Earlier this week, news of a massive hacking operation — likely Russia-sponsored — rippled through the tech community.
At the center of the storm is SolarWinds, a $5B+ IT company that manages the network infrastructure for **checks notes** everyone:
- 425 of the US Fortune 500
- All 10 of the top US telecom companies
- Key US government bodies: Pentagon, State, Treasury, Commerce, NSA, DOJ, etc.
18k SolarWinds customers installed a malicious upgrade…
… sometime between March and June.
According to ThreatPost, SolarWinds was the “perfect target” because its network management software (Orion) has full visibility into an organization’s network.
SolarWinds made some comically bad mistakes in securing its critical tools:
- Passwords: “solarwinds123” was one password for access to update servers
- Antivirus: to make the installation process easier, the company advised customers to disable antivirus scanning
It’s not clear what was taken
But with the target list and level of access, the data — which we can only assume is more than family photos — is incredibly valuable.
Security analyst Brian Krebs writes that this breach could be an “existential event” for SolarWinds depending on how customers react.
The aforementioned Orion product accounts for ~45% of SolarWinds’ revenue, and lawsuits are almost certain.
SolarWinds’ stock has shed 20%+ this week
Additional losses will depend on how much the company knew. Per Krebs, researchers had warned SolarWinds about its vulnerabilities for years (in fact, another tech firm — FireEye — broke the hacking news).
Further, in what can only be described as “interesting,” key SolarWinds investors unloaded $286m of stock prior to the hack disclosure.
Facebook’s former security chief Alex Stamos believes government-level change is needed to “create a mechanism to handle cyberattacks the same way [the US] reacts to failures in other complex industries.”
His suggestion: the creation of a cyber equivalent to the National Transportation Safety Board to find root causes and make recommendations on future prevention (e.g., literally any other password).