“This release includes bug fixes, increased stability, and performance improvements.”
We’ve all seen this before. It’s pretty boilerplate stuff for most software or updates. More often than not you simply allow it without even batting an eye or giving it a second thought, assuming that updates are a good thing, right? Well, usually, yes.
Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.
The routine update, it turns out, is no longer so routine.
Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.
It was something called a supply chain hack, which seems to be becoming more common. In fact, just today, there is news of another, similar hack. Our vulnerability to this kind of hack tells us something not just about software and cybersecurity, but about the way business works today — and about how it might need to change.
Learn more about the SolarWinds attack in this excellent episode of Planet Money from NPR embedded below.
We’ve had clients deal with hacks and data breaches before. It’s never fun but a bit of prevention can go a long way. Reach out – we’re ready to help.