S1E2 | The SolarWinds Hack: How 18,000 Orgs Were Compromised | w/ Alberto Deto Hassan

In the time of attack, every second is important, and you have to decide things without all the information and to have the ability to lead the situation while there is an enemy on the other side against you. So it's a kind of mind war. You have to win.

Welcome to The CISO Signal, a true cyber crime podcast. I'm Jeremy Ladner. On this episode, we step inside the breach that shattered illusions of security at the highest levels. A routine software update to 18,000 organizations became a Trojan horse for a nation state campaign that infiltrated the US Treasury, the Department of Justice, Microsoft and dozens more. The cost: billions of dollars of clean up, years of investigation, and the hard won wisdom that solutions we trust to protect us could be turned against us. This is the story of SolarWinds.

And joining us for the investigation is a cybersecurity titan with decades of experience at the highest levels. Alberto ‘Deto’ Hassan is VP and CISO at ICL Group and formerly headed Israel's National CERT. He brings deep experience across IT, OT, and critical infrastructure security. Alberto, welcome to The CISO Signal. Can you tell us a bit more about your background?

Okay. I'm married to Ruth. She is my wife. That's the most important. I have three kids. I came from the ISA, Israeli Security Agency, and then after the Israeli Security Agency, I created and opened the national CERT and afterwards I came back as a CISO to ICL. So in the last six years, I'm V.P. of Cyber Security defense in ICL.

Alberto, it's great to have you with us. Now let's begin the investigation.

We are in the midst of a ceaseless war, not of bombs or bullets, but of breaches, firewalls and silent incursions. The targets: our borders, our banks, our commerce and the critical infrastructure that underpins a free civilization. The enemy is cloaked in code, fueled by greed, glory, and a desire for chaos. This is the story of the unseen protectors, the nameless generals, the CISOs, chief information security officers. They are the guardians at the gate. Watchers on the wall. Ever vigilant and always listening for The CISO Signal.

How we perceive the passage of time is a strange thing. Seconds can stretch on endlessly, each moment dragging like an eternity. And yet years can seemingly pass in the blink of an eye. Looking back, they feel like echoes from a parallel world, a lifetime that almost doesn't feel like our own. The early spring of 2020 feels recent enough to touch and yet impossibly far away.

Back then, the world had come to a standstill. Covid 19 had forced much of the world to work from home. Office towers stood hollow. Rush hours evaporated, and dining tables were hurriedly converted into makeshift workstations. We were all grappling with a new reality. Working remotely, living cautiously for the first time in generations, the global community began to contemplate the fragility of the systems that hold us together. A supply chain built on people. People who could get sick. What if the virus keeps spreading? If the people who pick the food, transport the fuel, keep the lights on, can't come to work? What if the police just don't show up? If the water doesn't flow, if the grid goes dark. It was a moment of collective vulnerability.

And while most of us were worrying about a biological virus slipping past our defenses, few noticed something else creeping silently through another kind of supply chain. A virus of a different nature, crafted by human hands. Intelligent. Patient. Precise. It didn't spread through the air. It traveled through trust.

During that same spring of 2020, the enemy got in. It breached major government agencies, compromised Fortune 500 corporations, and it did so using a weapon no one saw coming. No. Not Covid. Something arguably far worse. That sound you hear approaching is the blazing heat of this episode's breach. This is SolarWinds and The CISO Signal.

So you mentioned your wife and kids earlier, and obviously family is very important to you. What's the one thing about a career in cybersecurity that you wish you knew way back when you started years ago?

Most of the attacks arrive on the weekend. Never mind where you are. This is the statistics, and on the weekend you have to be more alert, more close to the computer, more close to the system. And you have to understand that this is part of your job. If you are not prepared for it, don't do it. But if you are a CISO or like CISO, you have to be prepared to work on weekends.

So you've been at the helm of these large security organizations now for many years. Tell us a bit about the weight of that responsibility on your shoulders. What's that like?

I can say that every event I understand the responsibility on my shoulders, and I understand that I am part of the Western world that would like to protect the industry, that would like to keep the industry, the Western industry, to be working and not to stop because of attacks, mainly by organized crime, that want us to be stopped or to pay a lot of money.

