Dive Brief:
- The nation-state threat actors who targeted SolarWinds began doing reconnaissance as early as January 2019, eight months earlier than previously reported, said SolarWinds CEO Sudhakar Ramakrishna, during a keynote address at the virtual RSA Conference Wednesday.
- Ramakrishna walked back the company's earlier assertions and expressed regret for blaming an intern for setting the company's widely panned "solarwinds123" as a general password. "I have long held a belief system and an attitude that you never flog failures," he said. "You want your employees, including interns, to make mistakes and learn from those mistakes and together we become better."
- Ramakrishna accepted the SolarWinds CEO position in early December 2020, just days before learning about the nation-state attack. Many of his supporters urged him to consider walking away from the CEO position, Ramakrishna said. "I felt that continuity and urgency was super important in this situation," he said.
Dive Insight:
Almost six months after the compromise was uncovered, Ramakrishna opened the curtain on new information and what lessons the company has learned, as part of a conversation with Forrester VP and Group Director Laura Koetzle.
Investigators established the new attack timeline after they stumbled on code that showed the attackers, which federal officials have attributed to Russia's SVR, had been embedded in the system since the beginning of 2019, he said. Previously known evidence showed the attackers had embedded code in the system in September 2019.
SolarWinds has been assessing hundreds of terabytes of data and thousands of build systems, he said, and they found evidence the attackers were doing surveillance much earlier than they initially thought.
"The tradecraft that the attackers used was extremely well done and extremely sophisticated where they did everything possible to hide in plain sight," Ramakrishna said.
Ramakrishna was announced as the president and CEO of SolarWinds on Dec. 9, 2020, a move that would take effect Jan. 4, 2021. However, he would not learn about the backdoor intrusion until Dec. 12, the night of his birthday. Jason Bliss, EVP and general counsel at the time — now EVP and chief administrative officer at SolarWinds — contacted Ramakrishna to inform him of the intrusion just as Ramakrishna was sitting down to his birthday dinner.
"Jason, if you know him, is a no drama guy, he's very plain spoken," Ramakrishna said. "He said this is what we found out today. FireEye reported that there was a backdoor into the Orion platform."
Bliss did not know a lot of the details at the time, and the idea of a supply chain backdoor was not something they fully understood, Ramakrishna said. Ramakrishna told Bliss it was quite ironic that he would call about a security incident, because that same morning he was preparing a list of things to focus on, including the security posture of SolarWinds — not realizing security would be at the very top of the list.
Ramakrishna, the former CEO of Pulse Secure, said his experience at the software company helped prepare him for the SolarWinds position. Pulse Secure's VPN products had been the target of malicious threat actors and Ramakrishna understood that companies need to always be prepared for the day when their products face the risk of cyber intrusion.
"We have to be prepared at all points in time but be humble enough to accept that security vulnerabilities and breaches can happen to anyone," he said, "notwithstanding what resources we have or how good and great we [think we] are."