Jake Williams, a former NSA hacker and member of the agency's now disbanded Tailored Access Operations group, told iTWire in response to queries that SolarWinds had said it was working with an outside firm to find out the details of the attack.
The attack came to light this month soon after cyber security firm FireEye announced on 9 December AEDT that it had been compromised and had its Red Team tools stolen.
Five days later, FireEye issued details about attacks using malware which it called SUNBURST, which it said had been used to hit both private and public entities, by corrupting the Orion network management software, a product of SolarWinds.
A number of US Government departments — Homeland Security and Treasury among them — have been named as being affected. FireEye, too, appears to have been a victim. The Orion software has very wide usage in the US and also in Britain.
A Yahoo! News report on Saturday claimed the attackers had been inside SolarWinds' system since at least mid-2019.
Williams, who now runs his own security outfit, Rendition Infosec, said there had been no discussion about security at SolarWinds, "probably because we're too busy responding to the aftermath to worry about reviewing SolarWinds' security: a 25-metre target vs something much further down the road".
Asked about the widespread use of Orion and whether there were no products as good as it in the market, he said, while there were other products that measured up today, "SolarWinds Orion was the first that was truly as good as it is. It's nearly idiot-proof compared to its competitors at the time it achieved mass market share".
As to whether Orion had gained its widespread use because of connections, Williams responded: "Once you secure first mover advantage, there's definitely inertia. CIO and CISO were barely positions when Orion became popular.
"Many of the people holding those positions today actually used Orion in their day, so it's an easy sell."
Williams cautioned people about the fact that were likely to be other software supply chain compromises going on right now, while the discussion about SolarWinds was taking place.
"I'll bet that they're not as large in scope as Orion, but this isn't even the first targeting IT management software," he said.
"Take a look at the ShadowPad attacks from a few years ago. This works, and attackers will come back to what works."
ShadowPad is a backdoor that was found in software created by a company called NetSarang and discovered by Russian security firm Kaspersky. The backdoor was embedded in one code library, nssock.dll.
In the case of Orion, the compromised component was named as SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed part of the software. This contained a backdoor that communicated with third-party servers using HTTP.