So when we discuss a breach of this scale and this scope, we often focus on the size of the ransom paid or the cost of damages or the sensitive data stolen. What is the one element you think we overlook that we should be talking about?

First of all, the planning. Somebody planned it very well. Somebody made the preparation. The impact is huge. The impact is worldwide. So you have to give respect to who have done it. Respect, professional respect. And then to realize, to analyze it with a cold mind: What is the situation? What we should do first, what we should do in the medium time, and what we should do in more time. But you have to make the decision making process in a very fast way. Otherwise you are doomed.

Okay, so that's sort of an interesting juxtaposition there that you mentioned between the slow and careful planning of the enemy and then the incredibly fast reaction time that a CISO needs when you're faced with a breach like this. How do you handle that?

I will say that every event is special, with its own facts. You have to be ready to react and to react fast and to think fast because you don't have time.

We love making this podcast and we really hope that shows in the care and quality that we invest in it. And we would really appreciate it if you could take a moment to like and share it with your fellow security professionals, as well as dropping us a comment letting us know what stories and guests you'd like to have on the podcast in future episodes. Now back to the story.

September 2019. Before the world locked down, before the phrase supply chain attack sent shivers through boardrooms and war rooms alike, something began quietly, deliberately, far from the fluorescent glow of the corporate world.

The cybersecurity landscape in late 2019 was, by all appearances, business as usual. Security teams hunted malware, patched vulnerabilities and deployed firewalls, and slept well under the illusion that the systems they depended on were hardened, secure, and trustworthy. But trust in this story is the first lie, because somewhere halfway around the world, a patient adversary was already watching, studying, and waiting.

The group would later be known by many names: UNC2452, DarkHalo, APT29. The US government would eventually trace the operation back to Russia's foreign intelligence service, the SVR. These weren't spray and pray hackers looking to make a quick buck. They were architects of espionage, disciplined, methodical and state backed. And in the fall of 2019, they picked their target, a little known I.T. company called SolarWinds. Not because of what SolarWinds did, but because of who they served. Government agencies, Fortune 500 corporations and critical infrastructure providers. The perfect Trojan horse.

This wasn’t just a heist. It was infiltration with intent. A long con. They began with reconnaissance, probing SolarWinds' digital perimeter, mapping their internal infrastructure and identifying the cracks in the foundation. No malware, no alerts, just eyes in the dark, because the plan wasn't to breach and escape. The plan was to become invisible, to live inside the trusted systems that others relied on for protection. And so, in the shadows of September 2019, the groundwork was laid. Digital casing of the joint. The beginning of one of the most devastating supply chain attacks in history. And no one saw it coming.

All right. So there's that terrifying moment of realization when it is clear you've been breached. What is the first thing you do before you assemble the team, before you alert the necessary stakeholders? Right after that first moment of realization and confirmation, what does Alberto ‘Deto’ Hassan do?

To pray. It's important! If you pray twice, it's even better. But after praying, you have to take into consideration, check on the small things. When you get an update from any company, never mind Microsoft or whatever, check it on a small environment. Closed environment. Give it 24 hours to see what the outcome of the update is, and if it's okay, then continue to medium size and then continue to all size. But do not do it immediately, automatically, all the way. That's the wisdom that we got from this event. And many events like this. Don't be so fast in updating systems. Take into consideration that maybe somebody was smarter than you... and may have put something in this update.

Okay, so we are living in a post SolarWinds reality now. How do you suggest teams validate, test and monitor security tools like SolarWinds before full deployment and organization wide exposure?

I will say that you have to test it in real threat and to see what is the outcome of false alarm. The issue of false alarm is very important. If there are many alarms that are not real alarms, it's like the sheep and the wolf. So you have to do two things: also to see that it detects what it should detect. But the same importance that it’s not giving alert to something that is nothing. Otherwise it's useless.

Act Two. The Silent Intrusion.

It didn't look like a weapon. There was no explosion, no fanfare, no ransom note flashing across a locked screen. Instead, it arrived quietly, like a whisper slipped between lines of trusted code.

