Security software provider SolarWinds (SWI) revealed Tuesday that it has found the source of a highly sophisticated malicious code injection that it believes was used by the perpetrators of the recent cyberattack on the company and its clients, including federal government agencies.
In a regulatory filing, SolarWinds said that it was able to reverse engineer the code, allowing it to learn more about the tool that was developed and deployed into the build environment. The company said it wasn't able to independently verify the identity of the perpetrators.
"Analysis suggests that by managing the intrusion through multiple servers based in the United States and mimicking legitimate network traffic, the attackers were able to circumvent threat detection techniques employed by both SolarWinds, other private companies and the federal government," the company said in the 8-K filing submitted to the Securities and Exchange Commission.
"The SUNBURST malicious code itself appears to have been designed to provide the perpetrators a way to enter a customer's IT environment. If exploited, the perpetrators then had to avoid firewalls and other security controls within the customer's environment." KPMG and CrowdStrike have been able to locate the code injection source, the filing said.
Between March and June of last year, hackers believed to be linked to Russia’s foreign intelligence service inserted malware into software updates for SolarWinds’ Orion IT infrastructure management software. This led to security breaches at the Treasury Department, the National Telecommunications and Information Administration, the Department of Homeland Security and a number of SolarWinds’ corporate clients.
Shares of SolarWinds were up 0.6% at $15.09 in trading on Tuesday. The stock has fallen 18% over the past 12 months.