SolarWinds Hires Chris Krebs to Reboot Its CybersecurityHacked Firm Also Taps Former Facebook CSO as It Responds to Supply Chain Attack
Embattled software firm SolarWinds is following an increasingly common move for organizations that suffer a serious security failure or data breach: Call in experienced, high-profile crisis experts to advise and help rebuild.
See Also: Automating Security Operations
Texas-based SolarWinds has hired Chris Krebs - the former U.S. government cybersecurity czar who was fired by President Donald Trump after he stated that the 2020 election was the most secure in history - to serve as an independent consultant.
As the Financial Times first reported, Krebs now says that he and new business partner Alex Stamos, the former CSO of Facebook, will help SolarWinds with its crisis response.
Krebs formerly headed the U.S. Cybersecurity Infrastructure and Security Agency, or CISA, which together with the FBI has been leading the government's investigation into the SolarWinds supply chain attack.
"It's a good move - two well-respected individuals, well experienced, so hopefully they can help them identify and address any issues and improve their security," cybersecurity expert Brian Honan tells Information Security Media Group.
"Also, hopefully lessons learned from this will be shared with other vendors so that they can prevent similar attacks in the future," says Honan, who's CEO and principal consultant at Dublin-based BH Consulting.
Such a move has precedent. Stamos, who also serves as an adjunct professor at Stanford University, was one of the experts tapped by Zoom to guide an overhaul of its security and privacy practices.
Krebs and Stamos have now launched a cybersecurity consultancy, of which SolarWinds is the first customer, TechCrunch reports. The firm is called the Krebs Stamos Group.
After the hack attack against SolarWinds came to light last month, the company immediately brought in numerous experts to help with incident response. It also said it was rolling out CrowdStrike's Falcon Endpoint Protection Platform on every endpoint.
SolarWinds' new CEO, Sudhakar Ramakrishna, says that hiring Krebs and Stamos as consultants is part of the company's move to rethink its "security programs, policies, teams and culture."
Previously the CEO of Pulse Secure, Ramakrishna accepted an offer to helm SolarWinds before the attack came to light and joined the company this week.
"I commit to being transparent with our customers, our government partners and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us - your trust," Ramakrishna says in a blog post.
Ramakrishna is now in charge of helping to mitigate what appears to rank as one of the worst hack attacks in history. Beginning in March, SolarWinds' Orion network monitoring software began shipping with a built-in backdoor, known as "Sunburst," which could give attackers remote access to systems and the ability to run second-stage attacks. These might involve installing additional malware, stealing data, eavesdropping on systems and more.
For up to nine months, about 18,000 organizations ran versions of Orion with Sunburst installed.
Experts say a smaller number of those organizations - perhaps numbering in the hundreds - were targeted with second-stage attacks. They include FireEye, Microsoft and some U.S. government agencies, such as the Justice Department and branches of the Pentagon, as well as the Commerce, Homeland Security, State, Energy and Treasury departments.
Incident response experts have warned that it may take months - and Stamos has said it may be years - for affected organizations to fully recover from the hack attack. CISA has warned victims that among other steps, they "may need to rebuild all network assets" being monitored by the Orion software (see: CISA Warns SolarWinds Incident Response May Be Substantial).
SolarWinds says it's still investigating how the backdoor ended up in its code. But the company says it appears to have been added not to its source code repository, but rather as part of the software-build process. U.S. investigators have said they're probing the company's engineering operations in Eastern Europe to see if they may have been subverted by malicious insiders. Investigators are also reportedly examining if the hackers may have abused a development and integration tool used by SolarWinds called TeamCity, built by Czech software firm JetBrains.
SolarWinds has now been hit by multiple lawsuits over the breach. One lawsuit, seeking class-action status, was filed this week by a shareholder who alleges that the company misrepresented the security of its products.
Shares of SolarWinds, which trade on the New York Stock Exchange, were valued at $23.55 per share on Dec. 11, just before the supply-chain attack against it was discovered and publicly disclosed. By the end of trading on Thursday, the value of its stock had fallen to $14.68 per share - nearly a 40% decline.
Russian Espionage Operation
For weeks, experts with knowledge of the SolarWinds investigation have said that the attack appeared to have been an espionage campaign run by the SVR - Russia's foreign intelligence service. Belatedly, the Trump administration on Tuesday also said the attack was an apparent espionage operation "likely" perpetrated by a Russian advanced persistent threat group.
The attack came to light after Trump fired Krebs last November, meaning he has not been part of CISA's probe. The attack was discovered and disclosed on Dec. 13, 2019, by FireEye, which was one of its victims.
Krebs says the consensus in the intelligence community is that the attack traces directly to Moscow.
“This has been a multiyear effort by one of the very best, the most sophisticated intelligence operations in the world," Krebs tells the Financial Times. “It was just one small part of a much larger plan that’s highly sophisticated, so I would be expecting more companies that have been compromised; more techniques that we’re yet to find. … There’s so much more to be written, I think, in this chapter of Russian cyber intelligence operations.”