Dive Brief:
- U.S. officials are investigating the potential use of JetBrains, a Czech Republic-based software company specializing in development tools, as a conduit to compromise other technology companies in relation to the SolarWinds hack, The New York Times reported Wednesday.
- Officials are working to determine whether the company's continuous integration/continuous development tool, TeamCity, was used as a launchpad for adding backdoors to other companies' software, according to the report. SolarWinds is one of JetBrains' customers, which also include Google, P&G and Citibank, according to the JetBrains website.
- JetBrains denied the reporting, saying the company "has not taken part or been involved in this attack in any way," and that SolarWinds did not contact JetBrains in light of the hack. The company said investigators have not contacted JetBrains, and that it is only aware of information that is already public.
Dive Insight:
When the SolarWinds hack came to light last month, industry experts viewed it as a gateway for a larger breach across its Orion customer base. In December, Microsoft found that while a large pool of Orion customers showed evidence of the initial malware, only a percentage had a follow-up payload executed. Microsoft last week confirmed that the company's internal source code was viewed by malicious actors.
U.S. security agencies formally attributed the attack to "likely" Russian actors on Monday. "At this time, we believe this was, and continues to be, an intelligence gathering effort," officials said.
SolarWinds' breach was a months-long campaign that required significant time for "conscientious reconnoitering," said John McClurg, senior vice president and CISO of BlackBerry and former FBI branch chief, in an email.
"This means that attackers likely surveyed the software supply chain of each target company years in advance … this patience then extended to the timing of the intrusion," which granted the bad actors the ability to find other points of entry in vendors, said McClurg.
The Department of Justice, one of the federal agencies compromised in the cyberattack, found additional activity stemming from the SolarWinds hack involving access to the DOJ's Microsoft Office 365 email environment, according to a statement released Wednesday. The agency said about 3% of Office 365 inboxes were compromised.
In response, the DOJ "eliminated the identified method by which the actor was accessing the O365 email environment," according to the statement.
As further details from targeted organizations continue to unfold, security experts expect to identify more vendors involved in the breach.
With major technology companies, including Microsoft and FireEye, investigating their involvement, supply chain security will be a primary focus for organizations this year. "SolarWinds is one of the victims in this situation. It could have been any of us," said Steve Torino, cyber risk assessor at CyberSaint.
"When the compromise comes through a backdoor in commonly used software or ubiquitous utilities and dependencies, it can create an almost unpluggable hole downstream that could take years to fully remediate," said Torino.
StackShare data shows at least 250 companies use the TeamCity tool. And JetBrains acknowledged the possibility of a product compromise. "It's important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability," according to the company.
The SolarWinds cyberattack involves technology vendors, the private sector and government, which will further complicate how security in the supply chain should be managed. "We have major world powers with very different visions of how the future should look," said Torino.