October 2019. Somewhere on a keyboard inside a room we may never fully identify, a line of custom malware was compiled. Its given name was SunSpot, but this wasn't the kind of malware designed to smash and destroy. It was careful, calculated, designed to impersonate trust itself. Its job wasn't to detonate. It was to hide, to wait, to observe, and then to strike at the precise moment. Its target: not a bank, not a hospital. A software company, SolarWinds. Specifically its build environment. The digital assembly line where software updates are forged, tested, and blessed for distribution. That's where SunSpot was placed. Like a ghost on the production floor, it monitored for files related to SolarWinds' flagship product, Orion. And when the legitimate update was being compiled, SunSpot silently swapped in the infected version. No one noticed. Not the developers, not the QA testers, and not the security scanners.

February 2020, the attackers take the next step. They finalize a second payload, Sunburst, the actual espionage tool, and hide it within the Trojanised Orion software. It was genius. It was devastating. And it was signed. Digitally authenticated by SolarWinds itself.

In March of 2020, while the world was focused on the chaos of Covid, while families adjusted to lockdowns, while office towers stood hollow, while home routers struggled to shoulder the new weight of global commerce, SolarWinds shipped the tainted update, version 2019.4-HF5. It was deployed to thousands of customers, government agencies, intelligence networks, Fortune 500 giants, from the U.S. Department of Treasury to Microsoft. All of them unwittingly opened the door. And that's when the ghost entered.

The brilliance of Sunburst wasn't just in how it infiltrated, it was how it stayed hidden. The malware would lie dormant for up to two weeks. Then, like sleeper cells obeying a silent countdown, it would activate: randomized, staggered, perfectly timed to avoid suspicion. It blended in with normal traffic. It communicated using DNS, one of the oldest, most trusted parts of the internet. It watched and it learned, and then it moved. Lateral motion across networks. Privilege escalation, data access. Each step slow, surgical, invisible.

From spring through fall of 2020, the attackers navigated through the digital hallways of some of the most secure systems on Earth. No one knew, or rather, some had suspicions. By August, whispers of strange behavior surfaced at a few federal agencies: a discrepancy here, a misfired authentication there. But there was no smoking gun, no signature, no breach alert, just shadows where clarity used to be.

And then in November 2020, the hunters became the hunted. FireEye, one of the most respected cybersecurity firms in the world, discovered something unnerving. Their own red team tools had been accessed, not sold on the dark web, not deleted, not leaked, accessed. But how? They launched an internal investigation, turning their forensics inward, peeling back the layers. What they found would lead them unknowingly to uncover one of the most dangerous and far reaching cyber espionage campaigns in modern history. But we're not there yet. The system had already been breached, the infection was already spreading, and the world still had no idea what was coming.

Given the scale, the scope, the complexity, do you think it's realistic for large enterprises or national CERTs to detect tampering from a signed and verified update from a trusted vendor? Do you think we've learned the lessons from SolarWinds? Are we doomed to repeat the same mistakes again and again?

Yes, I think we learned it. We must do it in a small environment to see, to check and then continue, not to immediately implement it or immediately update. We cannot afford the outcome of a failure. The outcome of one failure like that is huge. So let's be more prudent, more humble and check things before we go forward with big scale.

So we all know that it's not a question of if you'll be breached, but when. What's the key thing you would suggest CISOs prepare for in advance when dealing with a supply chain breach like this, one that leads to total system collapse, leaving you in a situation where you need to reach out to vendors, to customers, to off site support teams, but all of your critical contact info and communications are now suddenly offline?

You have to do the connectivity before. You have to be in a situation that you have friends all over the world, that you have names and phone numbers, all over the world. So you can, in this situation, not search for the phone number of the CERT of Indonesia. You have to name these two, three people in any CERT in order to contact them. Because sometimes, because of the hours, they may be sleeping, they may be only waking up, they may be at the end of the day. So you have to say, Hi, I'm Alberto, from Israel, it's late. I have a big issue. I need your support. Never mind, “Excuse me for the hour”, and then you begin.

So we talked about praying. Certainly a very important skill for every CISO to have. Talk to us a bit about the importance of visibility and situational awareness in the moments following a breach. How do you begin creating order from chaos?

I will have to know what happened. I will have to know details: who is infected, how much is the infection and what is the damage in 1 or 2 places. It’s enough for me. The moment I see that it's more than 20 locations, I know that it's spread. Then we have to begin to work fast in order to reduce the damage.

