SolarWinds releases known attack timeline, new data suggests hackers may have done a dummy run last year

In an 8-K filing to the US Securities and Exchange Commission, SolarWinds has given more details on exactly how it learned its servers were spewing out malware. The notice [PDF] says that FireEye notified the network management biz's CEO (who had only been on the job for three days) of a serious security issue on 12 December. …

  1. Anonymous Coward

    $286 worth of shares

    I'm guessing that should be £286M, as shown by the link!

    1. Anonymous Coward

      Re: $286m worth of shares

      $, not £

      But I find it highly suspicious that the old CEO along with Venture Capitalist investors bailed out 5 days /before/ FireEye told them about the hack.

      What's the betting that the SEC investigation will find some WhatsApp message from the CEO to his VC chums: "Shit is hitting the fan. Sell!"

      Either the company noticed the hack a few days before FireEye did but kept quiet about it, or they were complicit much earlier.. and that could attract more serious charges than just fraud and insider trading..

      At a minimum, whoever bought those shares has been defrauded, and the national security of every country in the world outside Russia and China has been severely compromised by their incompetence.

      But if we consider malice, Kevin Thompson and Tim Brown may not just be guilty of fraud, but also espionage and treason in 100 different countries.. That's 100 trials he could face, some of which would be considering a death penalty.

      No wonder he ran away leaving his $1.4m salary behind

      1. A random security guy

        Re: $286m worth of shares

        a. He is going to have a huge army of lawyers defending him.

        b. Having been involved in responding to a few hacks, I can say that FireEye must have been in communication with the CEO BEFORE they came to the conclusion that there was a hack. There is a lot of communication that happens between the two parties.

        I bet, given a court order, FireEye will give the exact truth and nothing else but the truth.

  2. sitta_europea Silver badge

    "We never interfere in Africa's internal affairs and wouldn't do anything that harms the interests of the African side," the Chinese mission to the AU said in a statement.

    Oh, that's all right then.

    1. don't you hate it when you lose your account

      Of course not

      We just built the building

  3. Pascal Monett Silver badge

    "a dummy run to see if the intrusion would be detected"

    And it wasn't.

    Hacked twice, and stayed blind until 18K customers were infected.

    Congrats on the quality of your monitoring software, SolarWinds !

  4. MiguelC Silver badge

    As the old trope goes

    In Chinese-built African buildings walls listen to you

  5. fidodogbreath

    Pot, kettle, etc.

    Czech security shop Avast issued a warning that up to three million Chrome and Edge users could have been infected with malware hidden in browser extensions.

    Well, sure; their browser security experts have a lot of experience with software that violates user trust.

    1. aoecnrideuhtdi

      Re: Pot, kettle, etc.

      The old adage, it takes one to know one, is unfortunately more accurate than would be nice.

  6. nxnwest

    Dummy Run

    All dummy runs here in the US have a multitude of potential participants.

    1. mevets

      Re: Dummy Run

      All your dummies are belong to US(A).

  7. Anonymous Coward

    "A small UK telco"

    A small nit pick... Guernsey's not in the UK.

    If the UK catch on that people think it's part of the Union, they'll be wanting more tax out of us!

  8. Wim Ton

    Signed updates

    Just curious: were the updates digitally signed?

    1. cyberdemon Silver badge

      Re: Signed updates

      Of course they were signed!

      Read the original FireEye report - it makes for grim reading.

      This is why I prefer to do my updates manually, at least a few days late. But given that this 'update' lay dormant for 2 weeks before pwning the system, even that strategy may not have helped.

      I really detest the idea of automatic software updates. It makes it too easy for a bait-and-switch by the software developer, a rogue employee, or someone who stole their signing key.

      1. Brian Miller

        Re: Signed updates

        What the report (or SolarWinds) doesn't mention is how the binaries were signed.

        Where I work, I'm the one who worked out our signing process. We use an HSM, very limited access, and the access tokens are valid for a short window. For our system, basically the final binaries would have to be swapped out at the final stage of the build, before the signing happens. Possibly feasible, but the binary would have to also match the development-release binary, too.

        Using an HSM means the private signing key can't be exported, so it's at least locked to that box. The limited access means that the account of the authorized individual would have to be compromised, which is, of course, feasible. There are a number of checks of the final signed binary before release, so that cuts down on the probability that a rogue binary would be delivered to customers.

        Could a nation-state hack us? Possible. It's just a question of what windows of opportunity in the process are open, and how to shut as many of them as possible.

        1. Anonymous Coward

          Re: Signed updates

          > Could a nation-state hack us? Possible. It's just a question of what windows of opportunity in the process are open, and how to shut as many of them as possible.

          Out of curiosity (as opposed to business research), what if my country decided to kidnap your family and then asked you if you would be kind enough to sign this executable instead of that one? Would that work?

          Also, what if your CA (Certificate Authority) gets compromised and issues a certificate that someone else uses to distribute their improved version of your software?

    2. A random security guy

      Re: Signed updates

      Typically, I used Authenticode certificates to sign binaries when I was doing Windows DLLs.

      I still remember auditing our supply chain and asking a vendor what they did for signing key protection. They said that it was very secure as it was on only one person's laptop and they had anti-virus software.

      In another case, all the binaries were automatically signed with the production certificate. The CI server was signing everything. Sort of makes the process of signing unimportant.

  9. Anonymous Coward

    Poisoned Chalice

    > "The notice says that FireEye notified the network management biz's CEO (who had only been on the job for three days)"

    I knew this guy who got this position in the Arctic at the last minute before the site became unreachable for the winter. When he got there his first job was to prepare the corpse of his predecessor for air evacuation (the job where a rope is tied to the coffin with a balloon at the other end and a C-130 hooks the rope and winches the lot up).

    Always ask why a vacancy has opened.

  10. Anonymous Coward

    "Rayzone Group, an Israeli private investigations firm"

    By the same token, Cozy Bear is also a private investigations firm.

  11. That 8 Bit Guy

    One of the best quotes from a fictional technical engineer that holds true today.

    "The more they overthink the plumbing, the easier it is to stop up the drain".
