JetBrains' build automation software eyed as possible enabler of SolarWinds hack

The SolarWinds security breach disclosed last month, which US authorities believe was of Russian origin and led to the compromise of at least 18,000 organizations, may have been enabled in part by software from JetBrains.

The company, founded by Russian software developers and based in the Czech Republic, makes software development tools. One of these, build management and continuous integration system TeamCity, is used by SolarWinds as part of its application build process.

The New York Times on Wednesday reported that unidentified sources familiar with the SolarWinds investigation say investigators are looking into whether JetBrains' software was involved. Separately, Reuters said the FBI is scrutinizing TeamCity to see whether the software played a role in the compromise of the SolarWinds build system.

These reports have not suggested JetBrains personnel played a willing role in the compromise. Rather, investigators appear to be concerned that a poorly secured, improperly configured, or vulnerable TeamCity instance may have helped the attackers plant their malicious code somewhere in the software supply chain. TeamCity, like other software, is regularly patched for vulnerabilities.

In a statement on Wednesday, JetBrains CEO Maxim Shafirov emphasized that JetBrains has not been accused of any wrongdoing.

"First and foremost, JetBrains has not taken part or been involved in this attack in any way," he said. "SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software. SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available."

Shafirov said JetBrains has not been contacted by any government or security agency, and said while the company is unaware of any investigation, it stands ready to cooperate if approached.

Who's responsible?

In an email to The Register, Johannes Ullrich, Dean of Research for SANS Technology Institute, argued that JetBrains itself was not responsible for what happened.

“JetBrains was not affected by the SolarWinds breach or used to breach SolarWinds as far as I can tell,” said Ullrich.

“There are some implications that a development tool JetBrain makes was used to breach Solarwinds, but JetBrains stated that if the tool was involved, it was likely a misconfiguration of the tool and not a problem with JetBrains being compromised. JetBrains makes very popular development tools. A breach of JetBrains would be yet another huge supply chain type attack.”

Absent any evidence of collusion between the company and the attackers, the focus should remain on whether SolarWinds was diligent in its security practices, not all of which have been stellar.

SolarWinds last month acknowledged that the security breach involved two separate attacks: Supernova, which involved a malicious library targeting the SolarWind Orion Platform build system and a vulnerability that allows the malware to be deployed; and Sunburst, a supply chain attack that involved the insertion of a vulnerability into builds of SolarWinds' Orion Platform software.

Separately on Wednesday, the US Department of Justice said that its Microsoft Office 365 email system had been compromised as a result of the SolarWinds attack. In a statement, DoJ spokesman Marc Raimondi said, "At this point, the number of potentially accessed O365 mailboxes appears limited to around three per cent and we have no indication that any classified systems were impacted."

Raimondi said the DoJ's CIO learned of the email compromise on December 24, 2020, and is treating the compromise as a major incident under the Federal Information Security Modernization Act. Further reports to federal agencies, Congress, and the public may follow as required. ®