SolarWinds Orion Hack Explained – Are CISOs Now on the Hook?

Solar Winds Hack

The SolarWinds Orion hack reportedly launched by Russian espionage hacker group Dark Halo was the most wide-ranging attack in the history of cybersecurity. Among the targets were a series of U.S. government departments. The fallout included not only the expected outrage across the nation, but an alarming development placing the blame jointly on the shoulders of the software vendor’s chief information security officer (CISO) as well as the company.

In this blog post, we examine the technical details and remediation by SolarWinds; the aftermath, including the U.S. Securities and Exchange Commission (SEC) charges; and whether CISOs are now on the hook for similar attacks. All information is based on various news reports, videos explaining the breach, and quotes collected at the time.

What Is the SolarWinds Scandal?

IT administrators use software from the company SolarWinds to help them monitor server performance, analyze network traffic, configure settings, and implement security patches. The Orion software platform was one of the company’s products.

Let’s first look at some of the high-level details:

  • Volexity was investigating a breach in 2019 at a U.S. think tank. They discovered two groups of unauthorized hackers in the network, including one named “Dark Halo.” These hackers were copying the content of emails to an external server, gaining information from executives and others with extensive access permissions.
  • At the same time, with help from Microsoft and cybersecurity threat assessment firm Mandiant, a U.S. Department of Justice team had detected suspicious traffic going from one of their servers to the internet in 2020.
  • Ultimately, it transpired that—in addition to more federal agencies—tech companies and even some security companies were victims of the unauthorized hack, including two of those involved in these investigations—Microsoft and Mandiant! The hackers had used stealthy “living-off-the-land” methods. This avoids introducing new tools or tactics into the network, instead relying on what they found to circumvent the usual prevention or detection measures. The Mandiant CEO thought the almost-undetectable nature of this hack was similar to Russian tactics he’d encountered early in his career!

SolarWinds Orion Hack Remediation

SolarWinds discovered 71 of its email accounts had also been compromised, but its security team was still in the dark about the source code of the hack.

  • They assigned Crowdstrike, another cybersecurity company, to continue efforts to find it.
  • Meanwhile, the SolarWinds CISO, Tim Brown, and his team decided to adopt a different method of compiling code in Orion—one that allowed them to crawl all the finished code in every one of their products for anything foreign.
  • SolarWinds also hired KPMG’s forensics division to lead a separate investigation. Ultimately, they discovered a malicious file called “Sunspot” that opened the key to what had happened, including all related activities since February 2020. It was this file that provided the back door into the Orion code, giving hackers access to all the affected federal agencies and high-profile companies.

The Media Aftermath and Responses

In December 2020, the media reported a hack that affected both Mandiant and the U.S. Treasury Department. They also reported that the U.S. Commerce Department was affected as well, and named the SolarWinds software as the source of the breach.

  • After the report was published, SolarWinds issued an Update on Security Vulnerability, stating that its Orion software had been compromised, and emailed a temporary fix to customers.
  • Mandiant and Microsoft also announced information on the back door and the activities of the hackers in their networks on the same evening.
  • Subsequent SolarWinds reports suggested that, while an eye-watering number of networks were affected, deep penetration occurred in only around 100.

Disappointment Within the InfoSec Community

Prescient security experts and CyberSec industry bodies had been banging the drum for security frameworks, policies, procedures, and compliance legislation for decades.

The hack revealed more of the dismal truth:

  • Many federal agencies lacked basic, but requisite, network logs that would have alerted them sooner to intrusion attempts
  • Many customers had ignored SolarWinds’ advice to use a dedicated server for SolarWinds updates (including Mandiant and Microsoft)
  • Some government servers were not protected by firewalls
  • They also found that other servers lacked even basic network logs

Questions About the SolarWinds Orion Hack

Solarwinds hack explainedThe issue that raised the ire of users and those in the InfoSec community at large is that the SolarWinds CISO and other employees seemed to be saying one thing within their organization and quite another externally.

  • Reports circulated about internal team members’ years-old attempts to sound the alarm on potential security flaws in the SolarWinds software.
  • And, in what might seem like a cynical move at best, two of its investors that together held 75% of SolarWinds shares and six seats on its board had sold $315 million in stock a mere six days prior to initial media reports of the hack.

Questions About Mandiant’s Vague Disclosures

Mandiant announced the SolarWinds hack, but with vague details on how the back door was discovered, how the hackers gained entry, when the breach had first been detected, and how long they were able to remain on the company’s network. The announcement made it sound like the breach was a single event with no relation to anyone else. They also neglected to disclose that they, too, were among the targets of the hack.

U.S. Government Response

The breaches within the U.S. government ultimately affected at least eight federal agencies, including the U.S. Treasury and Commerce Department. Naturally, SolarWinds was deluged by panicked customers, U.S. government agencies, and even calls from foreign governments concerned about breaches in key utilities services and power stations.

  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent directive to federal agencies, asking them to remove their SolarWinds servers from the internet and not download any patches until further instructed.
  • The National Security Agency (NSA) and the Federal Bureau of Investigations (FBI) held a series of conference calls, during which staff established that the Department of Justice was hacked early in 2020. Deprioritized at the time, it was now clear that this breach (which had been investigated by Mandiant) was more significant. And, they discovered that Mandiant had downloaded a corrupted version of the SolarWinds software during the course of its investigations.
  • In 2021, U.S. President Biden established a Cyber Safety Review Board as part of his Executive Order on Improving the Nation’s Cybersecurity to assess future cybersecurity incidents.