Act 3. The Turning of the Lens.

In cybersecurity, there's an old saying: everyone gets breached. Not everyone finds out. FireEye found out. It began with a flicker, a log entry that didn't add up. Then another, a pattern just shy of a pattern. And for a company whose business was finding needles in haystacks, this needle was exquisitely well hidden. But it was there. FireEye’s Red Team tools, digital lockpicks used to simulate attacks, had been accessed, not destroyed, not leaked, just copied, and whoever had done it knew exactly what they were looking for.

An internal task force was launched. The company turned its tools inward, scanning its own networks, investigating its own employees, rechecking its own assumptions. The hunt was personal now, and slowly the picture came into focus. The attacker hadn't breached FireEye directly. They'd come through the supply chain, through SolarWinds. The realization was staggering. SolarWinds wasn't just a vendor. They were infrastructure, like plumbing, power or oxygen. Their Orion software sat at the center of IT systems around the globe. And if Orion was compromised, then so was everything downstream: thousands of customers, federal agencies, intelligence networks, the private sector, all of them unknowingly wide open.

FireEye reached out to the US government, the Department of Homeland Security, the FBI and a newly formed alliance called the Cybersecurity and Infrastructure Security Agency, or CISA, for short. Together, they began the process of unwinding what would soon be named Sunburst. But as they traced the malware's behavior, its tactics, its traffic, its timing, something else emerged. This wasn't criminal. It wasn't about money. It wasn't even about destruction. This was espionage. Patient, strategic, state sponsored, and whoever was behind it, they were still out there.

Given your experience with ICS, what made SolarWinds so dangerous for industrial and government systems? What was the biggest mistake you think leadership made here?

That nobody was thinking that it can happen. So 95% were not prepared for this kind of attack. They were sure that the updates are okay. That nothing will happen. And because they were doing the same thing every week, every two weeks, every three weeks, not thinking that it may be this time a big attack. Let's take the event, if you remember, a few months ago, of CrowdStrike. So many entities update without checking and stop working. Flights were stopped. Schools. Hospitals. Because of what? Because of not learning the update. If you were planning the update and you are ready to give respect to the enemy, you give respect to the hackers. They are smart. They know what they are doing, give them respect and then you will be able to resist.

So I heard you mention complacency, doing the same thing in regards to security again and again and expecting different results. You also mentioned underestimating the skill and sophistication of your enemies. What role does human nature play in future threats, do you think? Will we continue to be the weakest link in our organizations' armor?

Take a red light, okay. Every day all over the world, people are crossing at red lights and some of them are having accidents. And we ask ourselves, how come it happened again? Why? Because it's human nature. We do not believe things will happen to us. No, it will happen to my neighbor, but not to myself. And this is one of the crimes of the human factor. We have to be more humble.

So SolarWinds certainly made us aware of the security exposure that blind trust in our vendor supply chain dependency creates. What are you doing to prevent this sort of supply chain security breach today?

Nothing is happening immediately to our systems. Always we have... never mind, not only in ICL, in all the places that respect themselves, they will take a small environment, they will check the things before continuing. We'll see if there is any connectivity to the internet, because in any attack they want to have connectivity to the internet and to build up this malware. The moment you see some activity that was not supposed to be there, suspect it. Don't think “oh it’s normal”. No, suspect it. Check it, verify it. If you see this, go to C2. Stop it. It can happen. Be ready to have every possibility.

Act 4. The Dominoes Fall.

November 2020. FireEye's revelation was just the opening move. Within days, SolarWinds confirmed what no one wanted to hear. Their software had been compromised. The scale was breathtaking. Nearly 18,000 customers had received the poisoned update. Governments, corporations, critical infrastructure, everyone. The breach had gone viral.

On December 8th FireEye stepped into the spotlight. They publicly announced their breach. Unprecedented transparency in a world often shrouded in secrecy. Days later, the name Sunburst was born. The malware was no longer a ghost. It had a face and it had a name. The US government moved swiftly. December 13th, an emergency directive ordered all federal agencies to shut down Orion immediately. This was a declaration of crisis. A digital red alert. The malware's command and control servers, the puppeteers behind the scenes, were seized by a coalition of Microsoft, FireEye and GoDaddy. The fight had entered the public domain. The media dubbed it a cyber Pearl Harbor. Senate hearings were called. The breach wasn't just a story, it was a crisis of confidence. How had the digital defenses of the most powerful institutions on Earth been so thoroughly bypassed?

