SolarWinds CEO: Attack Began Much Earlier Than Previously Thought

Published: 23/11/2024   Category: security




Investigation shows threat actors began probing SolarWinds network in January 2019, according to Sudhakar Ramakrishna.



RSA CONFERENCE 2021 — The attack on SolarWinds that resulted in malware being distributed to thousands of the company's customers started a full eight months earlier than previously thought.
At a keynote session at the RSA Conference today, SolarWinds CEO Sudhakar Ramakrishna said the company's continuing investigation of the breach shows the nation-state group behind it began probing SolarWinds' network as early as January 2019. The breach remained undetected until December 2020, nearly two full years after the initial malicious activity.
Previously, it was widely believed that attackers first gained access to SolarWinds systems in October 2019.
According to Ramakrishna, breach investigators assessed hundreds of terabytes of data and thousands of virtual build systems before stumbling upon some old code configuration that pointed to exactly what the attackers did to gain initial access. Ramakrishna did not offer any details on what specifically that might have been.
But at a congressional hearing earlier this year, the former CEO of SolarWinds, Kevin Thompson, blamed an intern for publicly posting a password to a file transfer server on GitHub. SolarWinds has since clarified that the password--or its public posting--had absolutely nothing to do with the breach.
Ramakrishna expressed regret over those comments.
"What happened at the congressional hearing where we attributed it to an intern is not what we are about," he noted. "We have learned from that."
Security researchers and industry experts have widely described the SolarWinds breach as one of the most significant security incidents in recent years, both for its scope and sophistication. Details about the breach that have been released so far indicate the attack began when threat actors gained initial access to SolarWinds' build environment and planted malware called Sunspot into a single source-code file. They used the malware to insert a backdoor called Sunburst/Solarigate into builds of SolarWinds' Orion network management product, which were then digitally signed and sent out to 18,000 SolarWinds customers.
A small subset of those victims — from government and the private sector — were later subjected to further intrusions and cyber espionage activity aimed at extracting sensitive data. The victims of data theft included several technology companies, such as Microsoft and FireEye. The attack and the extraordinary operational stealth with which it was carried out have sparked widespread concern about the vulnerability of US companies and government agencies to sophisticated nation-state actors.
US authorities have attributed the attack to a threat group working on behalf of Russia's foreign intelligence service. FireEye, one of the security vendors that has been investigating the breach, is tracking the group as UNC2542.
In his keynote, Ramakrishna said the tradecraft the attackers used to breach SolarWinds' network and remain hidden on it for nearly two years was extremely sophisticated.
"They did everything possible to hide in plain sight," he said. "Given the amount of time they spent and given the deliberateness [of] their effort, they were able to cover the fingerprints and their tracks at every step of the way."
Given the resources the attackers had, it was very difficult for a company like SolarWinds to uncover the breach, the CEO said.
In a panel discussion in March, Ramakrishna described SolarWinds as looking into possibly running two or even three parallel software build systems to mitigate the risk of something similar happening again. The company has also vested CISO Tim Brown with the autonomy to stop releases from going into production simply for time-to-market reasons. In addition, SolarWinds has established a new cybersecurity committee at the board level to ensure a top-down approach to security at the company.
In comments today at the keynote, Ramakrishna defended Brown's record before and after the breach.
"I don't like to flog failures, so to speak," he said. "It is not even clear that this failure is one person's fault. When a nation-state attacks your network, it is impossible for one person to be able to thwart it or take full responsibility for it."
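The parallel-build idea mentioned above is a release gate: the same tagged source is compiled on two or three separately administered build systems, and an artifact is only signed if every builder reproduces the same bytes, so an implant planted in one build environment (the way Sunspot altered a single file inside SolarWinds' build) shows up as a digest the other builders do not produce. The following is an added illustration of that check, not SolarWinds' own tooling and not a description of how the company implemented it; the builder names and artifact bytes are constructed placeholders, and it assumes the builds are bit-for-bit reproducible.

```python
import hashlib
from collections import defaultdict


def digest(artifact: bytes) -> str:
    """SHA-256 of a build artifact (the bytes that would be code-signed)."""
    return hashlib.sha256(artifact).hexdigest()


def compare_builds(builds: dict[str, bytes]) -> dict:
    """Compare the artifacts produced by several independent build systems.

    Assumption: each builder compiled the same tagged source on separately
    administered infrastructure, so a tampered builder shows up as a digest
    that the other builders do not reproduce.
    """
    groups: dict[str, list[str]] = defaultdict(list)
    for builder, artifact in builds.items():
        groups[digest(artifact)].append(builder)

    consensus = len(groups) == 1
    if consensus:
        outliers: list[str] = []
    else:
        largest = max(groups.values(), key=len)
        if len(largest) * 2 > len(builds):
            # A strict majority agrees: name the builders that disagree with it.
            outliers = sorted(b for b in builds if b not in largest)
        else:
            # No majority: nothing can be trusted, every builder is suspect.
            outliers = sorted(builds)
    return {"consensus": consensus, "groups": dict(groups), "outliers": outliers}


def release_allowed(builds: dict[str, bytes]) -> bool:
    """Signing gate: only a unanimous set of builds may be signed and shipped."""
    return compare_builds(builds)["consensus"]


# Constructed sample artifacts (placeholders, not real Orion binaries).
CLEAN_ARTIFACT = b"ORION-RELEASE-PLACEHOLDER" * 4
# The same bytes plus a few injected ones, standing in for a build altered on one builder.
TAMPERED_ARTIFACT = CLEAN_ARTIFACT + b"\x00injected"

HEALTHY = {
    "builder-a": CLEAN_ARTIFACT,
    "builder-b": CLEAN_ARTIFACT,
    "builder-c": CLEAN_ARTIFACT,
}
COMPROMISED = {
    "builder-a": CLEAN_ARTIFACT,
    "builder-b": CLEAN_ARTIFACT,
    "builder-c": TAMPERED_ARTIFACT,  # one build environment diverges
}

if __name__ == "__main__":
    for name, builds in (("healthy", HEALTHY), ("compromised", COMPROMISED)):
        result = compare_builds(builds)
        print(f"{name}: consensus={result['consensus']} "
              f"outliers={result['outliers']} release_allowed={release_allowed(builds)}")
```

The gate refuses to sign on any disagreement rather than shipping the majority output; the outlier list only tells an investigator which build system to look at first. With two builders there is no majority, so a single divergence leaves both suspect, which is one reason three builders is the more useful configuration.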
