SolarWinds Corporation is an American company that develops software for businesses to help manage their
networks,
systems, and
information technology infrastructure. It is headquartered in
Austin, Texas, with sales and product development offices in a number of locations in the United States and several other countries.[3] The company was publicly traded from May 2009 until the end of 2015, and again from October 2018. It has also acquired a number of other companies, some of which it still operates under their original names, including
Pingdom, Papertrail, and
Loggly.[4] It had about 300,000 customers as of December 2020, including nearly all
Fortune 500 companies and numerous agencies of the US federal government.[5][6]
A SolarWinds product, Orion, used by about 33,000 public and private sector customers, was the focus of a
large-scale attack disclosed in December 2020. The attack persisted undetected for months in 2020, and additional details about the breadth and depth of compromised systems continued to surface after the initial disclosure.[7] In February 2021,
Microsoft President
Brad Smith said that it was "the largest and most sophisticated attack the world has ever seen".[8]
History
SolarWinds began in 1999 in
Tulsa, Oklahoma, co-founded by Donald Yonce (a former executive at
Walmart) and his brother
Dave Yonce.[9][10][11][12] SolarWinds released its first products, Trace Route and Ping Sweep, earlier in March 1998 and released its first web-based
network performance monitoring application in November 2001.[13] According to Michael Bennett, who became the chief executive officer in 2006,[14] the name SolarWinds was chosen by an early employee and the company has nothing to do with
solar or
wind power.[15] In 2006, the company moved its headquarters to
Austin, Texas,[10] where about 300 of the company's total 450 employees were based as of 2011.[9] The company was profitable from its founding through its
IPO in 2009.[16]
During 2007, SolarWinds raised funding from
Austin Ventures,
Bain Capital, and
Insight Venture Partners.[17][18] SolarWinds completed an
initial public offering of
US$112.5 million in May 2009,[10] closing at higher prices after its initial day of trading.[15] The IPO from SolarWinds was followed by another from
OpenTable (an online
restaurant-reservation service), which was perceived to break a dry spell during the
Great Recession, when very few companies went public.[19] Both Bain Capital and Insight Venture Partners backed the IPO and used the opportunity to sell some of their shares during the offering.[16]
Analysts and company executives anticipated continued expansion post-IPO, including several acquisitions.[20] In 2010, Bennett retired as CEO and was replaced by the company's former chief financial officer Kevin Thompson.[10] In May 2013, SolarWinds announced plans to invest in an operations hub in
Salt Lake City, Utah. It was named by Forbes as "Best Small Company in America, citing high-functioning products for low costs and impressive company growth." By 2013, SolarWinds employed about 900 people.[21]
Acquisition by private equity technology investment firms
Silver Lake Partners and
Thoma Bravo, LLC. was announced in late 2015,[22][23] and by January 2016, SolarWinds was taken private in a $4.5 billion deal. At the time, the company had 1,770 employees worldwide with 510 based in Austin, and reported revenues of about half a billion dollars a year.[24]
In November 2017, SolarWinds released AppOptics which integrates much of their software portfolio, including Librato and TraceView, into a single
software-as-a-service package. AppOptics included compatibility with
Amazon Web Services and
Microsoft Azure.[25]
In September 2018, SolarWinds filed for a public offering again, after three years of being owned by private equity firms.[26] SolarWinds completed their public offering on October 19, 2018.[27]
On December 7, 2020, CEO Kevin Thompson retired, to be replaced by Sudhakar Ramakrishna, CEO of Pulse Secure, effective January 4, 2021.[1][28][29]
On January 8, 2021, SolarWinds hired former
CISA director
Chris Krebs to help the company work through the recent cyber attack.[30]
In July 2021, SolarWinds separated its
managed service provider (MSP) business from the main company. The new separately-traded public company is named N-able.[31]
Acquisitions
According to The Wall Street Journal, SolarWinds offers freely downloadable software to potential clients and then markets more advanced software to them by offering trial versions.[32] Following the funding in 2007, SolarWinds acquired several companies including Neon Software and ipMonitor Corp. and opened a European sales office in Ireland.[33]
During and after its IPO in 2009, SolarWinds acquired a number of other companies and products, including the acquisition of the New Zealand–based software maker Kiwi Enterprises, which was announced in January 2009.[34]
SolarWinds acquired several companies in 2011 and was ranked number 10 on Forbes magazine's list of fastest-growing tech companies.[35] In January 2011, it acquired Hyper9 Inc, an Austin-based
virtualization management company with undisclosed terms.[36] In July, SolarWinds completed the acquisition of the Idaho-based
network security company TriGeo for $35 million.[35][37] TriGeo's offices in
Post Falls were added to the list of SolarWinds location which already included satellite offices in
Dallas, Salt Lake City, and Tulsa, as well as operations in Australia, the Czech Republic, India, Ireland, and Singapore.[38] In 2012 SolarWinds acquired the
patch management software provider EminentWare,[39] and RhinoSoft, adding the latter company's FTP Voyager product to SolarWinds' product suite.[40]
In early 2013, SolarWinds acquired N-able Technologies, a cloud-based
information technology services provider. The deal was reportedly valued $120 million in cash.[41] In late 2013, it acquired the
Boulder, Colorado–based database
performance management company Confio Software. With the $103 million agreement, SolarWinds gained a sales office in London and Confio's main product, Ignite.[42] Between 2014 and 2015, the company acquired the Swedish web-monitoring company Pingdom,[43][44] the San Francisco–based metrics and monitoring company Librato (for $40 million),[45] and the log management service Papertrail (for $41 million).[46]
Between 2015 and 2020, SolarWinds acquired Librato (a monitoring company),[47] Capzure Technology (an
