SolarWinds CEO reveals much earlier hack timeline, regrets company blaming intern

The new SolarWinds timeline places the earliest activity at around eight months earlier than previously disclosed.
SolarWinds CEO Sudhakar Ramakrishna attends a Senate Intelligence Committee hearing on Capitol Hill on February 23, 2021 in Washington, DC. The hearing focused on the 2020 cyberattack that resulted in a series of major data breaches within several U.S. corporations and agencies and departments in the U.S. federal government. (Photo by Demetrius Freeman-Pool/Getty Images)

SolarWinds saw signs of hackers invading their networks as early as January of 2019, about eight months earlier than the previously publicly disclosed timeline for the sweeping cyber-espionage campaign, and nearly two years before anyone discovered the breach.

SolarWinds CEO Sudhakar Ramakrishna said in an appearance at the 2021 RSA Conference that while the federal contractor had once estimated the hackers’ first suspicious activity at around September or October of 2019, the company has “recently” learned that the attackers may have in fact “been in our environment” much earlier.

“As we look back, they were doing very early [reconnaissance] activities in January of 2019,” he said.

Ramakrishna’s revelation provides a deeper understanding yet of the stealthy nature of what U.S. government officials and cybersecurity firms have labeled an incredibly sophisticated attack, even by the standards of the alleged Russian government-connected hackers behind the effort. By leveraging seemingly trustworthy updates of SolarWinds Orion software, the culprits were able to breach nine government agencies and many more private sector companies.


“We were looking for all the usual clues — when you go through an investigation, you have a checklist, you have a set of hypotheses, you try to map things,” Ramakrishna  said. “And in this particular case, given the amount of time they spent, and given the deliberateness that they had in their efforts, they were able to cover their fingerprints, cover their tracks at every step of the way, given the resources of a nation state.”

It wasn’t until December of 2020 that cybersecurity firm FireEye found evidence of it in their own networks. In May of 2021, details of the attack are still trickling out.

Also Wednesday, Ramakrishna offered a mea culpa for congressional testimony in February, where he and the former SolarWinds CEO blamed an intern for a password security lapse.

“I have long held a belief system and an attitude that you never flog failures,” he said. “You want your employees, including interns, to make mistakes and learn from those mistakes, and together we become better. So obviously you don’t want to make the same mistake over and over again, you want to improve.

“What happened at the congressional hearings where we attributed it to an intern was not appropriate, and was not what we are about or is not what we are about,” he said. “We have learned from that and I want to reset it here by saying that we are a very safe environment, and we want to attract and retain the best talent.”

Latest Podcasts