Then the disclosures began to roll in. Microsoft revealed that attackers had viewed parts of their source code, but assured the public that no customer data had been stolen. The Department of Justice confirmed that hackers accessed thousands of employee email accounts. SolarWinds admitted internal weaknesses, from weak passwords to delayed vulnerability disclosures. Behind closed doors, fingers pointed. The breach exposed cracks in the fortress: lax security, ignored warnings, and the dangerous assumption that software supply chains were safe. A former SolarWinds security advisor would later testify that repeated warnings and cybersecurity risks were often overlooked by executives. And in the wake of the chaos, a second, unrelated attack began exploiting SolarWinds vulnerabilities. Opportunists seeking to cash in on the disaster.

By mid 2021, the fallout was undeniable. The US government mandated Zero Trust architectures. No longer could anyone be trusted by default. The breach had changed everything. But even as the dust settled, many agencies and companies remained in the dark about the full extent of their exposure. The truth was sprawling and complex, a puzzle still being pieced together. The breach had become more than an incident. It was a warning. A call to reimagine cybersecurity.

So after the breach is confirmed and the immediate response is underway, it's time to chat with those not so technical folks, the C-suite executive management team, the board of directors, and bring them all up to speed. Enact your BCP or business continuity plan. Can you offer any advice on how to handle that sometimes challenging group of individuals?

Again, as before, you have to pray. The management has to pray because the issue now is how to get out of this situation, because you are already under a mess, you have to get out. You have to overcome. It's not easy. You have to prepare yourself for the different situations. One of them that you detect, one of them that you did not detect and it’s over you. And then the infrastructure is more important, how the infrastructure is behaving to come back to life. BCP, how they'll prepare themselves to raise the company back to work. So everything depends on drills. On practice and on giving thought to all kinds of scenarios. If you will not practice various scenarios... take home for example, you want to protect the home against, let's say against a criminal that will enter your home: the analysis of all your windows, all your doors, all your walls, where they may be breached. And then you have a plan. But if one door is opened or breached, you have to have a plan how you overcome this situation. So at the end of it, it tends to professionalism and planning and practicing, because in cyber everything can happen.

So a lot of CISOs are noticing these days that these long dwell time attacks are seemingly becoming far more common. Why do you think they are so hard to spot? What would you attribute that to?

Because you have so many logs, so many events every day and you do not believe that something will happen. The issue is something with your mind. You have to suspect anything that is abnormal. If you do not suspect, you say, oh, it's nothing, ah, it’s nothing, ah, it’s nothing. When something will happen, you will say, “Ah, it’s nothing” and you will get hit.

If you had to look at the most common toolboxes that CISOs are utilizing these days, are there any detection practices that you think are being under utilized? Something that we think we should be considering that we're not? Maybe a method you employ that you think would significantly strengthen our defenses.

You have to have multiple systems that give you the alerts. If you have alerts from one system, probably the SOC will not react. Security Operation Center. If you have an alert that comes from two layers of defense, then they say something happened. So always have two layers of defense on each system, with kind of something that touches each other.

Act 5. The Reckoning.

As 2021 dawned, the world sought answers. Who was behind the breach and how deep did the damage run? On January 11th, the US government broke its silence. The attack was attributed to a Russian state sponsored group known in the shadows as APT29, also called CozyBear. A well-oiled espionage machine, patient and precise. Microsoft confirmed the attackers had viewed portions of its source code, but stressed no customer data had been compromised.

Meanwhile, SolarWinds faced intense scrutiny, not just from regulators but from a global community shaken by the breach. Weak passwords like SolarWinds123 became a symbol of negligence. Delayed vulnerability disclosures became a cautionary tale about the costs of bureaucracy in cybersecurity. In congressional hearings and security conferences, experts dissected every misstep. Testimonies revealed that internal warnings went unheeded, that executive leadership underestimated the threat. The breach was not merely a technological failure. It was a failure of culture, communication and accountability.

