There’s a reason we call them “Advanced Persistent Threats (APTs).” A MAJORITY of compromises occur over the course of months. Hacks are not in-and-out operations like what you see in movies. Beachheads have to be established, reconnaissance done, lateral movement to traverse the network in search of administrative credentials, privilege escalation, takeover of domain identity infrastructure, data gathering and exfiltration. All of this takes effort. 9 months is FAST by most accounts.
“9 months is FAST by most accounts.”
Not considering the breadth and depth of the compromise.
And not with the knowledge the Solarwinds company and products we notorious scofflaws when it comes to even the most rudimentary security protections.
And how about all those firewall administrators, and associated Security Review and Approval teams that authorized “Solarwinds” to update their platform with the unsecured password “solarwinds123”.
CISA is guilty of criminal negligence. So too anyone who approved the laughable unsecured system password.