Date: 2020-12-15

I am going to keep an eye on it and maybe take a small taste soon.

But should the damage be limited, their customers may look at their choices and stick with SolarWinds.

We only know of 3 victims right now — the Departments of Commerce and Treasury, and FireEye. Should that list grow, SolarWinds’ liability is open-ended.

They have a giant customer list, all corporations and government agencies with massive, complex systems filled with important data. The hackers had access to any of this they wanted.

From what little we know, the SolarWinds hack has the potential to be the most consequential hack of all time.

Every one of these organizations is at risk, and has been since March.

SolarWinds website screenshot. Moments after I took that screenshot on Monday morning, the company took it down and the page is 404.

The SolarWinds Hack

You may not have heard of SolarWinds (SWI) before. It is the fifth most undercovered stock here at Seeking Alpha. But you have certainly heard of their customers, a partial list of whom you see listed above. Right now, we know very little, but in the end, this may turn out to be the largest hack of all time.

SolarWinds provides IT management software to a large variety of customers in both the public and private sectors. They have over 50 products for specific IT tasks, but they are unified under a single interface SolarWinds calls the Orion Platform. “One vendor. One platform. One single pane of glass,” is the marketing.

SolarWinds website.

So IT managers have all those tools in a single interface. This is also why it makes such an attractive target for hackers. If they can get in undetected, as they have since March, they have access to all that, all of which is pretty interesting to a hacker, depending on what they are there for. Even more embarrassing for the company, it went on undetected for 9 months, and they had to be informed by a national security agency.

The most important to hackers are those last two at the bottom of that screenshot. Orion gives the hackers access to databases and software updates which allows them access to all the company’s data, and allows them to put malicious software wherever they would like, undetected.

From SolarWinds’ press release:

SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.

Let’s parse that a bit:

“has just been made aware”: They found out from a government agency, most likely the FBI or Department of Homeland Security. DHS has issued a strongly worded directive to all agencies to update their software with SolarWinds’ hotfix.

“highly sophisticated” and “likely conducted by an outside nation state”: Russian intelligence.

“narrow, extremely targeted, and manually executed attack”: This was directed not at all SolarWinds customers, but rather very specific ones. So far we know of the Departments of Treasury and Commerce, and network security firm FireEye (FEYE).

Just on the little information we have, this looks to me to be about Russian sanctions, which are administered by those two Departments.

Microsoft (MSFT) has a lot more technical detail on the hack if you are interested, but the short of it:

It is unclear how, but the attacker injected code into a legitimate Orion library.

The library got distributed and signed by SolarWinds.

The code loaded before the legitimate code in the library, so it went undetected, since it was all signed by SolarWinds.

The code allowed the attacker to manually and remotely escalate a user’s privileges to the highest level, with unfettered access.
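An added illustration, not from the original article or from Microsoft's write-up, of why the valid SolarWinds signature did not flag the injected code: a signature covers whatever bytes reach the signing step, so code added before signing is signed along with the rest. HMAC-SHA256 stands in for the vendor's code signature, and the toy build step, file names and point of injection are constructed assumptions, since the article notes the actual method is unclear.

```python
import hashlib
import hmac

# Constructed stand-ins: a vendor signing key and a reviewed source tree.
VENDOR_KEY = b"constructed-demo-signing-key"
REVIEWED_SOURCE = {
    "init.src": "load_config()",
    "poll.src": "poll_devices()",
}

def build(source, build_hook=None):
    """Toy 'compiler': joins source files in name order into one artifact.
    build_hook models a build environment that alters inputs before compiling."""
    files = dict(source)  # copy, so the reviewed tree itself is never modified
    if build_hook:
        build_hook(files)
    return "\n".join(f"{n}:{files[n]}" for n in sorted(files)).encode()

def sign(artifact):
    # HMAC-SHA256 stands in for the vendor's code-signing signature (assumption).
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).hexdigest()

def signature_valid(artifact, tag):
    return hmac.compare_digest(sign(artifact), tag)

def matches_independent_rebuild(artifact, source):
    """Rebuild from the reviewed source in a separate environment, compare digests."""
    clean = build(source)
    return hashlib.sha256(clean).digest() == hashlib.sha256(artifact).digest()

def tampered_build_env(files):
    # Constructed, inert marker standing in for code added during the build.
    files["init.src"] = "unreviewed_addition(); " + files["init.src"]

def run_demo():
    shipped = build(REVIEWED_SOURCE, build_hook=tampered_build_env)
    tag = sign(shipped)  # signing runs after the build, so it covers the altered bytes
    return {
        "signature_valid": signature_valid(shipped, tag),
        "matches_rebuild": matches_independent_rebuild(shipped, REVIEWED_SOURCE),
        "clean_build_matches": matches_independent_rebuild(
            build(REVIEWED_SOURCE), REVIEWED_SOURCE),
    }

if __name__ == "__main__":
    print(run_demo())
```

The signature check passes on the altered artifact, while the comparison against an independent rebuild of the reviewed source fails: the signature says who shipped the file, not that it matches the code that was reviewed.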

But this is still very early, and there may be others added to that list of companies whose data were exfiltrated. This is a stock market site, so forgetting about the giant national security disaster this has the potential to be, scroll back up to that customer list and ask yourself what interest Russian intelligence might have in each company. Some quick thoughts:

There are a lot of communications companies in there like AT&T (T), Sprint (TMUS) and Charter (CHTR) who have customers whose records may be of interest to Russian intelligence.

Similarly, tax returns of certain Americans who use H&R Block (HRB) may be of interest.

Financial records from Visa (V) and MasterCard (MA).

Defense contractor information from Lockheed-Martin (LMT).

Trade secrets from the industrials like Dow (DOW).

We already know that Microsoft Azure was compromised from their above-linked blog post, so who knows how far that extends.

Financial audits from the accounting firms.

Just about the only thing not of interest is the secret recipe to McRibs. Right this second, there is a huge unknown liability out there for 30,000 SolarWinds customers.

FireEye

FireEye is the one such private customer we know of so far. As you see, it gapped down on the news:

Data by YCharts

While off the lows, they took a big hit, and for good reason. From what we know, the hackers stole FireEye’s “Red Team” tools. The Red Team role-plays malicious actors, testing client systems for weaknesses using a variety of both common and uncommon hacker tools. These were stolen, and FireEye was forced to put up fixes for the exploits on GitHub. This is an important bit of proprietary IP, something they charge a lot of money for, and now the whole world has it.

So run down that list again. What would happen to AT&T if specific clients had all the cell phone records stolen? What about all the credit card data at Visa and MasterCard? What liability could the industrials have for stolen trade secrets?

If this turns out to be more than FireEye, it could be a nightmare for a subset of corporations who hold key data.

The Upshot for SolarWinds

If we sustain system failures, cyberattacks against our systems or against our products, or other data security incidents or breaches, we could suffer a loss of revenue and increased costs, exposure to significant liability, reputational harm and other serious negative consequences. -SolarWinds annual report.

Monday morning, the market was displeased by the news:

Data by YCharts

But this is an interesting case, because SolarWinds is a bit unique in the ecosystem. Almost everything they provide is replaceable by other software, a lot of it open source and free. Probably some of that open source code undergirds their tools. Their value-added has always been:

The “single pane of glass.” All your tools from them, plus management consoles for much of your other IT software in a single, modern user experience.

Customer service and support.

Not getting your system hacked by foreign intelligence services.

So, they have failed, and failed badly on that last one. It remains to be seen what the full extent of the damage is, and they have undoubtedly lost customer trust. Those customers’ IT departments have been discussing since Sunday night what to do about this.

And those IT departments have a problem. As mad as they probably are, the customers who use the full Orion suite have to look at what the alternative is, and find the prospect lacking. They would have to cobble together a suite on their own from multiple vendors, and supplement that with open source software to fill the gaps. It would take a while to build, cost a lot of money, and would not have the unified user experience that Orion offers.

This is why they have so many customers with very large IT departments. If you have huge, complex systems to manage, it’s still probably the best choice, even in light of this. If the damage is contained to what we already know, and there is no guarantee of that, they look awfully cheap right now to me, trading at $19.55 as I type this.

But the damage may be much broader, and the “reputational harm,” and “significant liability” risk factors they warn of in their annual report will come into play, and that could even be a death spiral.

I’m going to keep an eye on it, but I may take a small taste soon if it hangs around under $20. For now, I’m slapping it with a neutral rating, because there’s too many unknowns right now. Stay tuned.

Disclosure: I/we have no positions in any stocks mentioned, and no plans to initiate any positions within the next 72 hours. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.