SolarWinds Hires Chris Krebs to Reboot Its Cybersecurity


Hacked Firm Also Taps Former Facebook CSO as It Responds to Supply Chain Attack

Former CISA Director Christopher Krebs at the RSA 2020 conference in San Francisco. (Photo: Mathew J. Schwartz/ISMG)

Embattled software firm SolarWinds is following an increasingly common move for organizations that suffer a serious security failure or data breach: Call in experienced, high-profile crisis experts to advise and help rebuild.


Texas-based SolarWinds has hired Chris Krebs – the former U.S. government cybersecurity czar who was fired by President Donald Trump in a tweet, after Krebs stated that the 2020 election was the most secure one in history – to serve as an independent consultant.

As the Financial Times first reported, Krebs now says that he and new business partner Alex Stamos, the former CSO of Facebook, will help SolarWinds with its crisis response.

Krebs formerly headed the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, which together with the FBI has been leading the government’s investigation into the SolarWinds supply-chain attack.

“It’s a good move – two well-respected individuals, well experienced, so hopefully they can help them identify and address any issues and improve their security,” cybersecurity expert Brian Honan tells Information Security Media Group.

“Also, hopefully lessons learned from this will be shared with other vendors so that they can prevent similar attacks in the future,” says Honan, who’s CEO and principal consultant at Dublin-based BH Consulting.

Such a move has precedent. Stamos, who also serves as an adjunct professor at Stanford University, was one of multiple experts tapped by Zoom to guide an overhaul of its security and privacy practices.

SolarWinds had already brought in numerous outside experts to help with incident response after the hack was discovered. It also said it was rolling out CrowdStrike’s Falcon Endpoint Protection Platform on every endpoint.

SolarWinds’ new CEO, Sudhakar Ramakrishna, says hiring the experts is part of the company’s move to rethink its “security programs, policies, teams and culture.”

“I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust,” Ramakrishna says in a blog post.

Previously the CEO of Pulse Secure, Ramakrishna accepted an offer to helm SolarWinds, before the attack came to light, and joined the company this week.

Sunburst Backdoor

Ramakrishna is now in charge of helping to mitigate what appears to rank as one of the worst hack attacks in history. Beginning in March, SolarWinds’ Orion network monitoring software began shipping with a backdoor, known as “Sunburst,” that could give attackers remote access to systems and serve as a foothold for second-stage attacks, which might involve installing additional malware, stealing data, eavesdropping on systems and more.

For up to nine months, about 18,000 organizations ran versions of Orion with Sunburst installed.

Experts say a smaller number of those organizations – perhaps numbering in the hundreds – were targeted with second-stage attacks. They include multiple U.S. government agencies, such as the Justice Department and branches of the Pentagon, as well as the Commerce, Homeland Security, State, Energy and Treasury departments.

Incident response experts have warned that it may take months – if not years – for affected organizations to fully recover from the hack attack. CISA, for example, has warned victims that among other steps, they “may need to rebuild all network assets” being monitored by the Orion software (see: CISA Warns SolarWinds Incident Response May Be Substantial).

SolarWinds says it’s still investigating how the backdoor ended up in its code, but says it appears to have been added not to its source code repository, but rather as part of the software-build process. U.S. investigators have said they’re probing the company’s engineering operations in Eastern Europe, to see if they may have been subverted by malicious insiders.

SolarWinds has now been hit by multiple lawsuits over the breach. One lawsuit, seeking class-action status, was filed this week by a shareholder who alleges that the company misrepresented the security of its products.

Shares of SolarWinds trade on the New York Stock Exchange, and were valued at $23.55 per share on Dec. 11, just before the supply-chain attack against it was discovered and publicly disclosed. By the end of trading on Thursday, the value of its stock had fallen to $14.68 per share – nearly a 40% decline.

Russian Espionage Operation

For weeks, experts with knowledge of the SolarWinds investigation have said that the attack appeared to have been an espionage campaign run by the SVR – Russia’s foreign intelligence service. Belatedly, the Trump administration on Tuesday also said the attack was an apparent espionage operation “likely” perpetrated by a Russian advanced persistent threat group.

The attack came to light after Trump fired Krebs last November, meaning he has not been part of CISA’s probe. Specifically, the attack was discovered and first disclosed on Dec. 13, 2020, by FireEye, which was one of its victims.

Krebs says the consensus in the intelligence community is that the attack traces directly to Moscow.

“This has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world,” Krebs tells FT. “It was just one small part of a much larger plan that’s highly sophisticated, so I would be expecting more companies that have been compromised; more techniques that we’re yet to find. … There’s so much more to be written, I think, in this chapter of Russian cyber intelligence operations.”