It may seem odd that an obscure Austin, Texas-based company is believed to be at the center of a widespread Russian hacking campaign against the U.S. government and private companies. But experts say it makes a perfect target.
That's the situation that SolarWinds finds itself in. The network management company was the target of hackers working for a "nation-state," CEO Kevin Thompson said in a statement Monday. The breach is serious enough to have triggered an emergency directive from the U.S. Cybersecurity and Infrastructure Security Agency, instructing all government agencies to halt the use of a compromised version of SolarWinds software that was delivered by an automatic software update.
Like many business technology companies, SolarWinds may not be a household name, but its reach extends around the world. Its primary service is to provide software that manages devices on large computer networks used around the world. The company said it has more than 300,000 customers around the world, including a number of U.S. agencies and most Fortune 500 companies, although it removed the claim from its website Monday.
That deep access to secretive networks that tend to have strong cybersecurity means hackers are going to go after companies like SolarWinds, said Dmitri Alperovitch, a co-founder of the cybersecurity firm CrowdStrike and chair of the Silverado Policy Accelerator.
"It's the ultimate supply chain hack," Alperovitch said in a phone interview. "It's a company that's got remote access to hundreds of thousands of organizations around the world, including some of the biggest companies and the most critical government agencies. And by simply compromising them, you immediately open up the door to all these targets.
"There are lots of companies like this that provide information technology management capabilities, cybersecurity capabilities, that many people would not be aware of but have incredible access to network infrastructure," he said.
The culprit was Russia's SVR intelligence agency, according to a private cybersecurity official briefed about the matter, and the list of victims includes the Commerce Department, the cybersecurity firm FireEye and, according to reports, the Department of Homeland Security.
Michael Daniel, President Barack Obama's White House cybersecurity adviser, said spies working for an agency like the SVR would be willing to put substantial effort into hacking a company like SolarWinds, given how much payoff it could provide.
"It would give you big, broad access to a network," said Daniel, the head of the Cyber Threat Alliance, an industry group that coordinates information sharing among cybersecurity companies. "It's the kind of target a foreign intelligence service would select and work over an extended period of time in order to gain access to carry out their espionage mission."
While the potential access that the SVR has had for several months is enormous, Alperovitch said, the agency would at least be limited by how many trained officers could leverage the hack.
"The good news here, if you want to look for a silver lining, is no intelligence agency has enough human power to go after everyone," he said.
"That's the good news. The bad news is they had nine months to cherry-pick and go after the best of the best."