#RSAC: Lessons Learned From the Solarwinds Sunburst Attack

  • One of the most impactful attacks in recent years was the SolarWinds attack in 2021 that involved malware now known as Sunburst.

    In a panel session at the RSA Conference 2022, Sudhakar Ramakrishna, president and CEO of SolarWinds was joined by Kevin Mandia, CEO of Mandiant, Jen Easterly, director, Cybersecurity and Infrastructure Security Agency (CISA) and moderator Niloofar Razi, Sr., operating partner, Energy Impact Partners. The panel discussed lessons learned from the SolarWinds incident and how government, security vendors and private companies can all work together to help improve security.

    Easterly said that the initial SolarWinds attack was not discovered by SolarWinds or by the US Government it was discovered by Mandiant’s predecessor company, FireEye.

    “With the SolarWinds attack, even though it impacted many government agencies, it was discovered by a private sector company,” Easterly said. “That really taught me the importance of building a model where the private sector and the government are working together collaboratively to put together the pieces of the puzzle.”

    SolarWinds Lessons Learned on Disclosure

    Ramakrishna joined SolarWinds as its CEO just as the information about the attack was being discovered.

    “Suffice it to say I joined the company in unusual circumstances,” he said

    While the incident was a huge challenge, Ramakrishna said he was proud of the approach his company took to disclosure and working to remediate issues. He said that SolarWinds was committed from the beginning of the incident to being transparent about what it knew and didn’t know about the attack.

    Collaboration and communication with security partners and the US government, as well as having a sense of urgency to do something to help mitigate risks, was a key part of the process as well. Ramakrishna said that what was also important during the whole attack incident was to have humility.

    “When you think about humility, what I mean is the endeavor to constantly learn, constantly iterate and improve,” he said.

    The Sunburst attack is what is known as a supply chain attack, which Ramakrishna said isn’t a new thing necessarily. What was innovative about the attack, in his view, was the sophistication of the attackers. He explained that in a matter of a few microseconds, the attackers could inject malicious code into the SolarWinds software build system in an approach that was very difficult for any tool to identify.

    Mandia, whose organization was also impacted by the SolarWinds attack, explained that the attackers were very specific in what they took from victims. Mandia explained that the Sunburst attackers executed keyword searches that were unique to each victim, primarily going after email. Mandia noted that as soon as he became aware of the attack, he knew that it was a big deal that would need to be disclosed responsibly as quickly as possible.

    “The reason why I believe the attack got so much attention was not so much due to the maliciousness of the code that was injected itself as much as the tradecraft that went behind it, “Ramakrishna said. “It wasn’t like the run-of-the-mill virus or ransomware that has been implemented to create the most damage in the fastest possible time.”