As the year progressed, the breach catalyzed a seismic shift in cyber policy. The US government mandated Zero Trust security models, a radical departure from legacy practices, as software supply chain security became a top priority worldwide, and private industry rushed to patch the vulnerabilities that had allowed the invisible invaders to slip through. Yet the story was far from over. By late 2021, many organizations still grappled with the fallout. The breach had become a case study in vulnerability, a stark reminder that no system, no matter how fortified, was impervious, and the world's digital landscape had forever changed.

In 2025 and beyond, the SolarWinds breach serves as a catalyst fueling innovation in cybersecurity, inspiring legislation, and sharpening the focus on trust in the digital age. It's a story of stealth and shadows, but also of resilience and reckoning, because in the ever evolving battle for cyberspace, the only certainty is vigilance.

What do you think the SolarWinds breach taught CISOs about how to handle relationships with supply chain vendors? Do you think it's made them a little paranoid or just cautious enough?

Design a good process for how you enter things into your organization, and to check things, to understand that even if it comes from SolarWinds, if it comes from Microsoft, suspect it. Don't think that if it comes from a big ‘SaaS’ company then it's safe for sure. No, they may be damaged exactly like most companies, because when you think that you know everything, then you fail.

Do you think most enterprises or national CERTs would handle a breach like this better today than they did back then?

No, I think that still it will stay 30% to 40% maximum of the states that will be ready and will react well, and 60 to 70% that will not react well. Because they are not preparing themselves enough.

So I think one of the things that makes the role of CISO such an interesting career is that it's so multifaceted, it calls on you to master so many skills, and one of those is kind of getting under the skin or inside the head of your enemy, knowing your enemy. What advice would you give other CISOs in terms of sort of that foundational piece of information they should consider when profiling or sizing up their enemies?

I think that we have to realize that there are bad people in the world, and they're organized crime, that they are smart and they know what they're doing, and they insist to succeed. And you have to be better than them, otherwise you will lose.

All right. So our final question is perhaps the most obvious one, but do you think we have really learned the lessons of SolarWinds as an industry? Are we in the same spot in terms of our defensive tactics and response strategies, or are we miles ahead of where we were before? Would you say that we've learned the necessary lessons?

We are not in the same spot. We are much better. But it doesn’t say that everybody is much better... It says that 40% or 30% of the states understood that they have to do activity in their state to raise their cyber culture. We are not speaking about awareness. We're speaking about culture, to the right situation that you have a culture of cyber in the UK, cyber culture in the United States. The moment you arrive to a cyber culture, then you know that you can deal with SolarWinds.

Mr Alberto ‘Deto’ Hassan, thank you so much for being our co-host today on The CISO Signal. I really appreciate your time and I'm looking forward to having you back again.

Thank you very much. Have a great day. Bye bye.

The SolarWinds breach wasn't a sudden explosion. It was a calculated infiltration that unfolded over months, hidden within trusted systems, in validated software. It exposed not only the vulnerabilities of a single company, but the fragility of an interconnected digital ecosystem where trust is the most valuable and most exploited currency. For security leaders, it was a harsh reminder: the adversary doesn't always announce their arrival with fanfare or brute force. Instead, they embed themselves in the supply chain. In the shadows of code. Patiently watching, learning and waiting for the perfect moment to move. The consequences reverberate beyond stolen data. They shake the foundation of operational integrity and national security. This is a story not just of a breach, but of a breach in confidence between vendor and customer, between system and operator, between assumption and reality.

As we move forward, the challenge is clear: to build defenses that anticipate stealth. To question assumptions long held sacred, and to accept that the perimeter is no longer a line, but a shifting landscape of trust. Because in the world of cybersecurity, the greatest danger often lies not in the obvious, but the obscured. And so we remain ever vigilant and always listening for The CISO Signal.

All episodes are based on publicly available reports, post-mortems, and expert analysis. While we've done our best to ensure accuracy, some cybersecurity incidents evolve over time and not all details have been confirmed. Our goal is to inform and entertain, not to assign blame where facts are unclear. We've used cautionary language and we always welcome your corrections. Thanks for listening to The CISO Signal.