MSP Manager software to N-able which SolarWinds had previously acquired),[48] LogicNow (a remote monitoring software company),[49] SpamExperts (an email security company),[50]Loggly (a log management and analytics company),[4] Trusted Metrics (a provider of threat monitoring and management software),[51]Samanage (a service desk and IT asset management provider),[52] VividCortex (a database performance monitor),[53] and SentryOne (a provider of database performance monitoring).[54]
On December 13, 2020, The Washington Post reported that
multiple government agencies were breached through SolarWinds's Orion software.[55] The company stated in an
SEC filing that fewer than 18,000 of its 33,000 Orion customers were affected, involving versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.[5] According to
Microsoft, hackers acquired
superuser access to
SAMLtoken-signing
certificates.[56] This SAML certificate was then used to forge new tokens to allow hackers trusted and highly privileged access to networks.[57] The Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21–01 in response to the incident, advising all federal civilian agencies to disable Orion.[58]
The attack used a
backdoor in a SolarWinds
library; when an update to SolarWinds occurred, the malicious attack would go unnoticed due to the trusted certificate.[69] In November 2019, a security researcher notified SolarWinds that their
FTP server had a weak default password of "solarwinds123", warning that "any hacker could upload malicious [code]" that would then be distributed to SolarWinds customers.[70][71][72]The New York Times reported SolarWinds did not employ a
chief information security officer and that employee passwords had been posted on
GitHub in 2019.[73]
On December 15, 2020, SolarWinds reported the breach to the Securities and Exchange Commission.[74] However, SolarWinds continued to distribute malware-infected updates, and did not immediately revoke the compromised digital certificate used to sign them.[70][75][76]
On December 16, 2020, German IT news portal
Heise.de reported that SolarWinds had for some time been encouraging customers to disable
anti-malware tools before installing SolarWinds products.[77][78]
On December 17, 2020, SolarWinds said they would revoke the compromised certificates by December 21, 2020.[79]
On December 21, 2020,
Attorney General William Barr stated that he believed that the SolarWinds hack appears to have been perpetrated by Russia, contradicting speculations by
President Donald Trump that China, not Russia, might be to blame.[80]
In late December 2020,
Trustwave, a cybersecurity firm, reached out to SolarWinds to report new security flaws they had discovered in software produced by SolarWinds. Although these vulnerabilities hadn't been taken advantage of by hackers, it raised questions concerning the network security of SolarWinds' customers.[81]
The magnitude of the monetary damage has yet to be calculated, but on January 14, 2021,
CRN.com reported that the attack could cost cyber insurance firms at least $90 million.[82][83]
On March 1, 2021, SolarWinds CEO, Sudhakar Ramakrishna, blamed a company intern for using an insecure password ("solarwinds123") on their update server. Speculation that this led to the attack is discounted by the company and security professionals.[84][85] More than the intern using a weak password, experts noted that the main issue this fact highlights is the poor security culture the company has.[86]
In the aftermath of the incident there has been question raised within the US Government about the role Microsoft carried blame in enabling the breach. This relates to the "golden SAML" vulnerability in Microsoft's directory offerings that the company had knowledge of but did not address. Senator Ron Wyden questions why the US Government spent so much money on Microsoft software without the company warning it of this hacking technique.[87]
SUPERNOVA
On December 19, 2020, Microsoft said that its investigations into supply chain attacks at SolarWinds had found evidence of an attempted supply chain attack distinct from the attack in which SUNBURST malware was inserted into Orion binaries (see previous section).[88][89] This second attack has been dubbed SUPERNOVA.[88][89]
Security researchers from Palo Alto Networks said the SUPERNOVA malware was implemented stealthily.[90] SUPERNOVA comprises a very small number of changes to the Orion source code, implementing a web shell that acts as a
remote access tool.[90][91] The shell is assembled in-memory during SUPERNOVA execution, thus minimizing its forensic footprint.[90]
Unlike SUNBURST, SUPERNOVA does not possess a digital signature.[90] This is among the reasons why it is thought to have originated with a different group than the one responsible for SUNBURST.[90][92]
Insider trading claims
SolarWinds's share price fell 25% within days of the SUNBURST breach becoming public knowledge,[74] and 40% within a week.[93] Insiders at the company had sold approximately $280 million in stock shortly before this became publicly known,[94] which was months after the attack had started. A spokesperson said that those who sold the stock had not been aware of the breach at the time.[1][95][96]
Microsoft guidance on service provider and downstream business attacks
In November 2021 Microsoft issued an alert[97] in relation to the advanced persistent threat (APT) actor Nobelium (aka APT29; Cozy Bear) that was responsible for the 2020 SolarWinds supply chain attack is targeting cloud service providers (CSPs), managed service providers (MSPs), and other IT service providers. Microsoft Threat Intelligence Center (MSTIC) released a range of recommendations for service providers and downstream businesses to implement in order to address the threat.[citation needed]
Class action lawsuit
In January 2021, a class action lawsuit was filed against SolarWinds in relation to its security failures and subsequent fall in share price.[98][99] SolarWinds attempted to have this case dismissed; in March 2022, a judge ruled that the class action lawsuit could move forward.[100] SolarWinds settled the suit for $26 million in November 2022, and was notified by the SEC that it intended to take enforcement action.[101]
^Gallanger, Ryan, Donaldson, Kitty, et al. (15 December 2020). "U.K. Government, NATO Join U.S. in Monitoring Risk From Hack".
Bloomberg News websiteArchived December 15, 2020, at the
Wayback Machine Retrieved 15 December 2020.
^Field, Matthew. (16 December 2020). "SolarWinds shareholders sold $280m days before breach was revealed".
The Telegraph websiteArchived December 20, 2020, at the
Wayback Machine Retrieved 16 December 2020.