Move to protect internal systems among steps taken by company to respond to massive cybersecurity attack
SolarWinds, which is at the center of the massive cyberattack on federal government agencies and cybersecurity vendor FireEye, is employing endpoint protection technology from another security firm to ensure its internal systems are secure, the company said in a Dec. 17 filing with the Securities and Exchange Commission (SEC).
The Lowdown: The use of CrowdStrike’s Falcon endpoint protection platform is one in a series of steps that SolarWinds is taking to address the unfolding cybersecurity attack that appears to have been launched through malicious code inserted most likely by Russian intelligence agents into updates of the company’s Orion network management software.
The Details: FireEye announced the detection of the malware – dubbed Sunburst – less than a week ago and the extent of the cyberattack in the United States and elsewhere continues to widen. A growing number of U.S. government agencies – including the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Agency (CISA), the Treasury, State, Energy, and Commerce Departments, the Pentagon, the Postal Service, and the National Institutes of Health (NIH) – all use the Orion platform and were compromised.
FireEye also was attacked and a Reuters report citing unnamed people familiar with the situation said Microsoft, another Orion user, also found malicious code in its systems.
SolarWinds earlier in the week said the attack could have impacted as many as 18,000 customers. The vulnerability has been found in updates to Orion delivered between March and June, though SolarWinds officials said the company continues to look at products outside of Orion to see if the malware has compromised other software. So far, no other products have been impacted, they told the SEC.
Along with the use of CrowdStrike’s Falcon platform, other information the Austin, Texas-based company outlined in the SEC filing includes:
> The vulnerability wasn’t evident in the Orion source code but apparently was inserted during the software build process.
> Hotfix updates that close the vulnerability once applied were quickly sent to impacted customers. The updates also enable the Orion platform to meet U.S. federal and state requirements, and the company is helping users complete their updates quickly. However, CISA in a directive this week ordered federal agencies to hold off on using the patches to reinstall Orion until all compromised accounts have been removed from the software, and said they should treat hosts monitored by Orion as compromised.
> SolarWinds is working with third-party cybersecurity experts to help with the work and is collaborating with partners, vendors, law enforcement offices, and intelligence agencies around the world.
In a blog post this week, Microsoft President Brad Smith said telemetry from the company’s Defender antivirus software showed that only a small fraction (about 40) of the 18,000 known organizations that downloaded the compromised Orion updates were hit with a follow-on attack that included a second-stage payload. Smith also wrote that while the United States appears to be the top target of the attack, the malicious code was also found in countries including Belgium, Spain, Canada, Mexico, and the United Kingdom.
He also called for closer collaboration between governments and the tech industry to develop a strong global cybersecurity response, adding that “this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face.”
The Impact: The attack, believed to have been launched by the Russian intelligence service known as the SVR, is being called by a growing number of cybersecurity experts the largest in U.S. history, even as its full extent is still being uncovered. CISA on Dec. 17 said the attack poses a “grave risk” to federal, state, and local governments and to private companies, and that it is still ongoing.
Thousands of private companies could’ve been exposed. The FBI, DHS, and the Director of National Intelligence Office have created a unified team to coordinate the response to the attack.
SolarWinds, which is bringing on a new CEO next month and is evaluating whether to spin off its MSP business, saw its stock price plunge as much as 25% this week.
The Buzz: “We are solely focused on our customers and the industry we serve,” SolarWinds executives wrote in the SEC filing. “Our top priority has been to take all steps necessary to ensure that our and our customers’ environments are secure. We are taking extraordinary measures to accomplish this goal.”
“It’s critical that we step back and assess the significance of these attacks in their full context,” Microsoft’s Smith wrote. “This is not ‘espionage as usual,’ even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency. While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection irrespective of the governments they live under.”