In December of 2020, it was revealed that a software company called Solar Winds had been breached by a group of hackers believed to be controlled by the Russian government. While companies get hacked all the time, this breach was far more serious than anything that had happened before. This is because it was a so-called supply chain attack. The hackers weren't interested in Solar Winds in and of itself.

Rather, they used Solar Winds to create back doors into its customers. Solar Winds had a near Monopoly in its Niche with over 275,000 customers, including 425 of the Fortune 500 companies and hundreds of government agencies around the world by hacking into Solar Winds. The Russian Intelligence: Services were able to plant back doors into all of Solar Winds customers, allowing them to download some of the most sensitive data from thousands of the world's most important corporations and government entities. In the aftermath of the attack.

Solar Winds Tred to defend themselves by emphasizing the sophisticated nature of the hackers. Being a relatively small company as they were, they didn't have the resources to defend against a well-planned attack from an adversarial nation state, but recent Revelations paint a different picture. In October of 2023, the Securities and Exchange Commission filed charges against Solar Winds and its Chief Information Security Officer Timothy Brown who held that position before the hack and retains his position to this day. According to the complaint, Solar Wind's senior management team knew about the egregious cyber security vulnerabilities for years before the attack.

Not only did they fail to remedy these vulnerabilities, they actively deceive their customers and investors about these risks. In this video, we'll tell a story of how years of incompetence created the conditions for the largest Cyber attack in US history. Solar Winds is an Enterprise software company. Their main product Orion helps it professionals monitor their internal servers and other it infrastructure for example, a large corporation.

May operate dozens or even hundreds of servers. Orion allows an IT professional to monitor whether or not these servers are all functioning properly. If some of the servers are over utilized, they can route workloads to underutilized servers and vice versa, which increases efficiency and allows for faster Computing across the organization. For Orion to work, the customer must indirectly give Solar Winds access to all of its servers.

This requires customers to have a high degree of trust between Solar Winds and its customers. Customers must be confident that Solar Winds will safeguard access to their servers and take prudent measures to prevent cyber attacks to reassure their customers. Solar Winds published a lengthly security statement on their website which outlined the company cyber security measures specifically. They claim that all of their products are developed based on a secure development life cycle.

The secure development life cycle follows Standard Security practices including vulnerability testing, regression testing, penetration testing, and product security assessments. They also claim to enforce a rigorous password policy. Internal passwords were to be changed every 90 days, have a minimum length of eight characters, and include three of the four following characteristics: uppercase letter, lowercase letter, a number, and non a numeric character. All their databases of passwords would be encrypted, so even if a hacker was able to access the raw data in the database, they shouldn't be able to read the passwords.

Over the years, Solar WIS established Orion as the leading Network management software by 2020. They bragged that they had 275,000 customers, including 425 of the US Fortune 500, all five branches of the US military, numerous government agencies, and all the top five Us accounting firms. It's not uncommon for companies to brag about their high-profile customers. This is a great way to burnish your image and gain credibility.

but this impressive customer list was also noticed by the Kremlin for all the wrong reasons. Most major governments, including Russia China Iran, and probably even the United States employ thousands of hackers whose sole goal is to breach their adversaries government servers in an attempt to gain a geopolitical Advantage for Russia, The biggest price would be to hack into the US Military and other government agencies. Of course, the US government knows this. so they enforce strict cyber security measures, conduct extensive background checks on government employees, and only allow employees to use secure government-owned computers.

This makes it extremely difficult to hack a government agency directly. When the front door is too strong, you start looking for side windows, and Solar Winds was the perfect side window. They bragged that all branches of the US Military and numerous government agencies use their software. Thus, compromising Solar Winds would be a veritable gold mine for Russia's intelligence agencies.

Remember that Solar Winds predit fin its commitment to cyber security. As outlined by their security statement, this perception of Solar Winds as a safe cyber counterparty was a key selling point for potential customers. As early as 2018, some Solar Winds employees took note that for many of their products, they did not implement the cyber security protocols that they advertise in their security statement. In an internal email dated January 2018, a Solar Winds employee said quote: I've gotten feedback that we don't do some of the things that are indicated in the security statement.

Secure Development Life Cycle section. There there is Improvement needed to be able to meet the security expectations of a secure development life cycle. We will be working with teams throughout 2018 to begin incorporating the Sdl into their development life cycle. Unquote, Solar Winds knew that they were not in compliance with their own security statement, which they advertise to their customers.

