SolarWinds CEO describes overhauled Orion build system after that 'very small, unique' security breach
'This can happen to anybody. There's always learning in any crisis. And we were no exception'
CyberUK 21 SolarWinds’ chief exec has described the 18,000 customers who downloaded backdoored versions of its Orion software as a “very small” number while giving a speech to an infosec event.
Sudhakar Ramakrishna, who joined the biz in January, made the comparison while giving the opening keynote at the CyberUK conference, organised by Britain’s National Cyber Security Centre (NCSC). He'll also be giving a talk on the topic at this month's RSA Conference in the US, presumably part of an extended apology tour.
“Although the number of affected customers is very small, that we eventually discovered, it is still a very important thing to discover, because this is a unique and very novel attack on the supply chain of a company,” said Ramakrishna in his opening remarks – adding that “none of our source code control systems were tampered with.”
As regular readers know, SolarWinds is the maker of the Orion network infrastructure monitoring platform which was compromised last year. Russian spies broke into SolarWinds' build system and secretly injected backdoor code into Orion updates, which was subsequently distributed to installations worldwide. Putin's finest then followed up by using the compromised deployments to infiltrate computer networks in organizations and governments in the West, including those in the United States and United Kingdom.
SolarWinds’ chief exec had been invited to set the tone for the two-day conference, which is being held as a series of YouTube lectures this year. The “very small” number of 18,000 affected customers was disclosed in a company filing with the US Stock Exchange Commission, as previously reported.
Of more interest to technically minded readers was the revelation that SolarWinds has rearchitected its build processes, now having “three different environments” running in parallel with their outputs being cross-matched against each other to ensure there are no unexpected differences before being integrated into the final product. Ramakrishna beamed:
“We hope to achieve a level of non-repudiation, as opposed to simple integrity that is provided by the code signing certificate technology that the entire industry adopts.”
Previously SolarWinds had a traditional single-track build process, the output of which was digitally signed using a cryptographic certificate. The cert in use at the time of the Russian compromise has been rotated out, and the top boss insisted his team had learned from that aspect of the intrusion.
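The cross-matching of parallel build outputs described above, as an added illustration rather than SolarWinds' own tooling: three constructed build environments produce the same artifacts, per-file SHA-256 digests are compared, and any divergence blocks the release and names the environment that disagrees. Environment names, file names and file contents are constructed for the example; a signature alone would not catch this, since a compromised host signs whatever it built.

```python
import hashlib
from collections import Counter

# Constructed sample: one source tree built in three independent environments.
# Each manifest maps artifact path -> bytes produced. In a real pipeline these
# would be the files collected from each isolated build host.
CLEAN_APP = b"MZ...clean application binary"
ENV_BUILDS = {
    "env-a": {"app.dll": CLEAN_APP, "updater.exe": b"MZ...updater"},
    "env-b": {"app.dll": CLEAN_APP, "updater.exe": b"MZ...updater"},
    # env-c models a compromised build host: code injected into one artifact.
    "env-c": {"app.dll": CLEAN_APP + b"<injected>", "updater.exe": b"MZ...updater"},
}

def digest_manifest(files):
    """Return {path: sha256hex} for one environment's build output."""
    return {p: hashlib.sha256(data).hexdigest() for p, data in files.items()}

def cross_match(env_manifests):
    """Compare per-artifact digests across environments.

    Returns (release_ok, report). report maps each artifact either to the
    string 'consistent' or to the sorted list of environments whose digest
    differs from the majority (a missing file counts as a difference).
    Any disagreement blocks release: the majority output is not trusted
    either, because the divergence itself is what needs investigating."""
    paths = set()
    for manifest in env_manifests.values():
        paths |= set(manifest)
    report = {}
    for path in sorted(paths):
        by_env = {env: m.get(path) for env, m in env_manifests.items()}
        common, _ = Counter(by_env.values()).most_common(1)[0]
        outliers = sorted(env for env, d in by_env.items() if d != common)
        report[path] = "consistent" if not outliers else outliers
    release_ok = all(v == "consistent" for v in report.values())
    return release_ok, report

def gate_release(env_builds=ENV_BUILDS):
    """Digest every environment's output and cross-match them."""
    manifests = {env: digest_manifest(files) for env, files in env_builds.items()}
    return cross_match(manifests)

if __name__ == "__main__":
    ok, report = gate_release()
    for path, status in report.items():
        print(f"{path}: {status}")
    print("RELEASE ALLOWED" if ok else "RELEASE BLOCKED: divergent build environment")
```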
As for wider lessons to be learnt from the catastrophe, SolarWinds’ CEO was philosophical: “The most significant thing here is not to behave like a victim, so to speak, and accept that this can happen to anybody. There's always learning in any crisis. And we were no exception in this particular one as well.”
Britannia will rule the cyber-waves
GCHQ director Jeremy Fleming, who oversees the surveillance agency's NCSC offshoot, also spoke today, calling on the UK to adopt a “whole-nation approach if we are to continue to reap the benefits of technology.”
“There is no doubt that we are facing a moment of reckoning,” said Fleming, ominously. “But it’s clear that to face up to this moment of reckoning, we need to protect and build our strategic technology advantage. By that, I mean using science and tech to help defend against threats. To amplify our values. And as a consequence, make Britain stronger and more prosperous.”
He linked this to March’s publication by UK.gov of its Integrated Review of defence policy. That promised to put all things cyber at the heart of British policy for the Twenties, along with some implausible nonsense about nuking cyber attackers.
Tomorrow CyberUK will hear from Foreign Secretary Dominic Raab, whose speech is billed as setting out what the government understands by the term “responsible cyber power.” ®