Bloomberg Tax
Daily Tax Report International
LinkedIn

SolarWinds Staff Warned About Security Holes Before Russia Hack

Oct. 31, 2023, 3:03 PM UTC
Jamie Tarabay
Jamie Tarabay
Bloomberg News
Andrew Martin
Andrew Martin
Bloomberg Editorial

Well before Russia’s audacious cyberattack that exploited SolarWinds Corp.’s software was made public, several employees allegedly raised red flags about holes in the company’s security. Their warnings, documented in a lawsuit filed by US regulators, raise questions about whether the Texas-based company could have done more to prevent an attack that infiltrated the US government and major corporations.

In November 2020, a month before the attack was revealed, a senior security manager wrote in an instant message: “We’re so far from being a security minded company. Every time I hear our head geeks talking about security I want to throw up.” That same month, a network engineer bemoaned the amount of security problems. “Can’t really figure out how to unf**k this situation. Not good.”

On Monday, the US Securities and Exchange Commission sued SolarWinds, accusing the company of touting its cybersecurity practices publicly even as its own employees fretted about them. The regulator also took the unprecedented step of naming SolarWinds Chief Information Security Officer Tim Brown as a defendant, an action that may chill fellow professionals who complain privately they have far less sway over their employers than outsiders think.

Sign up for the Cyber Bulletin newsletter
for exclusive coverage inside the shadow world of hackers and cyber-espionage — and how businesses are playing defense.

The lawsuit details security flaws in SolarWinds’s access management, password protection (the default password on one product was “password”) and software development, including with its popular Orion platform, which was ultimately compromised by Russian state hackers. SolarWinds provides network monitoring software that thousands of companies and many government agencies use to manage their IT infrastructure, the agency said.

SolarWinds was disappointed by the SEC’s “unfounded charges” and “deeply concerned this action will put our national security at risk,” the company said in a statement. “The SEC’s determination to manufacture a claim against us and our CISO is another example of the agency’s overreach and should alarm all public companies and committed cybersecurity professionals across the country.”

Alec Koch, a lawyer for Brown, said his client “worked tirelessly and responsibly to continuously improve the company’s cybersecurity posture throughout his time at SolarWinds, and we look forward to defending his reputation and correcting the inaccuracies in the SEC’s complaint.”

Russia has previously denied involvement.

The Facts and Mystery About Russia’s SolarWinds Hack: QuickTake

The SEC’s lawsuit comes as the agency imposes tougher new cybersecurity standards on public companies, and as other sectors of the US government grapple with how to make companies adopt tougher IT defenses against relentless cyberattacks by criminal groups and an array of foreign adversaries.

Software companies are “beginning to understand that final goods providers are going to be held liable for the performance of their product,” said Mark Montgomery, a retired Navy admiral who heads the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a Washington think-tank.

Read More: SEC Sets 4-Day Deadline for Public Companies to Report Hacks

The SEC lawsuit contains “damning claims,” said Michael Coates, CISO at CoinList and a former security head at Twitter. “That’s a big lesson for CISOs not to sugar-coat what they’re seeing, but to be incredibly transparent in all engagements, both public and private.”

Although the hack was disclosed in December 2020, the hackers breached SolarWinds networks well before that. In January 2019, hackers slipped into SolarWinds systems through a virtual private network which allowed access from phones or laptops not managed by the company, according to the lawsuit.

Months earlier, a network engineer identified the flaw in the company’s VPN network, which allowed remote access from non-company devices, and repeatedly flagged it to superiors. The engineer warned an attacker “can basically do whatever without us detecting it until it’s too late,” according to the SEC.

Once in, they moved between “software development zones,” tampered with privileges, disabled anti-virus software and exfiltrated about 7 million emails from more than 70 employees, according to the agency. They eventually inserted malicious code into an update for SolarWinds’ popular Orion software. Customers who downloaded the update inadvertently installed a digital backdoor in their own networks, allowing further intrusions, the SEC alleged.

Ultimately, nine federal agencies and about 100 companies were further compromised in the hacking campaign.

Shortly after the attack was revealed, Bloomberg News reported that a former security adviser had warned SolarWinds management about lax security in 2017 and laid out a plan to improve it that was ultimately ignored.

Read More: SolarWinds Adviser Warned of Lax Security Years Before Hack

A similar pattern emerged over the next few years, the SEC lawsuit alleged.

In 2020, for instance, Brown, then vice president of security and architecture, had learned about increasing cyberattacks involving Orion and other SolarWinds products, according to the lawsuit. That included attacks against two Orion customers, a US government agency in May 2020 and a cybersecurity firm that October. Neither firm was named in the complaint, but Wired has previously identified the government agency as the Justice Department.

Brown — who was named CISO of the year by the Globee Cybersecurity Awards in 2023 — and his colleagues recognized similarities between the two attacks. But when employees of the cybersecurity company asked SolarWinds if they had noticed similar activity, a SolarWinds employee said they hadn’t, according to the lawsuit. The person then messaged a colleague: “Well I just lied.”

Read More: SolarWinds Believes Russian Group Took Data During Cyber-Attack

Another cybersecurity company discovered in December 2020 that it too had been hacked through SolarWinds’ Orion platform, according to the lawsuit. The cybersecurity firm wasn’t named, but that month, FireEye Inc. said it discovered the sprawling hacking campaign involving SolarWinds while investigating a breach of its own network.

Brown recognized that the malicious code in that attack was used in earlier ones, according to the lawsuit. But when SolarWinds revealed the attack to investors a few days later in a regulatory filing, it omitted any mention of the prior attacks.

“Those omissions made the statements made, in light of the circumstances, misleading,” the lawsuit alleges.

--With assistance from Kartikay Mehrotra and Austin Weinstein.

To contact the reporters on this story:
Jamie Tarabay in Washington at jtarabay2@bloomberg.net;
Andrew Martin in New York at amartin146@bloomberg.net

To contact the editors responsible for this story:
Lynn Doan at ldoan6@bloomberg.net

Molly Schuetz, Edwin Chan

© 2023 Bloomberg L.P. All rights reserved. Used with permission.

Learn more about Bloomberg Tax or Log In to keep reading:

See Breaking News in Context

From research to software to news, find what you need to stay ahead.

Already a subscriber?

Log in to keep reading or access research tools and resources.