SolarWinds Worldwide is neither a solar power nor a wind power company, and its mysterious ways don’t stop there. It isn’t nearly as well-known as Yeti or Bumble or Indeed or most of the other multibillion-dollar outfits that call Austin home. It has kept a relatively low profile since it relocated from Tulsa, Oklahoma, in 2006 seeking greater access to tech industry talent. It doesn’t sponsor festival stages at Austin City Limits or South by Southwest. You won’t find its name on billboards, and its southwest Austin office blends anonymously into the scenery.
Yet SolarWinds, an IT management company valued at more than $6 billion that earned $938.5 million in revenue last year, was thrust into national headlines on Sunday with bombshell news of a major security breach. Malicious code slipped into the company's own software updates enabled Russian government hackers to infiltrate the systems of its federal government clients, which include the U.S. Treasury, the White House, the Pentagon, Los Alamos National Laboratory, and the departments of Commerce, Veterans Affairs, and Homeland Security. The tainted updates were reportedly in circulation as early as March.
The malicious code was inserted into SolarWinds software updates and delivered to customers through the company's routine update mechanism, which could have put it on the systems of as many as 18,000 of its customers, SolarWinds said in an SEC filing about the breach. Since the news broke, SolarWinds has apparently been trying to obscure the long list of clients on its website, a list that it says also includes 425 companies in the Fortune 500. In the SEC filing, SolarWinds says Orion, the product whose updates carried the malicious code into clients' systems, accounts for about 45 percent of its revenue, about $343 million through the first nine months of 2020.
In addition to Orion, SolarWinds sells a large suite of products that the IT departments of some 300,000 clients use for everything from monitoring network performance to managing servers and securing employee credentials. Orion is the platform through which organizations install and monitor various SolarWinds products, among other tasks. SolarWinds CEO Kevin Thompson said in a statement to Reuters Sunday that the hack was "a highly-sophisticated, targeted, and manual supply chain attack by a nation state." The compromised Orion updates gave the hackers a backdoor into government and corporate networks.
Such attacks are incredibly difficult to pull off, said Ram Benavides, a fourteen-year IT security industry veteran who leads the Cyber Threat Hunt Team for NouSystems Inc., a defense contractor protecting the U.S. Missile Defense Agency. “It’s a genius way to do things,” he said, referring to the way in which the hackers found a sort of skeleton key via SolarWinds to access government agencies and other networks instead of hacking those networks directly. While so-called supply-chain attacks like this have occurred in the past, he said, they are not common because of the sophisticated coordination required. “Nation-states have the time and the resources.”
SolarWinds software, Benavides said, often is used hand in hand with Cisco Systems hardware and network infrastructure to provide powerful IT management tools. But as a result of this attack, his team will vet subcontractors and clients to determine whether they use these products. “From this point on, it’s something we’ll ask and check: whether they’ve used SolarWinds and what they’ve done to remediate,” he said.
Several former employees of SolarWinds, who asked not to be named in this story, said that the company has focused for years on winning government contracts. The fallout from the breach is as serious a public-relations nightmare as could befall a company in its field. "With government work, even more so than private companies, there's a huge need to make sure their applications and their networks are secure," one former SolarWinds marketing employee said.
When the company, whose name was coined by one of its early employees, was founded in 1999, none of its software focused on security. Two of its early products, Ping Sweep and Trace Route, were basic network-diagnostic tools: one checks which machines on a network answer a ping, the other maps the path packets take to reach a destination. As the company says in its own history, "While everyone was distracted by the impending doom of Y2K, SolarWinds was getting started on our mission to make IT look easy by offering affordable, purpose-built software tools."
The past five years at SolarWinds, which has more than three thousand employees globally, have involved hundreds of millions of dollars' worth of acquisitions, including Librato, Capzure Technology, LogicNow, SpamExperts, Loggly, and SentryOne. Those purchases helped the company expand its offerings in areas like analytics and email monitoring while beefing up its core businesses of network monitoring and IT management. The acquisition of just one company, Samanage, cost $350 million.
Several security-industry professionals have stepped forward since the hacking became public with claims that SolarWinds was made aware of vulnerabilities in its systems more than a year ago that were not fixed. The company’s success in making its Orion platform seemingly ubiquitous in government and corporate systems is now being seen as a liability to the entire IT world.
Former employees characterized “SWI,” as they refer to it, as not a particularly easy place to work. It’s a high-pressure work environment plagued with office politics and “clashing personalities of people brought in as ‘change agents,’” one former manager said. “SWI is the type of place that chews up its employees and spits them out. I do credit the experience for helping propel my career, but it wasn’t a place I could stay very long.”
In 2016, the company went private after being acquired for $4.5 billion by private equity firms Silver Lake Partners and Thoma Bravo. In 2018, SolarWinds returned to the stock market with an IPO that valued the company at $4.57 billion. Major changes were afoot before the hacking news, some of them now under scrutiny by the Securities and Exchange Commission. Silver Lake and Thoma Bravo sold about $286 million worth of shares in the company shortly before the breach was disclosed. Two days after that sale, Thompson announced he would step down, and the company named Pulse Secure CEO Sudhakar Ramakrishna as his successor. SolarWinds had also been working to spin off its SolarWinds MSP remote management business into its own company. A source at the company told Texas Monthly those plans remain unchanged.
SolarWinds, alongside other Austin software, semiconductor, hardware, and internet startups, and research and development happening at the University of Texas, has been part of a recent groundswell of government and defense-related business happening in Central Texas. In 2018, the Army Futures Command launched in Austin as a way to promote cross-pollination with the booming local start-up industry. It is expected to grow to 26,000 employees. This year, defense contractor BAE announced a $150 million campus in Austin with plans to house 1,400 employees there.
Amber Gunst, CEO of the Austin Technology Council, said that many private companies in the area keep the extent of their work for the Department of Defense and other government agencies quiet. Companies with a large Texas presence such as Accenture and Stratfor have had long rosters of government clients for decades. But the area’s talent pool and its location have contributed to lots of new government contracting. “We are so conveniently located between San Antonio and the Temple–Fort Hood area, where so many former military personnel have served and want to remain in this area when they retire,” Gunst said. “It really does make us the perfect area for these companies to come together and keep our country secure.”
SolarWinds currently has twenty available jobs listed in Texas, including one particularly relevant to its current crisis: VP Security Architecture.