Thursday, January 21, 2021

An apology to JetBrains

On Monday, I put up a post entitled “What could have prevented the SolarWinds attacks?” It contained the following paragraph:

…the Russians could have penetrated a software development tool (presumably by planting malware in the tool developer’s network, which would have played the same role that SUNSPOT did with SolarWinds). Then, if SolarWinds used that tool, the Russians wouldn’t have to penetrate SolarWinds’ development network - they would have already been there! This might be the ultimate supply chain attack, for reasons described in this post. Of course, it was recently learned that the Russians did penetrate a very widely-used development tool called JetBrains. And one of JetBrains’ customers was in fact SolarWinds.

The post I linked described a New York Times article on JetBrains entitled “Widely Used Software Company May Be Entry Point for Huge U.S. Hacking”. The second paragraph of the article read:

Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies. Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.

The article also stated:

By compromising TeamCity, or exploiting gaps in how customers use the tool, cybersecurity experts say the Russian hackers could have inconspicuously planted back doors in an untold number of JetBrains’ clients. 

and ended with this statement:

“It can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world,” Mr. Alperovitch added. “This is a very big deal.”

You will notice that the Times article, while clearly expressing a lot of alarm about the possibility that JetBrains might have been compromised (because of its widespread use in software development, including by SolarWinds, and – frankly – because of its ties to Russia), avoided saying that this had actually happened. And the post I wrote about the article on January 6 walked that same fine line.

Unfortunately, the statement in my post on Monday went beyond what both the article and my previous post had said. It stated affirmatively that JetBrains had been compromised. Did I say this because I’d learned some important new information since the previous post? No, I said it because – truth be told – I sometimes think that, just because I wrote something, this means my memory of what I wrote should be perfect. In other words, I linked to my previous post without bothering to read it to make sure I knew what it said.

This morning, I received an email from Yury Molodtsov, a representative of JetBrains, pointing out – quite nicely, I will say – my error. He also provided a link to this statement from JetBrains, in response to the Times article. It stated “First and foremost, JetBrains has not taken part or been involved in this attack in any way”, and also “SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available.” The following day, JetBrains posted another statement pointing out that SolarWinds had said “The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product” (TeamCity is the JetBrains product that SolarWinds uses, as well as a huge number of other software developers).

So I owe a big apology to JetBrains. I just hope they’ll continue to produce such a great product, and they’ll continue to keep it as secure as they can.

As for myself, I’m going to be a lot more circumspect about quoting news articles, and I’ll make sure I’m not saying anything more than the article I’m quoting does.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

 
