Tim Brown will always remember December 12, 2020.
This was the day SolarWinds, a software company, learned it had been hacked by Russia.
As the chief information security officer, Brown quickly grasped the impact. The hack could potentially affect any of the company’s more than 300,000 customers globally.
The breach enabled hackers to remotely access systems of customers using SolarWinds’ Orion networking software, which included the U.S. Department of the Treasury, the National Telecommunications and Information Administration, and numerous businesses and public organizations.
Brown mentioned he was “running on adrenaline” during the initial days following the breach.
Amid full-time remote work due to the COVID-19 pandemic, the company’s email system was compromised, rendering it unusable for internal communication.
“We stopped taking calls, and everyone came into the office for COVID-19 testing,” Brown recalled. “I lost 25 pounds in about 20 days. I just kept going.”
He has been featured on CNN and 60 Minutes, along with major newspapers.
“The world is on fire. We’re working to inform people about what is secure and what isn’t.”
Brown indicated the company moved to Proton email and Signal during the email breach, as he received calls from companies and government entities worldwide, including the U.S. military and the COVID-19 vaccine initiative, Operation Warp Speed.
“People prefer spoken communication to written communication. That’s a crucial lesson. You can document things, but people want personal interaction,” said Brown during a talk at Cybercon in Melbourne.
“They want to hear the nuances, so it’s vital to be ready for that kind of response.”
How did the cyberattack unfold?
The notification of the breach came via a call from Kevin Mandia, the founder of cybersecurity firm Mandiant, to SolarWinds’ then-CEO, Kevin Thompson.
Mandia informed Thompson that SolarWinds had “shipped contaminated code” within its Orion software, which aids organizations in monitoring their networks and servers for outages.
According to Mandia, the exploits in Orion were utilized to infiltrate government agencies.
“What you can see from that code is that it wasn’t ours, so we realized right away this was serious,” Brown recalled.
Brown stated that SolarWinds was not the main target of the hack but served as a “conduit to it.” Photo: Sean Davey/The Guardian
The Texas-based company discovered that 18,000 people had downloaded the contaminated product, and hackers, later attributed to Russia’s Foreign Intelligence Service, managed to inject it into Orion’s build environment where the source code is converted into software.
The news broke on a Sunday, and SolarWinds released the announcement before the stock market opened on Monday.
Initial estimates suggested that as many as 18,000 customers might be impacted, which later adjusted down to approximately 100 government agencies and businesses that were truly affected.
“I wish I had known that on the first day, but that’s the reality,” Brown says. “We weren’t specifically the target; we were merely a gateway to it.”
SolarWinds enlisted the help of CrowdStrike, KPMG, and law firm DLA Piper to respond and investigate.
Aftermath: heart attack
For the next six months, SolarWinds suspended the development of new features and redirected its team of 400 engineers to focus on systems and security to restore the company’s stability.
“We prioritized transparency—how can we ensure people understand what threats there are, how those actors operate, how they gather information, how they execute attacks, and how they withdraw?”
Brown noted that the company’s customer renewal rate dropped to around 80% in the aftermath but has since risen back to over 98%.
However, legal consequences soon followed.
In 2021, the Biden administration enacted sanctions and expelled Russian diplomats in response to the attack.
In 2022, SolarWinds settled a class action suit related to the incident for $26 million. The Securities and Exchange Commission (SEC) initiated a lawsuit against SolarWinds and Brown personally in October 2023, alleging that the company and Brown misled investors regarding cybersecurity measures and failed to disclose known vulnerabilities.
Mr. Brown has remained with SolarWinds since the cyberattack. Photo: Sean Davey/The Guardian
Brown was in Zurich when he became aware of the charges.
“As I ascended a hill, I felt out of breath, my arms were heavy, and my chest was tight—I wasn’t getting enough oxygen,” he recalled. “I made a poor decision and flew home. I couldn’t walk from the terminal to my car without pausing; it was a journey I had made countless times.”
He was experiencing a heart attack. Upon returning home, his wife took him to the hospital for surgery, after which he recovered.
“The stress continued to mount, leading me to think I was handling it well without proactively visiting a doctor,” he explained.
Now, Brown is advocating for companies facing similar crises to engage psychiatrists to assist employees in managing stress.
“My stress levels were at a peak, and I was really close to the edge, though the pressure had been building for a while.”
A proposed confidential settlement with the SEC was announced in July but still awaits approval. The finalization of the agreement has faced delays due to the U.S. government shutdown.
Mr. Brown has remained with SolarWinds throughout this entire ordeal.
“This happened on my watch, and that’s how I perceive it. There are factors that contributed, like a state-sponsored attack, but it still occurred under my supervision,” he reflected.
“I admit I can be stubborn, but it was paramount for us to navigate this entire process, and leaving before it was resolved wasn’t an option.”
Source: www.theguardian.com
