Suspected Russian Cyberattack Began With Ubiquitous Software Firm

The hackers targeted software that is foundational to most businesses, but not usually in the spotlight and used principally by technical staff that keep computer networks and software up and running. “SolarWinds is in the plumbing,” said Stephen Elliot, a vice president with the industry research firm International Data Corp.

By building a back door into SolarWinds software, the hackers were able to compromise systems at the Department of Homeland Security, the Treasury and Commerce departments, national security agencies, defense contractors, and potentially hundreds of other entities.

This kind of indirect cyberattack—targeting suppliers as a way to break into their customers—has become an increasing concern to government and cybersecurity experts. While companies have beefed up their cyberprotections, most clients don’t closely scrutinize the software that their suppliers deliver.

“You’re inherently trusting the vendor to have done their own due diligence on the products they are selling you,” said Vincent Liu, chief executive of security consulting firm Bishop Fox. Very few companies, outside of some large financial services and high-technology firms, do a security assessment of the software they buy, he said.

Exploiting that avenue of attack isn’t new for Russian hackers. In 2017, the technique was used by hackers, also linked to Moscow, to disrupt companies world-wide after they broke into an obscure Ukrainian company called M.E. Docs and modified the tax software it distributed to customers so that it contained a destructive virus. The Russian government has denied it hacks America’s government or companies and its embassy in Washington denied responsibility for the SolarWinds attack.

In the latest incident, hackers appear to have gained a foothold in their victims’ networks by adding “back door” code to SolarWinds Orion software, according to an analysis of the event by Microsoft Corp. Once installed, this software connected to a server controlled by the hackers that allowed them to launch further attacks against the SolarWinds customer and to steal data. The vulnerable updates were delivered to customers between March and June, SolarWinds said.

“They could have just compromised SolarWinds, but they did more,” Mr. Liu said. “They turned that one compromise into who knows how many other compromises that we’re going to be learning about for weeks. We may never know the full impact,” he said.

A SolarWinds spokesman said the company is working with FireEye Inc., a major U.S.-based cybersecurity firm, and the intelligence community and law enforcement on an investigation.

The hackers were sophisticated and operated in a slow and deliberate fashion, using their foothold in victims’ networks to poke and prod computer systems and eventually to steal information, investigators say. FireEye, which was one of the victims of the incident, said last week the hackers stole a suite of hacking software that it employed to test the security of its customers.

The Cybersecurity and Infrastructure Security Agency issued an emergency alert Sunday night urging federal agencies to stop using the affected SolarWinds product.

Corporations typically have contracts with dozens of software suppliers, although the number can vary from industry to industry. In the banking industry, for example, the average number of direct software suppliers is 83; in IT services, it’s 55, according to the supply chain analysis company Interos Inc.

According to SolarWinds, as many as 18,000 customers could have downloaded the software containing the back door, although investigators expect the total number of victims to be much smaller. Security experts say even if customers turn off their SolarWinds software, they still may have weeks of work ahead of them to ensure that the hackers no longer have a foothold somewhere else in their network.

SolarWinds’ low profile has led to unwelcome surprises for some companies as they scrambled to determine whether they were running the software, said Sergio Caltagirone, vice president of threat intelligence with Dragos Inc., a computer security company. Mr. Caltagirone said he spent much of Monday asking his customers whether or not they used SolarWinds products. Most of them initially said no, only to realize upon further inspection that they were using the tools. “People are finding it everywhere,” he said.

SolarWinds, which has more than 3,200 employees, is one of dozens of small and large vendors selling software or services for network monitoring and management to governments and companies—a $11.5 billion global market, IDC’s Mr. Elliot said.

How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain. The company said that its Microsoft email accounts had been compromised and that this access may have been used to glean more data from the company’s Office productivity tools.

The incident became public as the 21-year-old company is going through leadership turmoil. Earlier this month—just four days before it disclosed the hack—SolarWinds said its chief executive, Kevin Thompson, would be leaving, effective January 4, to be replaced by Sudhakar Ramakrishna, formerly chief executive of the security company Pulse Secure LLC. Also this month, Joseph Kim, the company’s head of engineering, left to take a job at the software maker Citrix Systems Inc., according to his LinkedIn profile. In October, chief information officer Rani Johnson departed to work for another vendor, Tibco Software Inc. None of the executives responded to messages seeking comment.

SolarWinds generated $933 million in sales in 2019 and it has projected that it would surpass $1 billion in revenue this year. The Orion product accounts for about 45% of revenue, the company says. SolarWinds said it couldn’t predict the financial fallout from the incident. Shares in the company plunged almost 17% Monday.

Write to Robert McMillan at [email protected]