Their original plan was to work hard throughout 2018 to come into compliance. Of course, this didn't happen and the reason for this is simple greed. Developing and maintaining software, especially software as complicated as what So Winds made, is a difficult and labor intensive process. Making software that has robust as cyber attacks is even harder.

Software Engineers are expensive and Solar Winds only had a limited number of them. They wanted the majority of their programmers to focus on developing and launching new products as that's the driver of Revenue growth. They don't want to divert resources to cyber security as that doesn't directly generate. Revenue They only had a skeleton team dedicated to cyber security and this team was completely overwhelmed.

They were identifying huge numbers of vulnerabilities but didn't have time to fix them all so the number of known vulnerabilities just kept piling up. One of these overwhelmed employees emailed his colleague saying quote: we filed more vulnerabilities than we fixed and by fix it often means just a temporary fix. But the problem is still there and it's Huge. I Have no idea what we can do about it.

Even if we started to hire like crazy, which we most likely will not, it will still take years. Can't really figure out how to UNF This situation? Not good. Unquote: hiring more cyber Security employees would cost money, which would mean lower profits. This was something that Solar Wind senior Management team wasn't willing to accept.

Perhaps the most outrageous example of Solar Wind cyber security incompetence was uncovered by an independent Cyber Security researcher in 2019. India Based Cyber Security researcher Venth Kumar stumbled across a publicly available GitHub repository posted by a Solar Winds intern. This code contained the password to one of the company's servers, which was Solar Winds 123. As it turns out, many of the passwords throughout the organization were not strong.

For example, the default passwords for many of their products was the word password. Many of their passwords were stored in unencrypted plain text files. It is not believ that the hackers used this specific GitHub repository to infiltrate Solar Winds, but it shows the lack of internal controls at the company Whereby an intern was in charge of sending the password to one of their servers. he was apparently not told that he shouldn't be putting all the code on GitHub for the world to see.

Hackers would eventually exploit a much more fundamental and systemic vulner ility. Many of Solar Wind's employees worked from home. They were not required to use company computers. They could work using their own computers and cell phones to access Solar Wind's virtual private Network or VPN.

On Solar Wind's company computers, they had data loss prevention software. This notifies administrators when someone downloads sensitive files, makes changes to various security settings, or uploads code to Solar Wind servers. This software has to be installed on their computer. So for remote employees using their own computers, whatever the employe employee does is basically untraceable.

In 2018, a Solar Winds employee notified his superiors about this vulnerability. In an internal email. He complained that when accessing the Solar Wind's VPN, an employee can basically do whatever they want without us detecting it until it's too late. Despite this warning, Timothy Brown and the Solar Winds Information Security Team did nothing to fix this vulnerability.

They presumably decide that fixing this problem would be too complicated and costly. They just take their chances and hope for the best in or around. Jan Ar Ar of 2019 A group of hackers now believed to be connected to the Russian Intelligence Services were able to obtain credentials to log into Solar Wind's VPN remotely. It is not known how they obtained these credentials.

They may have stolen it from a Solar Winds employee via a fishing attack, but given Solar WIS failure to enforce its password strength policy, it's also possible that they just guessed the password because of the vulnerabilities discussed previously. Solar Went administrators had no way of knowing that an unauthorized actor had gained access to their corporate Vbn due to Solar Winds liberal use of Admin permissions. The credentials stolen by the hackers were for an Admin account. They were thus able to access privileged databases with customer information and disable antivirus software from the inside.

The hacker downloaded 7 million internal Solar Winds emails which contained a treasure Trove of information about cyber security vulnerabilities across the organization. Once inside the company, VPN the hackers were able to access Solar Wind software development environment and insert malicious code into the update packages for the Orion platform. These updates were installed by customers between March and June of 2020. Remember that to use the Orion platform, the customer must give it access to the various servers that it will manage.

Thus, Orion had access to just about all the data across their customer servers. In total, 18,000 customers installed updates with the malware included. While the hackers technically had access to 18,000 companies, they only infiltrated the servers of an estimated 40 to 50 organizations. Whenever they enter an Orion customer servers and start downloading data, there's a chance that they'll be detected by that organization's own cyber security protocols.

Given the risk, it's only worthwhile for the hackers to steal data from a select number of high value targets. These targets include the US Departments of Treasury Homeland Security State and defense. The private sector corporations impacted were primarily technology companies, including Microsoft Intel Cisco VMware and the cyber security firm Fireye. The choice of targets is quite interesting.

