SolarWinds Hack: More Surprises, Plus Why Heads Didn’t Roll

RSA CONFERENCE — The group that carried out the giant SolarWinds hack were already inside the company’s environment in January 2019. That’s much earlier than previously reported.

That’s according to Sudhakar Ramakrishna, SolarWinds’ president and CEO. He talked about the origins and impact of the SolarWinds hack in a keynote Wednesday at the RSA Conference.

It was originally reported that the SolarWinds hack dated back to December 2019. The attack became public in mid-December 2020.

SolarWinds’ Sudhakar Ramakrishna

Ramakrishna said the attackers’ trade craft was “extremely well done and extremely sophisticated.”

And they did “everything possible to hide in plain sight,” he said.

“We were looking for all the usual clues,” Ramakrishna said. “When you go through an investigation, you have a checklist, a set of hypotheses and you try to map things. And in this case, given the amount of time they spent and given the delicateness that they had in their efforts, they were able to cover their fingerprints and their tracks every step of the way.”

Early Reconnaissance

SolarWinds assessed hundreds of terabytes of data and thousands of virtual build systems across its environment, Ramakrishna said.

“They were doing very early reconnaissance activities in January 2019,” he said. “That explains what they were able to do in September-October of 2019.”

SolarWinds began notifying its customers about the breach in mid-December 2020. Early on, the company reported up to 18,000 customers could have been vulnerable to the malicious code used by the attackers; it now says fewer than 100 SolarWinds customers were hacked.

“The most important questions that customers had at that point were, ‘What does it mean to me? And what do you want us to do?” Ramakrishna said. “The team rallied all around and did the very best to touch every single customer possible.”

SolarWinds Hack Prompts More Work with Partners

Nearly six months after the attack was first reported, SolarWinds continues to help its customers deal with the impact, Ramakrishna said.

“A lot of our software runs on premises as well, so it is not instantaneous that everybody updates at the same point in time,” he said. “So it is one customer at a time, essentially one day at a time. And in some cases I’ve told my team, one step at a time. What started off as a reactive measure, we started learning about the incident. We started addressing issues. And one of the foundations of what we’re trying to do is transparency as we enhance the trust that we have with our customers.”

In the aftermath, SolarWinds has worked with its worldwide partners and created the Orion Assistance Program, Ramakrishna said.

“We recognize that not all of our customers may have the internal resources to upgrade or rebuild, or project into the future,” he said. “So what we decided to do is work with our partners and extend support to our customers to essentially provide a pair of hands, in some cases, and technology commitments in other cases. And in many cases work side by side with them as they completed their upgrades. We did this at our cost. We felt it was our responsibility to help the customers get to a safe and stable environment.”

In hindsight, Ramakrishna said the company’s media response should have been stronger.

Scroll through our slideshow above for more of Ramakrishna’s comments – including why he didn’t fire anyone over the incident – and more news from the RSA conference.