operating system – is typically among a technology company’s most closely guarded secrets and Microsoft has historically been particularly careful about protecting it. 

It is not clear how much or what parts of Microsoft’s source code repositories the hackers were able to access, but the disclosure suggests that the hackers who used software company SolarWinds as a springboard to break into sensitive US government networks also had an interest in discovering the inner workings of Microsoft products as well.   

The US and private sector investigators have spent the holidays combing through logs to try to understand whether their data has been stolen or modified.

Modifying source code – which Microsoft said the hackers did not do – could have potentially disastrous consequences given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. 

But experts said that even just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.

‘The source code is the architectural blueprint of how the software is built,’ said Andrew Fife of Israel-based Cycode, a source code protection company.

‘If you have the blueprint, it’s far easier to engineer attacks,’ he added.  

SolarWinds timeline: company share sales and when the attack was discovered

March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’

SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have

November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares

December 7: Leading investors Silver Lake and Thoma Bravo sell $280m of SolarWinds shares

December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given 

December 8: FireEye announces hackers broke into its servers

December 9: Sudhakar Ramakrishna is announced as the new CEO, to take over from Thompson in 2021

December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company  

December 13: The infiltration of Orion becomes public

The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’

The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted

While the motive is not known, some believe it’s Russia’s bid to shake Washington DC three weeks before Biden’s inauguration date, and to gain leverage against the US before nuclear arms talks.

‘We still don’t know what Russia’s strategic objectives were. But we should be concerned that part of this may go beyond reconnaissance. Their goal may be to put themselves in a position to have leverage over the new administration, like holding a gun to our head to deter us from acting to counter Putin,’ Suzanne Spaulding, who was the senior cyberofficial at the Homeland Security Department under Obama, said to the Times.

The breach was not detected by any government cyberdefense agencies – the military’s Cyber Command, the National Security Agency, or the Department of Homeland Security.

Instead it was found by private cybersecurity company FireEye.

‘This is looking much much worse than I first feared. The size of it keeps expanding. It’s clear the United States government missed it,’ Sen. Mark Warner of Virginia, the ranking member of the Senate Intelligence Committee, said.

‘And if FireEye had not come forward, I’m not sure we would be fully aware of it to this day,’ he added.

The Times report revealed the breach is broader than believed.

Initially it was estimated that the Russians had accessed only a few dozen of the 18,000 government and private networks. But now it appears Russia gained access to as many as 250 networks.

The hack was managed from servers inside the US and ‘early warning’ sensors placed by Cyber Command and the National Security Agency inside foreign networks to detect potential attacks failed.

The government’s emphasis on defending the election may have diverted resources and attention away from the protection of ‘supply chain’ software. Now private companies like FireEye and Microsoft say they were breached in the large supply chain attack.

In the attack the Russian hackers took advantage of the National Security Agency’s limits of authority by staging the hacks from servers inside the US and in some cases using computers in the same town or city as their victims.

Congress has not given NSA or Homeland Security any authority to enter or defend private sector networks.

The Russian hackers inserted themselves into SolarWinds’ Orion update and used custom tools to avoid setting off the alarms of Homeland Security’s Einstein detection system, which is used to catch malware.

Intelligence officials say it could be months, even years, before they understand the breadth of the hacking.
