SolarWinds Orion software has been in the news since Sunday. And it has been nothing but bad news since then. First off, the FireEye breach led to the discovery of the SolarWinds breach. The scary part is, had FireEye not discovered their own breach, SolarWinds may not have realized that they had been breached. The SolarWinds Orion product was hacked between March and June of this year, when hackers were able to insert malicious code into the update that went out to their many clients, including many clients in the US government.
How is it possible that hackers could get in and compromise the Orion update? Security researcher Vinoth Kumar says he notified SolarWinds in November 2019 that anyone could access its update server by using a simple password: "solarwinds123". As Newsweek says in its report: “Multiple government clients of SolarWinds—including the Department of Homeland Security, the Treasury Department and the Commerce Department—were reportedly compromised due to the cyberattack. It is not clear whether the password issue had any bearing on the successful cyberattack, but it demonstrates a potential failure on the part of the company to adequately safeguard its security. The hack is believed to have begun in the spring, several months after Kumar identified the password issue on the update server.”
If this isn’t serious enough, it is now also believed that some SolarWinds investors may have benefited from insider trading. The Washington Post writes: “Silver Lake, a Silicon Valley investor with a history of high-profile tech deals including Airbnb, Dell and Twitter, sold $158 million in shares of SolarWinds on Dec. 7 — six days before news of the breach became public. Thoma Bravo, a San Francisco-based private equity firm, also sold $128 million of its shares in SolarWinds on Dec. 7.” It’s unclear if SolarWinds knew of the breach this far ahead of time. FireEye notified SolarWinds and authorities on December 11th about the SolarWinds breach. The same Washington Post article mentions that these stock trades also occurred before the announcement of their new CEO: “The trades also occurred just before SolarWinds announced that its chief executive since 2010, Kevin Thompson, was resigning. The largest stock sales happened on Dec. 7, the same day Thompson resigned, but two days before the company’s announcement of its new CEO.”
You can bet there is going to be a long investigation over how this all happened, both from a national security standpoint and on the insider trading allegations. Many government agencies and businesses around the world have started the process of cleaning up and re-patching their systems. I don’t expect SolarWinds to come out of this unscathed.