{"id":28994,"date":"2025-10-18T21:25:50","date_gmt":"2025-10-18T21:25:50","guid":{"rendered":"https:\/\/naijaglobalnews.org\/?p=28994"},"modified":"2025-10-18T21:25:50","modified_gmt":"2025-10-18T21:25:50","slug":"i-lost-25-pounds-in-20-days-what-its-like-to-be-on-the-frontline-of-a-global-cyber-attack-cybercrime","status":"publish","type":"post","link":"https:\/\/naijaglobalnews.org\/?p=28994","title":{"rendered":"\u2018I lost 25 pounds in 20 days\u2019: what it\u2019s like to be on the frontline of a global cyber-attack | Cybercrime"},"content":{"rendered":"<p>\n<\/p>\n<p class=\"dcr-130mj7b\">Tim Brown will remember 12 December 2020 for ever.<\/p>\n<p class=\"dcr-130mj7b\">It was the day the software company SolarWinds was notified it had been hacked by Russia.<\/p>\n<p class=\"dcr-130mj7b\">Brown, the chief information security officer at SolarWinds, immediately understood the implications: any of the company\u2019s more than 300,000 global clients could be affected too.<\/p>\n<p class=\"dcr-130mj7b\">The exploit allowed the hackers remote access to the systems of customers that had installed SolarWinds\u2019 network software Orion, including the US treasury department, the US department of commerce\u2019s National Telecommunications and Information Administration, along with thousands of companies and public institutions.<\/p>\n<p class=\"dcr-130mj7b\">Brown says he was \u201crunning on adrenaline\u201d in the first few days after the attack.<\/p>\n<p class=\"dcr-130mj7b\">It was during the early stages of the Covid pandemic when full-time work-from-home was the norm, but the company\u2019s email was compromised and couldn\u2019t be used to communicate with staff.<\/p>\n<p class=\"dcr-130mj7b\">\u201cWe gave up on the phones and just everybody came into the office and we got Covid testing,\u201d Brown says. 
\u201cI lost 25 pounds in about 20 days \u2026 just going, going, going.\u201d<\/p>\n<p class=\"dcr-130mj7b\">He appeared on CNN and 60 Minutes, and in every major newspaper.<\/p>\n<p class=\"dcr-130mj7b\">\u201cThe world\u2019s on fire. You\u2019re trying to get information out and trying to have people understand what\u2019s safe and what\u2019s not safe.\u201d<\/p>\n<p class=\"dcr-130mj7b\">The company switched to Proton email and Signal while its email was compromised, Brown says. He was taking calls from companies and government agencies across the globe, including the US army and the Covid vaccine program Operation Warp Speed.<\/p>\n<p class=\"dcr-130mj7b\">\u201cYou get the world wanting verbal communication not written communication. And that is a kind of an important lesson: you can write things down, but they want to talk to the [chief information security officer],\u201d says Brown, who spoke at Melbourne\u2019s CyberCon on Friday.<\/p>\n<p class=\"dcr-130mj7b\">\u201cThey want to be able to hear colour around the outside of it, so very important to be prepared for that kind of response.\u201d<\/p>\n<h2 id=\"how-the-cyber-attack-unfolded\" class=\"dcr-12ibh7f\">How the cyber-attack unfolded<\/h2>\n<p class=\"dcr-130mj7b\">The notification about the hack came in a phone call from Kevin Mandia, the founder of the cybersecurity firm Mandiant, to SolarWinds\u2019 then CEO Kevin Thompson.<\/p>\n<p class=\"dcr-130mj7b\">Mandia told Thompson that SolarWinds had \u201cshipped tainted code\u201d to its Orion software, which helps organisations monitor outages on their computer networks and servers.<\/p>\n<p class=\"dcr-130mj7b\">The exploit in Orion was being used to attack government agencies, Mandia told Thompson.<\/p>\n<p class=\"dcr-130mj7b\">\u201cWe could see in that code [it] was not ours, so when we got that, it was \u2018all right, this is real\u2019,\u201d Brown recalls.<\/p>\n<p><span class=\"dcr-1inf02i\"><\/span><span class=\"dcr-1qvd3m6\">Brown says 
SolarWinds was not the key target of the hack but \u2018a route to the target\u2019.<\/span> Photograph: Sean Davey\/The Guardian<\/p>\n<p class=\"dcr-130mj7b\">The Texas-based SolarWinds determined that 18,000 people had downloaded the tainted product, which the hackers, later attributed to the Russian Foreign Intelligence Service, were able to insert into Orion in the build environment where source code is turned into software.<\/p>\n<p class=\"dcr-130mj7b\">The news broke on the Sunday. SolarWinds notified the stock market before it opened on Monday.<\/p>\n<p class=\"dcr-130mj7b\">The original estimate that up to 18,000 clients could be affected was later revised down to about 100 government agencies and companies that actually were.<\/p>\n<p class=\"dcr-130mj7b\">\u201cIt would have been nice to know that on day one, but that was the truth of the matter, right?\u201d Brown says. \u201cWe weren\u2019t really the target. We were just a route to the target.\u201d<\/p>\n<p class=\"dcr-130mj7b\">SolarWinds called in CrowdStrike, KPMG and the law firm DLA Piper to deal with the response and investigation.