New details into the notorious SolarWinds nation-state attack and its fallout were provided by Sudhakar Ramakrishna, CEO of SolarWinds, during a keynote session on Day 3 of the virtual RSA Conference 2021, which was hosted by Laura Koetzle, VP and group director at Forrester.
This included the revelation that the attackers may have accessed the system as early as January 2019, and an expression of remorse for comments made during his congressional appearance about the attack in February 2021.
Starting the session, Ramakrishna explained that he was first informed of the attacks while sitting down to his birthday dinner on December 12, 2020, after receiving a phone call from the company’s legal officer. Ramakrishna was at the time still waiting to take up the position of CEO at SolarWinds on January 4, 2021.
Koetzle asked Ramakrishna whether he ever considered backing out of taking the role as more details about the scale of the incident emerged in the following days. While a number of friends had advised him to do so, Ramakrishna said that “he decided to persevere with this opportunity” after speaking to the SolarWinds chairman, Bill Bock. He was given continuity and support from the previous CEO, Kevin Thompson, as he began the role in January, which helped him enact a fast response to the event.
With SolarWinds believing as many as 18,000 of its customers had been affected by the breach, as that was the number that had downloaded the malicious update, Ramakrishna explained that in the immediate aftermath, the SolarWinds security team looked to contact everyone possible to try to address their concerns and questions.
He was also asked about how SolarWinds is supporting its customers now. Ramakrishna explained it was a step-by-step approach. “What started out as a reactive measure turned into learning about and addressing issues, and at the foundation of what we’re trying to do is transparency,” he said, adding that the company had worked with its global partners to develop the Orion Assistant Program. This offers extra support to those customers that do not have the resources to upgrade or rebuild, and “in many cases [involved] working side by side with them as they completed their upgrades.”
“The foundation of what we’re trying to do is transparency”
Ramakrishna noted that his previous experience in dealing with security incidents as CEO at Pulse Secure has helped him deal with the fallout of the SolarWinds attacks. In these prior incidents, the response “was rooted in being transparent, being communicative and updating everybody on progress, even at times when you do not have all the details in place.”
The discussion then moved on to the details that have subsequently been discovered about the attack. When asked exactly how the attackers were able to stay undetected for such a long period of time, Ramakrishna emphasized the sophisticated nature of the perpetrators. “The tradecraft that the attackers used was extremely sophisticated where they did everything possible to hide in plain sight,” he explained, adding that “they were able to cover their tracks at every step of the way. Given the resources of a nation-state, it was very difficult for one company . . . to uncover.”
Interestingly, Ramakrishna said that SolarWinds has since “stumbled across” some old configurations of code, which enabled it to figure out what the attackers did. After assessing “hundreds of terabytes of data and thousands of virtual build systems,” it was discovered “that the attackers may have been in the environment as early as January 2019,” which is much earlier than initially thought. “They were doing very early reconnaissance activities in January 2019, which explains what they were able to do in September/October 2019,” he added.
When reflecting on his, and SolarWinds’, response to the attacks, Ramakrishna expressed regret for comments he made during his testimony to Congress in February 2021, which concerned the exposure of a weak FTP password by an intern at the company back in 2017. He outlined: “I have long held a belief system and an attitude that you never flog failures – you want your employees, including interns, to make mistakes and learn from those mistakes . . . so what happened at the congressional hearing where we attributed it to an intern was not appropriate and is not what we are about.”
Finally, Ramakrishna revealed that another way the company’s response could have been improved was to have coordinated a better media response, stating it was not prepared for being thrust into the limelight in the way it was. “I wish we had more resources, more proactive outreach. We’ve learned from that and we continue to grow our communications team,” he outlined.