SVR Espionage and Potential Implications

SEC Investigators realized that stealing data was the goal as part of counter-intelligence, and that the attacks were similar to ones from previous months. They blamed SVR, the foreign intelligence service of the Russian Federation.

Chris Krebs, the former CISA director, accepted some responsibility for the government breach. He warned that this was not a one-time event, but part of a wider and ongoing effort by foreign intelligence and other bad actors.

Many concluded the hackers were interrupted long before they were able to use the hack to its full potential, given the hackers potentially had access to information on:

  • Planning for sanctions against Russia
  • S. nuclear facilities and weapons stockpiles
  • Indictments and filetaps from court systems
  • Election-system security
  • Software vulnerabilities

Securities and Exchange Commission Investigation into the Solarwinds Orion Hack

The U.S. Securities and Exchange Commission stated in SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures that SolarWinds’ lax security measures had existed for five years. But it was the investors’ suspicious $315 million stock sale that triggered its investigation.

Legal representatives for the government began to make noise, summoning the company’s C-suite to a hearing. In response, SolarWinds engaged the (since fired) former head of CISA to help communicate with the government.

Government Charges SolarWinds CISO Over SolarWinds Orion Software Cyberattack

Dark Reading reports that SolarWinds and its CISO, Tim Brown, were charged with “fraud and internal control failures.”

Their report said that he told a colleague he’d lied to a cybersecurity firm about not being aware of having seen similar activity. And the SEC accused him of personally profiting from the sale of shares. The SEC’s main gripe seems to be this difference between internal company discussions and what was disclosed externally to customers and investors, with internal messages showing staff members were aware of this.

There are other SEC charges against SolarWinds, including overinflated stock prices enabled by “materially false and misleading statements.” For example, the SEC said that SolarWinds claimed they’d implemented the National Institute of Standards and Technology (NIST) framework, when they’d only established it in part.

SolarWinds’ response was to express disappointment, complain of the SEC’s “overreach,” and warn of the “alarm (to) all public companies and committed cybersecurity professionals across the country.”

Both SolarWinds and Brown have vowed to fight the charges.

In early November 2023, the company published a blog post on Setting the Record Straight, reiterating that “The SEC’s lawsuit is fundamentally flawed,” making specific mention of the accusations they’d not followed the NIST’s cybersecurity framework (CSF) and the claims they’d hidden information on the attack.

Are CIOs and CISOs on the Hook for Hacks?

Many in the industry fear this precedent has triggered the potential for CIOs and CISO to be held personally liable for data breaches by insurers, users, or the government.

To assess how likely this is, let’s first look at what CIOs and CISOs are and how changes in insurance and cybersecurity industries might affect the situation.

What Are CIOs and CISOs?

Let’s explain the difference so we know who may now be held personally responsible:

  • A Chief Information Officer (CIO) has oversight of an organization’s overall strategy around information systems and resources that support business goals.
  • A Chief Information Security Officer (CISO) has responsibility for the cybersecurity of these information systems and resources.

Cybersecurity Insurers Are Beefing Up their Requirements

Insurers are becoming ever more savvy about security risks and associated costs, including those they should not cover. For example, they are hiring their own cybersecurity consultants and staff.

For further information, see Cybersecurity Insurance Hacks Out an $80 Billion Niche.

The Government Is Making CISOs Personally Responsible

The Securities and Exchange Commission investigation Into the SolarWinds Orion Hack and their subsequent charging of not only SolarWinds, but their CISO— will send a shudder down the spine of any security professional with senior responsibility for security. The developments arising in the wake of the SolarWinds hack—the unauthorized intrusions, access control, lack of oversight, data thefts, breaches, and far-ranging legal consequences are especially alarming for those who oversee the security posture of their organization, its products and services. It will certainly make those who collect, access, use, or otherwise process government data sit up and pay attention.

What Effect Will this New Direction Have on the CIO/CISO Profession?

While it’s still too early to tell for certain, this legal development certainly raises a number of questions for those in the C-suite: Which one of us would voluntarily sign up to risk potential bankruptcy for the sake of our employer? How will the CISO profession survive if staff will be personally liable? And, how does making them personally responsible work in practice?

How these questions resolve in law and practice will show us how the profession may change. In the interim, it will undoubtedly prompt discussions between companies and top staff about how the firm will protect them from liability.

Did the SEC Freeze Internal Cybersecurity Discussions on Security Risks?

SolarWinds thinks so. They warn in Setting the Record Straight of the paralyzing effect on free internal discussion—with every CIO, CISO, or security engineer under threat that their words may be taken down and used in evidence against them.

CIOs and CISOs Are Taking Their Expertise and Going Freelance

To try to avoid potential liability, there is a sense that some CISOs are leaving roles in companies to become freelancers.

If an experienced CISO can earn a lucrative living from going freelance—parachuting in to help companies without the added constant worry of personal consequences if things go awry, and dealing with the list of headaches when they do—then why wouldn’t they?

Did the SEC Make Things Easier for Hackers?

SolarWinds has doubled down on its denial in Setting the Record Straight, insisting they’ve been transparent. They state that the SEC’s precedent means that, if companies reveal very detailed information on vulnerabilities following future hacks, this information would “would be useful to hackers looking for vulnerabilities to exploit.”

Are You a CIO or CISO Personally Affected by this New Direction?

Our professional reputation is a high-value commodity. The question now is whether, following a catastrophic failure in their company’s security posture, professional CIOs and CISOs are willing to absorb these new and onerous liability consequences, including ones that may land them in court on their own dime.

Assess Your Security

If you’d like to see if your business lacks any of the security features that might make it vulnerable to this sort of hack, sign up for a Compliance Audit from Sagacent Technologies.