Before this week, few people were aware of SolarWinds, a Texas-based software company that provides vital computer network monitoring software to corporations and government agencies around the world.
But the revelation that elite cyberspies have spent months secretly exploiting SolarWinds software to spy on computer networks has put many of its highest-profile customers in national governments and Fortune 500 companies on high alert. It also raises questions about whether company insiders knew about its security vulnerabilities while its largest investors were selling shares.
Founded in 1999 by two brothers in Tulsa, Oklahoma, on the eve of the dreaded Y2K computer bug at the turn of the millennium, the company says on its website that its first product “came on the scene to help IT professionals quell fears of the world ending.”
This time, its products are the ones instilling fear. On Sunday, the company began alerting about 33,000 of its customers that a “foreign nation state,” suspected to be Russia, had planted a backdoor in some updated versions of its flagship product, Orion. The ubiquitous software tool, which helps organizations monitor the performance of their networks and servers, had become an instrument for spies to steal information undetected.
“They are not a household name in the same way that Microsoft is. This is because their software is in the back office,” said Rob Oliver, a Baird research analyst who has followed the company for years. “Workers could have spent their entire careers without hearing about SolarWinds. But I guarantee your IT department will know.”
Now a lot of other people know about it, too. One of SolarWinds’ customers, the prominent California cybersecurity company FireEye, was the first to discover the cyberespionage operation. FireEye revealed earlier this month that its own systems had been breached by attackers who made off with its hacking tools. Other espionage targets revealed so far include the U.S. Treasury and Commerce departments.
The Department of Homeland Security’s cybersecurity unit this week ordered all federal agencies to remove the compromised software, and thousands of companies were expected to do the same.
Among the business sectors scrambling to secure their systems and assess potential data theft were the power industry, defense contractors and telecommunications companies.
The breach has plunged SolarWinds, now based in the hills outside Austin, Texas, into crisis. The compromised product accounts for nearly half of the company’s annual revenue, which came to $753.9 million for the first nine months of this year. Its shares have fallen 23% since the beginning of the week.
Moody’s Investors Service said Wednesday it was considering downgrading its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high legal and remediation costs.”
SolarWinds CEO Kevin Thompson had announced months earlier that he would step down by the end of the year as the company explored spinning off one of its divisions. The SolarWinds board appointed his replacement, PulseSecure CEO Sudhakar Ramakrishna, on December 7, according to a securities filing, a day before FireEye publicly disclosed the hack of its own systems and two days before the CEO change was announced.
It was also on December 7 that the company’s two largest investors, Silver Lake and Thoma Bravo, which together control a majority stake in the publicly traded company, sold more than $280 million in shares to a Canadian public pension fund. The two private equity firms said in a joint statement that they were “unaware of this potential cyberattack” at the time they sold the shares. SolarWinds disclosed the breach six days later.
The hacking operation began at least as early as March, when SolarWinds customers who installed updates to their Orion software unknowingly received hidden malicious code that could give intruders the same view of their corporate network that in-house IT teams have. FireEye described the malware’s dizzying capabilities: it lay dormant for up to two weeks after installation, then hid from view by disguising its reconnaissance as ordinary Orion activity.
FireEye said Wednesday it had identified a “killswitch” that prevents the malware used by the hackers from working. But while the killswitch disables the original backdoor, it will not remove intruders from systems where they have already established other ways of remotely accessing the victims’ networks.
SolarWinds executives declined interview requests through a spokesman, who cited an ongoing investigation into the hacking operation involving the FBI and other agencies.
“This is an unimaginable and unfortunate situation,” Oliver said. “SolarWinds products have always been reliable. Their value proposition has been built around reliability.”
Thompson’s last few weeks at the helm are likely to be spent responding to frightened customers, some of whom are also concerned that the company’s marketing tactics may have made SolarWinds and its higher-profile customers a target.
Earlier this week the company took down a web page that listed dozens of well-known customers, from the White House, Pentagon and Secret Service to the McDonald’s restaurant chain and the Smithsonian museums.
The Associated Press is among the hundreds of thousands of SolarWinds customers, though the news agency said it did not use the compromised Orion products. SolarWinds estimated in a securities filing that about 18,000 customers had installed the compromised software, meaning many of them were exposed to the espionage operation at some point this year.
FireEye, without naming specific targets, said it had confirmed infections in North America, Europe, Asia and the Middle East, including in the health care and oil and gas industries, and had been notifying affected customers around the world.
___
AP Technology writer Frank Bajak in Boston contributed to this report.