2020-12-14 SolarWinds Corp Cybersecurity Incident

Page last updated on April 11, 2024

SolarWinds Corp initially disclosed a cybersecurity incident in an SEC 8-K filing on 2020-12-14 09:57:24 EST.

Incident Details

Material: Unknown
Is Breach: Unknown
Records Compromised: Unknown
Data Types Impacted: No Data Types Tracked (yet)

Compromised Date:
Detected Date: 2020-12-12
Disclosure Date: 2020-12-14
Contained Date:
Recovered Date:

Attack Goal: Unknown

Costs: No Costs Tracked (yet)

Filings

8-K filed on 2020-12-14

SolarWinds Corp filed an 8-K at 2020-12-14 09:57:24 EST
Accession Number: 0001628280-20-017451

Item 8.01 Other Events.

SolarWinds Corporation (“SolarWinds” or the “Company”) has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run. SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state, but SolarWinds has not independently verified the identity of the attacker. SolarWinds has retained third-party cybersecurity experts to assist in an investigation of these matters, including whether a vulnerability in the Orion monitoring products was exploited as a point of any infiltration of any customer systems, and in the development of appropriate mitigation and remediation plans. SolarWinds is cooperating with the Federal Bureau of Investigation, the U.S. intelligence community, and other government agencies in investigations related to this incident.

Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the “Relevant Period”), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products. SolarWinds has taken steps to remediate the compromise of the Orion software build system and is investigating what additional steps, if any, should be taken. SolarWinds is not currently aware that this vulnerability exists in any of its other products.

SolarWinds currently believes that:


8-K filed on 2020-12-17

SolarWinds Corp filed an 8-K at 2020-12-17 16:05:44 EST
Accession Number: 0001628280-20-017620

Item 7.01 Regulation FD Disclosure.

On December 14, 2020, SolarWinds Corporation (“SolarWinds” or the “Company”) filed a Current Report on Form 8-K disclosing that it had been made aware of a potential security incident with respect to its Orion monitoring products. On December 17, 2020, SolarWinds provided the following update on the security incident on its Orange Matter corporate blog, accessible at: https://orangematter.solarwinds.com:

On Saturday, December 12, our CEO was advised by an executive at FireEye of a security vulnerability in our Orion Software Platform which was the result of a very sophisticated cyberattack on SolarWinds. We soon discovered that we had been the victim of a malicious cyberattack that impacted our Orion Platform products as well as our internal systems. While security professionals and other experts have attributed the attack to an outside nation-state, we have not independently verified the identity of the attacker.

Immediately after this call, we mobilized our incident response team and quickly shifted significant internal resources to investigate and remediate the vulnerability. Know that each of our 3,200 team members is united in our efforts to meet this challenge. We remain focused on addressing the needs of our customers, our partners and the broader technology industry.

To accomplish that, we swiftly released hotfix updates to impacted customers that we believe will close the code vulnerability when implemented. These updates were made available to all customers we believe to have been impacted, regardless of their current maintenance status. We have reached out and spoken to thousands of customers and partners in the past few days, and we will continue to be in constant communication with our customers and partners to provide timely information, answer questions and assist with upgrades.

We are solely focused on our customers and the industry we serve. Our top priority has been to take all steps necessary to ensure that our and our customers’ environments are secure. We are taking extraordinary measures to accomplish this goal. We shared all of our proprietary code libraries that we believed to have been affected by SUNBURST to give security professionals the information they needed to do their research. We also have had numerous conversations with security professionals to further assist them in their research. We were very pleased and proud to hear that colleagues in the industry discovered a “killswitch” that will prevent the malicious code from being used to create a compromise.

Here are a few important things to know:


8-K filed on 2021-01-11

SolarWinds Corp filed an 8-K at 2021-01-11 17:40:15 EST
Accession Number: 0001739942-21-000015

Item 7.01 Regulation FD Disclosure.

On January 11, 2021, SolarWinds Corporation ("SolarWinds" or the “Company”) provided the following update on the recent security incident with respect to its Orion monitoring products on its Orange Matter blog, accessible at https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst:

New Findings from our Investigation of SUNBURST

Since the cyberattack on our customers and SolarWinds, we have been working around the clock to support our customers. As we shared in our recent update, we are partnering with multiple industry-leading cybersecurity experts to strengthen our systems, further enhance our product development processes and adapt the ways that we deliver powerful, affordable AND secure solutions to our customers.

We are working with our counsel, DLA Piper, CrowdStrike, KPMG and other industry experts to perform our root cause analysis of the attack. As part of that analysis, we are examining how the SUNBURST malicious code was inserted into our Orion Software Platform and once inserted, how the code operated and remained undetected.

Today we are providing an update on the investigation thus far and an important development that we believe brings us closer to understanding how this serious attack was carried out. We believe we have found a highly sophisticated and novel malicious code injection source that the perpetrators used to insert the Sunburst malicious code into builds of our Orion Software Platform.

We recognize that the software development and build process used by SolarWinds is common throughout the software industry, so we believe that sharing this information openly will help the industry guard against similar attacks in the future and create safer environments for customers.

The security of our customers and our commitment to transparency continue to guide our work in these areas and going forward.

Highly sophisticated and complex malware designed to circumvent threat detection

As we and industry experts have noted previously, the SUNBURST attack appears to be one of the most complex and sophisticated cyberattacks in history. The US government and many private-sector experts have stated the belief that a foreign nation-state conducted this intrusive operation as part of a widespread attack against America’s cyber infrastructure. To date, our investigations have not independently verified the identity of the perpetrators.

Analysis suggests that by managing the intrusion through multiple servers based in the United States and mimicking legitimate network traffic, the attackers were able to circumvent threat detection techniques employed by SolarWinds, other private companies, and the federal government. The SUNBURST malicious code itself appears to have been designed to provide the perpetrators a way to enter a customer’s IT environment. If exploited, the perpetrators then had to avoid firewalls and other security controls within the customer’s environment.

KPMG and CrowdStrike, working together with the SolarWinds team, have been able to locate the malicious code injection source. We have reverse-engineered the code responsible for the attack, enabling us to learn more about the tool that was developed and deployed into the build environment.

This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion platform without arousing the suspicion of our software development and build teams. We encourage everyone to visit this blog post, authored by the CrowdStrike team, which provides additional details into these findings and other technical aspects of this attack and contains valuable information intended to help the industry better understand attacks of this nature.

As we discussed in our previous post, we hope that this event ushers in a new level of collaboration and information sharing within the technology industry to address and prevent similar attacks in the future. Our concern is that right now similar processes may exist in software development environments at other companies throughout the world. The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insight, knowledge and resources of all constituents.

We want to be a part of that solution, which is why we are sharing this information with the broader community, and we will continue to share progress as we assimilate this information into our go forward practices.


8-K filed on 2021-05-07

SolarWinds Corp filed an 8-K at 2021-05-07 16:53:21 EDT
Accession Number: 0001739942-21-000076

Item 7.01 Regulation FD Disclosure.

On May 7, 2021, SolarWinds Corporation ("SolarWinds" or the “Company”) provided the following update on the cyberattack announced in December 2020, or the Cyber Incident, on its Orange Matter blog, accessible at https://orangematter.solarwinds.com/2021/05/07/an-investigative-update-of-the-cyberattack:

An Investigative Update of the Cyberattack

The recent cyberattacks against SolarWinds, other widely used technology providers, and our respective customers are examples of the ongoing challenges facing the software industry as a whole. It’s clear that nation-state actors are actively working to compromise and disrupt the technology supply chains and infrastructure on which we all rely.

Throughout this experience, we’ve emphasized transparency, collaboration with our public and private partners, and knowledge-sharing from our investigations as information is gathered and verified. Over the past five months, we’ve devoted extensive resources to investigating this cyber attack and working with experts to sift through terabytes of data. We’ve been determined to uncover the tools, tactics, and motives of the nation-state threat actor to better protect SolarWinds, our customers, and others in the future.

We’re close to completing these extensive investigative efforts with assistance from our third-party experts and would like to provide another update on what we’ve learned to supplement our prior posts.

Our Awareness of Impact to Customers

We also want to take a moment to discuss our understanding about the impact of this attack on our customers. Our attitude will continue to be: one customer impacted is one customer too many.

We’ve worked tirelessly to support our customers and to contain, eradicate, and remediate the cyber incident. We quickly published information about the attack and notified our customers. We also released remediations to the affected versions of the Orion Platform software and engaged in extensive outreach and support to our customers. We also made available third-party support at our expense to help customers upgrade their Orion Platform software.

Through our numerous blog posts, webinars, TechPod podcasts, interviews, and other public statements, we’ve provided to our customers, and to the industry more broadly, substantial information about the cyber incident and our learnings and adaptation from it to help them better understand the attack and protect themselves.

Based on our investigations and conversations with our customers, we believe the number of customers targeted and impacted by the SUNBURST malicious code is significantly fewer than the number of potentially vulnerable customers. At the earliest stages of our investigation, we reported up to 18,000 customers could potentially have been vulnerable to SUNBURST, based on our records of the total number of customer downloads of the specific, impacted versions of our Orion Platform products. Unfortunately, we’ve seen this number used mistakenly in media reports as the number of customers that the threat actor actually hacked through SUNBURST.

We now estimate that the actual number of customers who were hacked through SUNBURST to be fewer than 100. It’s important to note that this group of up to 18,000 downloads includes two significant groups that could not have been affected by SUNBURST due to the inability of the malicious code to contact the threat actor command-and-control server: (1) those customers who did not install the downloaded version and (2) those customers who did install the affected version, but only did so on a server without access to the internet. Among a third group of customers, those whose affected servers accessed the internet, we believe, based on sample DNS data, only a very small proportion saw any activity with the command-and-control server deployed by the threat actor. This statistical analysis of the same DNS data leads to our belief that fewer than 100 customers had servers that communicated with the threat actor. This information is consistent with estimates provided by U.S. government entities and other researchers, and consistent with the presumption the attack was highly targeted.
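The victim estimate in the paragraph above is reached by bucketing every host that downloaded the affected build: did it install it, did the installed server have internet access, and does resolver data show any contact with the command-and-control domain. The script below, added by the editor and not part of the SolarWinds filing or its investigation, performs that same triage over a constructed Orion inventory and constructed resolver log lines. The C2 domain `c2.example.invalid` and the internal zone suffix `.corp.example` are placeholders; the real C2 name is not given in the filing and is not assumed here.

```python
import re
from collections import Counter, defaultdict

# Hypothetical C2 apex domain supplied by threat intel (placeholder, not the real one).
C2_DOMAIN = "c2.example.invalid"
# Names under this suffix are internal and say nothing about internet reachability.
INTERNAL_SUFFIX = ".corp.example"

# Constructed Orion inventory: host -> whether an affected build was actually installed.
INVENTORY = {
    "orion-hq": True,
    "orion-dmz": True,
    "orion-lab": True,
    "orion-ot": True,        # installed, but on an isolated network segment
    "fileserver": False,     # downloaded the installer, never installed it
}

# Constructed resolver log lines: "<timestamp> <client> <queried name>".
DNS_LOG = """\
2020-06-03T10:01:11Z orion-hq updates.corp.example
2020-06-03T10:14:52Z orion-hq x7f2q.api.c2.example.invalid
2020-06-03T10:15:02Z orion-lab www.msftncsi.com
2020-06-03T11:20:45Z orion-dmz C2.EXAMPLE.INVALID.
2020-06-03T11:21:00Z orion-ot dc01.corp.example
2020-06-03T12:00:00Z fileserver c2.example.invalid
2020-06-03T12:05:09Z unknown-laptop k3p9.c2.example.invalid
2020-06-03T12:30:30Z orion-lab notc2.example.invalid
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Group normalised (lower-cased, no trailing dot) query names by client; skip bad lines."""
    queries = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname = m.groups()
        queries[client].append(qname.rstrip(".").lower())
    return queries


def is_c2_name(qname, c2=C2_DOMAIN):
    """True for the apex itself or any subdomain; 'notc2.example.invalid' must not match."""
    return qname == c2 or qname.endswith("." + c2)


def classify_hosts(inventory, queries, c2=C2_DOMAIN):
    """Bucket each inventoried host the way the filing's reasoning does."""
    classes = {}
    for host, installed in inventory.items():
        names = queries.get(host, [])
        external = [n for n in names if not n.endswith(INTERNAL_SUFFIX)]
        if not installed:
            classes[host] = "not_installed"
        elif not external:
            # Proxy only: no external lookups seen at this resolver. Confirm against
            # proxy/firewall data before calling the host internet-isolated.
            classes[host] = "installed_no_egress"
        elif any(is_c2_name(n, c2) for n in external):
            classes[host] = "c2_contact"
        else:
            classes[host] = "installed_no_c2"
    return classes


def unexpected_c2_contacts(inventory, queries, c2=C2_DOMAIN):
    """Hosts that resolved the C2 name although inventory says no affected build is present."""
    return sorted(
        host for host, names in queries.items()
        if any(is_c2_name(n, c2) for n in names) and not inventory.get(host, False)
    )


def summarize(classes):
    return dict(Counter(classes.values()))


def c2_fraction(classes):
    """Share of hosts with an affected build that actually reached the C2 domain."""
    installed = [c for c in classes.values() if c != "not_installed"]
    if not installed:
        return 0.0
    return sum(1 for c in installed if c == "c2_contact") / len(installed)


if __name__ == "__main__":
    q = parse_dns_log(DNS_LOG)
    cls = classify_hosts(INVENTORY, q)
    print(summarize(cls))
    print("unexpected C2 lookups:", unexpected_c2_contacts(INVENTORY, q))
    print(f"C2 contact among installed hosts: {c2_fraction(cls):.0%}")
```

Two caveats a practitioner would add: the absence of external lookups at one resolver is only a proxy for "no internet access" and should be confirmed with proxy or firewall logs, and a C2 lookup from a host the inventory says is clean (the `unexpected_c2_contacts` output) is a lead to chase rather than noise, since inventories lag reality.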

Orion Platform Supply-Chain Attack

Most of our early investigative efforts focused on the compromise of our Orion Platform software products and understanding the nature of the attack. It became clear early on the threat actor employed novel and sophisticated techniques indicative of a nation-state actor and consistent with the goal of cyber espionage via a supply-chain attack. In addition, the operational security of the threat actor was so advanced, they not only attacked SolarWinds but were able to leverage the SUNBURST malicious code and avoid detection in some of the most complex environments in the world.

During the course of our investigations, we discovered the following:







Shared IT Environment Activities

We narrowed it down to three most likely candidates for initial entry, but we don’t limit the methods to these three. This excludes the possibility the initial access was through a known, unpatched vulnerability:







While we don’t know precisely when or how the threat actor first gained access to our environment, our investigations have uncovered evidence that the threat actor compromised credentials and conducted research and surveillance in furtherance of its objectives through persistent access to our software development environment and internal systems, including our Microsoft Office 365 environment, for at least nine months prior to initiating the test run in October 2019. Based on our learnings, while unfortunate, it’s not uncommon for threat actors to be in target environments for several months to years. This further reinforces the need for transparency and collaboration, so we can all benefit from one another’s shared experiences and knowledge.

We’ve also found evidence that causes us to believe the threat actor exfiltrated certain information as part of its research and surveillance. This evidence includes the following:









Our Remediation Activities

Together with our partners KPMG and CrowdStrike, in conjunction with government agencies, we’ve undertaken extensive measures to investigate, contain, eradicate, and remediate the cyber incident. CrowdStrike performed a macro-level analysis of the SolarWinds environment and deployed their Falcon technology and other threat-hunting tools, providing ongoing monitoring for suspicious activity. The KPMG forensics team performed micro-level analysis, conducting deep inspections of our build environments, as well as additional forensics and analysis. This analysis included inspection of various artifacts, including historical firewall logs, access control logs, and SIEM events. At this time, we’ve substantially completed this process and believe the threat actor is no longer active in our environments.

Our Future: Secure by Design

Armed with what we’ve learned about this attack, we’re focused on becoming an industry leader in protecting our software development from cyberintrusions. We’re working with industry experts to implement enhanced security practices designed to further strengthen and protect our products and environment against these and other types of attacks in the future. To that end, we’re further securing our environment and systems by:











Additionally, we’re adopting zero trust and least privilege access mechanisms by:







Further, we’re addressing the possible risks associated with third-party applications access by:









Additionally, we have made significant progress in redesigning our automated build process to help ensure the security and integrity of the code of our products and that no insertions or alterations have occurred during the build process, as happened with SUNSPOT and SUNBURST. The illustration below highlights how this new build process works:

SolarWinds Post-Build Verification



In addition to these protective steps, we’re conducting our software builds in three separate environments, using changing build systems, and with separate user credentials. We check the integrity of the builds across these environments to identify and address any compromises. In this way, we are changing and shifting the threat surface, thereby forcing a threat actor to replicate an attack across multiple heterogeneous environments with no overlapping privileges to be successful.

We use a standard Secure Development Lifecycle approach. That includes requirements analysis, secure development, security testing, release, and response. As part of the process, Checkmarx is used for static code analysis, WhiteSource for open-source discovery/analysis, and internal penetration testing using Burp Suite prior to a final security review.
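As an added illustration of the cross-environment build check described above (an editor's example, not SolarWinds' tooling, diagram, or pipeline), the script below hashes the output trees of independent builds of the same commit and reports artifacts whose digests diverge between environments or that one environment failed to produce. Environment names, artifact names and file contents are constructed; a build-time injection confined to a single build environment, which is what the December 2020 filing describes, shows up as a digest that only that environment produces.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def digest_tree(root):
    """Return {relative_path: sha256_hex} for every file under root, in stable order."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def compare_builds(manifests):
    """Cross-check artifact manifests from independent build environments.

    manifests: {env_name: {relative_path: sha256_hex}}.
    Returns a sorted list of (relative_path, problem, envs) where problem is
    'divergent' (envs = those whose digest differs from the majority) or
    'missing' (envs = those that did not produce the artifact). With three or
    more environments the majority digest isolates the odd one out; with two
    you only learn that they disagree, not which one to distrust.
    """
    findings = []
    for rel in sorted(set().union(*manifests.values())):
        per_env = {env: m.get(rel) for env, m in manifests.items()}
        missing = sorted(env for env, d in per_env.items() if d is None)
        if missing:
            findings.append((rel, "missing", missing))
        counts = Counter(d for d in per_env.values() if d is not None)
        if len(counts) > 1:
            majority = counts.most_common(1)[0][0]
            outliers = sorted(env for env, d in per_env.items()
                              if d is not None and d != majority)
            findings.append((rel, "divergent", outliers))
    return findings


def _d(label):
    # Stand-in digest derived from a label; a real manifest comes from digest_tree().
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed manifests for three independent builds of the same commit. env-c's
# Orion.Core.dll carries a different digest (the one-environment injection pattern)
# and env-b never produced Tools/Helper.exe.
SAMPLE_MANIFESTS = {
    "env-a": {"Orion.Core.dll": _d("core/clean"), "SolarWinds.Orion.Web.dll": _d("web"),
              "Tools/Helper.exe": _d("helper")},
    "env-b": {"Orion.Core.dll": _d("core/clean"), "SolarWinds.Orion.Web.dll": _d("web")},
    "env-c": {"Orion.Core.dll": _d("core/tampered"), "SolarWinds.Orion.Web.dll": _d("web"),
              "Tools/Helper.exe": _d("helper")},
}


def demo_from_disk():
    """End to end: write three toy build outputs to disk, hash them, compare them."""
    trees = {
        "env-a": {"Orion.Core.dll": b"MZ core", "Tools/Helper.exe": b"MZ helper"},
        "env-b": {"Orion.Core.dll": b"MZ core", "Tools/Helper.exe": b"MZ helper"},
        "env-c": {"Orion.Core.dll": b"MZ core + injected", "Tools/Helper.exe": b"MZ helper"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        manifests = {}
        for env, files in trees.items():
            root = Path(tmp) / env
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
            manifests[env] = digest_tree(root)
        return compare_builds(manifests)


if __name__ == "__main__":
    for rel, problem, envs in compare_builds(SAMPLE_MANIFESTS) + demo_from_disk():
        print(f"{problem:9} {rel:28} {', '.join(envs)}")
```

The check only has signal if the build is reproducible: embedded timestamps, generated GUIDs or non-deterministic link order make every artifact diverge and bury a real injection, so those have to be pinned down before this comparison is trusted. Signing the agreed manifest from a system outside all three environments, rather than from any one of them, keeps the attestation out of reach of the build hosts it is meant to check.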



In addition to the build pipeline, business critical assets are identified, tracked, and reviewed on a regular basis. Security controls are defined for each asset.

We hope sharing of our learnings about this attack serves our customers - as well as the broader IT industry - given the common development practices in the industry and our belief that transparency and cooperation are our industry’s best tools to help prevent and protect against future attacks. We also believe it illustrates the lengths to which outside nation-states will go to achieve their malicious goals and the need for the industry and public sector to work together to protect critical systems and infrastructure. We see an opportunity to help lead an industry-wide effort we believe will position SolarWinds as a model for secure software environments, development processes, and products.

We see these initiatives and investments as being consistent with our goal of being a best-in-class provider of powerful, affordable, and secure solutions.


8-K filed on 2023-10-30

SolarWinds Corp filed an 8-K at 2023-10-30 16:33:07 EDT
Accession Number: 0001739942-23-000109

Item 7.01 Regulation FD Disclosure.

On October 30, 2023, SolarWinds Corporation (“SolarWinds” or the “Company”) provided the following update regarding the previously disclosed investigation by the Securities and Exchange Commission of the cyberattack on the Company’s Orion Software Platform and internal systems on its Orange Matter blog, accessible at https://orangematter.solarwinds.com/2023/10/30/transparency-information-sharing-and-collaboration. The Company may from time to time provide additional updates related to this matter on its Orange Matter blog.

Transparency, Information-Sharing, and Collaboration Make the Software Industry More Secure. We Must Not Risk Our Progress.

Soon after the highly sophisticated Russian cyberattack on SolarWinds and other technology companies was discovered in December 2020, the U.S. government and the security community determined it was carried out by persistent Russian threat actors. SUNBURST used novel techniques the world’s best cybersecurity experts had never seen before.

Since SUNBURST, there have been several reports of successful, highly resourceful, and capable technology companies, and even federal agencies, falling victim to nation-state cyberattacks, further illustrating that no one is immune to the new, advanced threats that have unfortunately become commonplace. As we practice and advocate, a community vigil is the only way to improve our collective security. It is imperative for victims of cyberattacks to come forward and share their experiences for the benefit of the broader community, and it is imperative these victims not be further victimized.

When I joined SolarWinds just days after the company learned of SUNBURST, my immediate focus was supporting our customers as we quickly contained, remediated, and eradicated the issue, while helping our customers ensure their environments were secure. We shared information about the incident as it was confirmed. The transparency of our response and our ongoing commitment to public-private partnerships has been widely praised in the global IT and security communities. We defined and implemented our Secure by Design initiative and have been commended broadly for advancing cybersecurity.

How we responded to SUNBURST is exactly what the U.S. government seeks to encourage. So, it is alarming that the Securities and Exchange Commission (SEC) has now filed what we believe is a misguided and improper enforcement action against us, representing a regressive set of views and actions inconsistent with the progress the industry needs to make and the government encourages.

The truth of the matter is that SolarWinds maintained appropriate cybersecurity controls prior to SUNBURST and has led the way ever since in continuously improving enterprise software security based on evolving industry standards and increasingly advanced cybersecurity threats. For these reasons, we will vigorously oppose this action by the SEC.

Our commitment to transparent communication has extended beyond customers to the entire industry and our government partners. We made a deliberate choice to speak, candidly and frequently, with the goal of sharing what we learned to help others become more secure. We partnered closely with the government and encouraged other companies to be more open about security by sharing information and best practices. We have advocated strongly for robust public-private partnerships to prevent future nation-state attacks. As a result of our efforts, the industry has made considerable progress in this regard since SUNBURST. Fierce business competitors now understand the need to be cooperative partners focused on defending our nation’s cyberinfrastructure against new and constantly changing attacks.

The SEC’s charges now risk the open information-sharing across the industry that cybersecurity experts agree is needed for our collective security. They also risk disenfranchising earnest cybersecurity professionals across the country, taking these cyber warriors off the front lines. I worry these actions will stunt the growth of public-private partnerships and broader information-sharing, making us all even more vulnerable to security attacks.

The actions we have taken over the last two and half years motivate us to stay the course and to push back against any efforts that will make our customers and our industry less secure. We will continue to move forward guided by our fundamental principles of transparency, urgency, collaboration, communication, and humility.




ADDITIONAL RESOURCES

SUNBURST investigation updates:


Company Information

Name: SolarWinds Corp
CIK: 0001739942
SIC Description: Services-Prepackaged Software
Ticker: SWI - NYSE
Website:
Category: Accelerated filer
Fiscal Year End: December 30