Bloomberg Businessweek - USA (2020-12-21)


Illustration by Wenkai Mao. Data: Kantar Group (left), company filings (right)


◼ TECHNOLOGY Bloomberg Businessweek December 21, 2020

● A major breach was carried out through a compromised update to a widely used product made by SolarWinds

When Hackers Attack Everyone's IT Provider


SolarWinds Corp., the company at the center of the most sprawling cyberattack in recent memory, boasts on its LinkedIn page that it is "Everybody's IT." The company claims about 300,000 customers, including government agencies in the U.S. and Europe, every branch of the U.S. military, and four-fifths of the Fortune 500.

The downside of that success became apparent on Dec. 13, when news broke that attackers suspected to be linked to the Russian government had hacked into the U.S. Department of Commerce. Reuters reported the departments of Homeland Security and Treasury were also breached.

FireEye Inc., a prominent cybersecurity firm, first discovered the SolarWinds connection when investigating an attack on its own systems that it had disclosed several days earlier. After picking through tens of thousands of lines of code, researchers at FireEye found malicious code planted in the SolarWinds software the firm was using and notified the company and law enforcement. SolarWinds has since said it believes the tainted updates reached as many as 18,000 of its customers, whose servers could have been compromised as a result.

The scope of the intrusion reveals the efficiency of supply chain attacks, operations in which hackers reach their victims' networks not by breaking in directly but by compromising a trusted product or its update channel, so that the victims install the attacker's code themselves. It also raises the question of whether thousands of critical organizations should all share a single IT provider, a practice that can render many of their other security measures moot if that one shared component is compromised.

Several thousand people are in charge of IT management at the world's largest corporations and government agencies, and they regularly swap notes about what products they're comfortable with, so that those companies that do gain a foothold can become ubiquitous, according to Alex Stamos, former Facebook chief security officer and director of the Stanford Internet Observatory, a research center. It's seen as low risk to pick the industry's default option. "There are a lot of network effects at the really high end," says Stamos. "Once one of these companies gets entrenched, it is very difficult to displace them."

SolarWinds is the No. 3 maker of IT operations software, behind Splunk Inc. and IBM, according to data provided by Gartner Inc. Brothers David and Donald Yonce founded the company in Tulsa in 1999. The company moved to Austin, went public in 2009, and was acquired by private equity firms Silver Lake and Thoma Bravo LLC in 2015. It went public again two years ago.

The product at the center of the recent hack is called Orion, a powerful monitoring tool that lets systems administrators see the status of their networks at a glance. To do that job, Orion also holds privileged access to sensitive parts of the network, which is what makes a backdoor inside it so valuable to an attacker.

Hackers compromised Orion's update system, slipping malicious code into what appeared to be legitimate Orion updates, according to blog posts by FireEye and Microsoft Corp. The malicious code was present in updates released from March to June, SolarWinds said. The hacking tool embedded in the update stored the data it collected within the Orion software to evade detection, according to FireEye, and disguised its communications as legitimate Orion traffic, allowing hackers to snoop on a company's network unnoticed. They could then use that foothold to pose as authorized users on the network and gain entry to even more sensitive data.

"SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state," the company said in a statement to the U.S. Securities and Exchange Commission. APT29, a hacking group linked to the Russian government, is suspected of being behind the breach. The Russian Embassy has denied involvement.

The full extent of the damage won't be clear immediately, if ever. The number of victims is likely to climb as companies and governments comb their systems for traces of the hackers. The attackers most likely prioritized the most valuable intelligence targets first, so they wouldn't have had time to penetrate every SolarWinds customer. They now have an incentive to scramble to exploit as many of the compromised installations as they can. "Once you're discovered, that's when you start to pull everything you can," says Ben Johnson, chief technology officer of Obsidian Security. "It's going to be a crazy week."

William Turton

THE BOTTOM LINE A compromised update to SolarWinds software may have been used to breach the servers of as many as 18,000 of the company's customers, rendering their other cybersecurity protections moot.

▼ SolarWinds revenue through the nine months ended Sept. 30, 2020 (chart): Orion products $343m; Other $411m