The hackers focus on technology and cyber security companies. remember that once they start breaching the customer servers, they risk being exposed. Obviously, the riskiest company to breach is a cyber security company, as they are the most capable of detecting the penetration. To take this risk, the reward must have been commensurately high.

The hackers were playing the long game. They specifically wanted to infiltrate cyber security companies so they could figure out vulnerabilities in existing cyber security methods. This will allow them to perform even more successful hacks going forward. In May of 2020, an unidentified US government agency, which which used the Orion software, noticed that it was making unusual attempts to contact unknown websites.

it appeared that the Orion software had been compromised. The government agency contacted Solar Winds, asking them to investigate. Solar Winds Security team indeed found evidence that a hacker had likely had access to the Orion platform since at least mid 2019, But due to their understaffing and poor detection measures, they were unable to identify the source of the breach as Chief Information Security Officer Timothy Brown was aware of this breach and realized that there was a huge number of vulnerabilities across the platform. Given the underst Staffing of the security team, it would likely take them years to identify the root cause of the breach and fix all the associated vulnerabilities.

They never disclos these issues to their investors or customers. All the while Brown was busy dumping his personal Holdings of Solar Wind stock. After he was made aware of the breach at the US Government Agency, he sold well over $100,000 worth of Solar Win shares. In October of 2020, an unidentified cyber security firm which was also a customer contacted Solar Winds saying that they had been the victim of a Cyber attack seemingly related to the Orion platform.

The details of the breach were extremely similar to the breach of the US government agency in May. Thus, at this point, the Orion platform had undoubtedly been compromised. The hackers were able to use this as a back door into multiple of their customers. Solar Winds told the second victim that there had been no previous issues with the Orion platform.

This was a blatant lie. Telling the truth about the compromise would risk causing their customers to lose confidence and cancel their subscription so they decide that they are better off covering it up and hoping the breach goes undetected. The Shad finally came to an end in December of 2020 when the hackers used the Orion back door to infiltrate a cyber security company called Firey in early. December Fire's It team received a request from an employee to register a second cell phone for two-factor authentication.

Out of an abundance of caution, the IT team called that employee asking if he indeed was trying to register a second phone. The employee had no idea what they were talking about. He didn't even have a second cell phone. At this point, Firey knew that they had been breached.

A hacker had somehow stolen that employees credentials and was trying to register their own phone to do two. Factor Authentication Being a cyber security company, Firey have the tools to find the root cause of the breach. The hacker was highly sophisticated and hid their tracks well. According to Fire Eyes.

CEO, they had to manually look through over 50,000 lines of code across all their servers and software before finally identifying the malicious back door. Sure enough, they found that the malware was hiding in an update to the Orion platform, which they had installed a few months prior. They named the attack Sunburst and went public with their findings on December 13th. At this point, Solar Winds was no longer able to cover up the breach.

They had to admit that thousands of their customers, including dozens of US government agencies, were likely affected. One of the most shocking things about the Solar Winds Affair is despite the extreme incompetence that allowed the breach to occur, none of the senior management team has been fired. To be fair, the CEO Sudakar Ramach Krishna was hired on December 9th just days before before the Cyber attack was exposed. The previous CEO stepped down for reasons unrelated to cyber security, but it's a different story for Chief Information Security Officer Timothy Brown.

He knew of the company's vulnerability since at least 2018, lied to Solar Wind's customers about their cyber security practices, and actively tried to cover up the breach even after the evidence became irrefutable in October of 2020. He is currently defending himself against the fraud lawsuit brought by the SEC for these exact reasons. He had one job for which he failed completely completely and in the most egregious way yet to this day, he retains his position. While the Sunburst breach exposes the vulnerability of cyber attacks in an increasingly digitized World, there is one silver lining.

No matter how sophisticated a hacking group is, they don't have superpowers. The only reason they were able to hack Solar Winds is because of vulnerabilities that Solar Wind senior management team knew about but failed to fix for years. From a technical perspective, the tools to defend against such cyber attacks already exist. The real problem is that many corporations under invest in cyber security in an effort to cut costs and boost short-term profits ultimately at the expense of National Security Until corporate executives are held accountable for their failures, this is unlikely to change.

All right guys, that wraps it up for this video. What do you think about Solar Winds? Why do you think they didn't fire? Timothy Brown After his failings were exposed, let us know in the comments section below. if you've enjoyed this video, make sure you subscribe to the channel so we can bring you the most important stories in the worlds of business economics. And Technology As always, thank you so much for watching and we'll see you in the next one! Wall Street Millennial Signing out.