The SolarWinds supply chain attack began at least as early as January 2019, according to SolarWinds President and CEO Sudhakar Ramakrishna during a Wednesday keynote at RSA Conference 2021.
The session -- titled "SolarWinds: What Really Happened?" -- concluded the morning's keynote sessions on the third day of this year's RSA Conference. In an interview format, Forrester Vice President and Group Director Laura Koetzle asked Ramakrishna about the massive supply chain attack disclosed last December and how he and the company responded to the breach.
The biggest revelation from the discussion was that, through the assessment of hundreds of terabytes of data, SolarWinds now believes the attack began earlier than the company previously reported.
"What we have found more recently is that the attackers may have been in our environment as early as January 2019. We published, obviously, that it was in the September-October timeframe, but as we looked back, they were doing very early recon activities in January 2019, which explains, I would say, what they were able to do in September-October 2019 as well," Ramakrishna said.
As for the rest of the discussion, it began with a timeline of the events following initial disclosure.
Multiple points were touched on, including SolarWinds' announcement on Dec. 9 that Ramakrishna would become SolarWinds CEO on Jan. 4, and how Ramakrishna found out about the compromise of SolarWinds' Orion IT performance monitoring platform during his birthday dinner on the night of Dec. 12; the compromise became public knowledge the next day.
The CEO recalled the story of when SolarWinds Chief Administrative Officer Jason Bliss, then chief legal officer, called Ramakrishna to give him the news that a backdoor had been found, though many of the details weren't known at the time.
"When you talk about backdoors, not immediately does a supply chain backdoor come to your mind because there's a lot of different ways backdoors can be installed," Ramakrishna said. "What I said to him at the time was, it's quite ironic that he talked to me about a security incident that day, because just that morning, as I was preparing for January 4, and I was preparing a list of things to focus on -- one of them being the security posture of the company -- I did not realize at that time that I would be focused on that as my top priority when I joined the company."
When the true scope of the attack was revealed, the then-incoming chief executive "received a lot of feedback" from people in his life advising him to back out of the job, telling Ramakrishna that he "had nothing to prove." He stayed with SolarWinds, he said, out of his self-described stubborn optimism.
In a discussion with SolarWinds Chairman William Bock, Ramakrishna offered to step down in favor of former CEO Kevin Thompson if maintaining continuity was necessary. Ultimately, Ramakrishna became CEO as planned and had the support of Thompson to navigate the crisis.
"I felt that continuity and urgency were super important in this situation, and having a new CEO come in and figure out the team, figure out the procedures, understand the issues could be time-consuming," Ramakrishna said. "And I had offered to [Bock], if the right decision was to continue on with the previous CEO, that I would be totally fine, given the needs of the company and given the needs of the customers."
Koetzle and Ramakrishna also discussed customer outreach, lessons learned from Ramakrishna's previous CEO experience at Pulse Secure and how attackers stayed undetected -- namely by "doing everything possible to hide in plain sight," though he did not describe any specific tactics or techniques that the attackers used.
Concluding the discussion, Ramakrishna was asked about whether he had fired or would fire certain personnel like CISO Tim Brown following the supply chain attack. Ramakrishna said he got a variety of advice on the topic but decided against following it because he sees Brown as highly competent and believes no one employee was responsible for the attack.
Ramakrishna was also asked about the unnamed intern who was blamed for creating a weak password to protect company resources during the SolarWinds congressional hearing on Feb. 26. During the hearing, Ramakrishna and Thompson were asked by committee members about reports that some SolarWinds resources were protected with weak passwords such as "solarwinds123." Thompson said it was a mistake made by an intern that violated the company's password policies.
During the keynote, Ramakrishna expressed regret for the remark.
"What happened at the congressional hearings where we attributed it to an intern was not appropriate and was not what we are about," Ramakrishna said. "We have learned from that, and I want to reset it here by saying that we are a very safe environment, and we want to attract and retain the best talent."
Alexander Culafi is a writer, journalist and podcaster based in Boston.