<\/p>\n<h2 id=\"aftermath-the-heart-attack\" class=\"dcr-12ibh7f\">Aftermath: the heart attack<\/h2>\n<p class=\"dcr-130mj7b\">SolarWinds stopped work on new features for the next six months and its team of 400 engineers focused on systems and security to get the company back on its feet.<\/p>\n<p class=\"dcr-130mj7b\">\u201cWe really took transparency to heart \u2013 how can we make sure people realise [what] threat actor models [are out there], what they do, how they do reconnaissance, how they then do an attack [and] how they then leave.\u201d<\/p>\n<p class=\"dcr-130mj7b\">Brown says the company\u2019s customer renewal rate fell into the 80% range in the first few months after the incident, but has since returned to more than 98%.<\/p>\n<p class=\"dcr-130mj7b\">But then came the legal implications.<\/p>\n<p class=\"dcr-130mj7b\">The Biden administration imposed 
sanctions and expelled Russian diplomats in 2021, partly in response to the attack.<\/p>\n<p class=\"dcr-130mj7b\">SolarWinds settled a class action lawsuit over the attack in 2022 for US$26m. The Securities and Exchange Commission (SEC) then filed a lawsuit against SolarWinds and Brown personally in October 2023, accusing the company and Brown of misleading investors over its claims about cybersecurity protections, and failing to disclose known vulnerabilities.<\/p>\n<p><span class=\"dcr-1inf02i\"><\/span><span class=\"dcr-1qvd3m6\">Brown has remained at SolarWinds since the cyber-attack.<\/span> Photograph: Sean Davey\/The Guardian<\/p>\n<p class=\"dcr-130mj7b\">Brown was in Zurich when he found out he was being charged.<\/p>\n<p class=\"dcr-130mj7b\">\u201cWhen I walked up a hill, I would lose my breath. My arms would get heavy, my chest would get tight. I was just not getting enough oxygen,\u201d he says. \u201cI did a silly thing. I flew home \u2026 I couldn\u2019t walk from the terminal to my car without stopping. That\u2019s a walk I had done thousands of times.\u201d<\/p>\n<p class=\"dcr-130mj7b\">He was having a heart attack. When he got home, his wife took him to the hospital, where he underwent surgery. He has since recovered.<\/p>\n<p class=\"dcr-130mj7b\">\u201cStress keeps building up and I thought I was managing it well and I didn\u2019t proactively go to a doctor,\u201d he says.<\/p>\n<p class=\"dcr-130mj7b\">Brown says he now advocates for companies going through similar incidents to employ psychiatrists to help staff process the stress.<\/p>\n<p class=\"dcr-130mj7b\">\u201cThe stress level was pumped up, and then it just went over the edge, but stress was building up all the time.\u201d<\/p>\n<p class=\"dcr-130mj7b\">A confidential jointly proposed settlement with the SEC was announced in July, but has yet to be approved. 
The US government shutdown has delayed the finalisation of the agreement.<\/p>\n<p class=\"dcr-130mj7b\">Brown has remained with SolarWinds throughout the process.<\/p>\n<p class=\"dcr-130mj7b\">\u201cIt happened on my watch, that\u2019s how I look at it. There are reasons why it occurred, nation state attack, et cetera, but still it happened on my watch,\u201d he says.<\/p>\n<p class=\"dcr-130mj7b\">\u201cI guess I\u2019m stubborn. But it was just very important for us to get through this whole cycle, so leaving wasn\u2019t an option until it was done.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Tim Brown will remember 12 December 2020 for ever. It was the day the software company SolarWinds was notified it had been hacked by Russia. Brown, the chief information security officer at SolarWinds, immediately understood the implications: any of the company\u2019s more than 300,000 global clients could be affected too. The exploit allowed the hackers<\/p>\n","protected":false},"author":1,"featured_media":28995,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52],"tags":[3641,1151,546,11968,1123,96,10067],"class_list":{"0":"post-28994","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technology","8":"tag-cyberattack","9":"tag-cybercrime","10":"tag-days","11":"tag-frontline","12":"tag-global","13":"tag-lost","14":"tag-pounds"},"_links":{"self":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/28994","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/naijaglobalnew
s.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=28994"}],"version-history":[{"count":0,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/posts\/28994\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=\/wp\/v2\/media\/28995"}],"wp:attachment":[{"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=28994"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=28994"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/naijaglobalnews.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=28994"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}