The mission of this group is to bring together utility professionals in the power industry who are in the thick of the digital utility transformation. 

WARNING: SIGN-IN

You need to be a member of Energy Central to access some features and content. Please or register to continue.

Post

An apology to JetBrains

This Monday, I put up a post entitled “What could have prevented the SolarWinds attacks?” It contained the following paragraph:

…the Russians could have penetrated a software development tool (presumably by planting malware in the tool developer’s network, which would have played the same role that SUNSPOT did with SolarWinds). Then, if SolarWinds used that tool, the Russians wouldn’t have to penetrate SolarWinds’ development network - they would have already been there! This might be the ultimate supply chain attack, for reasons described in this post. Of course, it was recently learned that the Russians did penetrate a very widely-used development tool called JetBrains. And one of JetBrains’ customers was in fact SolarWinds.

The post I linked described a New York Times article on JetBrains, that was entitled “Widely Used Software Company May Be Entry Point for Huge U.S. Hacking”. The second paragraph of the article read:

Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies. Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.

The article also stated:

By compromising TeamCity, or exploiting gaps in how customers use the tool, cybersecurity experts say the Russian hackers could have inconspicuously planted back doors in an untold number of JetBrains’ clients. 

and ended with this statement:

“It can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world.,” Mr. Alperovitch added. “This is a very big deal.”

You will notice that the Times article, while clearly expressing a lot of alarm about the possibility that JetBrains might have been compromised (because of its widespread use in software development, including by SolarWinds, and – frankly – because of its ties to Russia), avoided saying that this had actually happened. And the post I wrote about the article on January 6 walked that same fine line.

Unfortunately, the statement in my post on Monday went beyond what both the article and my previous post had said. It stated affirmatively that JetBrains had been compromised. Did I say this because I’d learned some important new information since the previous post? No, I said it because – truth be told – I sometimes think that, just because I wrote something, this means my memory of what I wrote should be perfect. In other words, I linked to my previous post without bothering to read it to make sure I knew what it said.

This morning, I received an email from Yury Molodtsov, a representative of JetBrains, pointing out – quite nicely, I will say – my error. He also provided a link to this statement from JetBrains, in response to the Times article. It stated “First and foremost, JetBrains has not taken part or been involved in this attack in any way”, and also “SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available.” The following day, JetBrains posted another statement pointing out that SolarWinds had said “The Company hasn’t seen any evidence linking the security incident to a compromise of the TeamCity product” (TeamCity is the JetBrains product that SolarWinds uses, as well as a huge number of other software developers).

So I owe a big apology to JetBrains. I just hope they’ll continue to produce such a great product, and they’ll continue to keep it as secure as they can.

As for myself, I’m going to be a lot more circumspect about quoting news articles, and I’ll make sure I’m not saying anything more than the article I’m quoting does.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.

Tom Alrich's picture

Thank Tom for the Post!

Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.

Discussions

Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Bob Meinetz's picture
Bob Meinetz on Jan 23, 2021

Thanks, Tom. Your reputation for accurate and in-depth reporting on software security issues is only enhanced by your admission.

Tom Alrich's picture
Tom Alrich on Jan 25, 2021

Thanks for the thanks, Bob! I appreciate your comments. 

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »