On Monday, I put up a post entitled “What could have prevented the SolarWinds attacks?” It contained the following paragraph:
…the Russians could have penetrated a software development tool (presumably by planting malware in the tool developer’s network, which would have played the same role that SUNSPOT did with SolarWinds). Then, if SolarWinds used that tool, the Russians wouldn’t have to penetrate SolarWinds’ development network - they would have already been there! This might be the ultimate supply chain attack, for reasons described in this post. Of course, it was recently learned that the Russians did penetrate a very widely-used development tool called JetBrains. And one of JetBrains’ customers was in fact SolarWinds.
The post I linked described a New York Times article on JetBrains, that was entitled “Widely Used Software Company May Be Entry Point for Huge U.S. Hacking”. The second paragraph of the article read:
Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies. Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.
The article also stated:
By compromising TeamCity, or exploiting gaps in how customers use the tool, cybersecurity experts say the Russian hackers could have inconspicuously planted back doors in an untold number of JetBrains’ clients.
and ended with this statement:
“It can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world,” Mr. Alperovitch added. “This is a very big deal.”
You will notice that the Times article, while clearly expressing a lot of alarm about the possibility that JetBrains might have been compromised (because of its widespread use in software development, including by SolarWinds, and – frankly – because of its ties to Russia), avoided saying that this had actually happened. And the post I wrote about the article on January 6 walked that same fine line.
Unfortunately, the statement in my post on Monday went beyond what both the article and my previous post had said. It stated affirmatively that JetBrains had been compromised. Did I say this because I’d learned some important new information since the previous post? No, I said it because – truth be told – I sometimes think that, just because I wrote something, this means my memory of what I wrote should be perfect. In other words, I linked to my previous post without bothering to read it to make sure I knew what it said.
This morning, I received an email from Yury Molodtsov, a representative of JetBrains, pointing out – quite nicely, I will say – my error. He also provided a link to this statement from JetBrains, in response to the Times article. It stated “First and foremost, JetBrains has not taken part or been involved in this attack in any way”, and also “SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available.” The following day, JetBrains posted another statement pointing out that SolarWinds had said “The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product” (TeamCity is the JetBrains product that SolarWinds uses, as well as a huge number of other software developers).
So I owe a big apology to JetBrains. I just hope they’ll continue to produce such a great product, and they’ll continue to keep it as secure as they can.
As for myself, I’m going to be a lot more circumspect about quoting news articles, and I’ll make sure I’m not saying anything more than the article I’m quoting does.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.