Never before has a foreign power carried out a cyber operation at this scale, over such a period of time, and against this many companies and agencies on U.S. soil. While the exact details and damage of the cyber attack are still under investigation, this much is clear: many U.S. companies, government agencies, and even large tech firms were caught off guard.
"The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on – an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way," according to a Wall Street Journal analysis of the attack.
As a result of the breach, many cybersecurity stocks rallied on expected demand for increasing IT and security spending by both government agencies and the private sector. The First Trust NASDAQ Cybersecurity ETF (CIBR) jumped 5% on Friday.
The Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, dating the attack to "at least March 2020." Reporting by The Wall Street Journal this week dates the SolarWinds Corporation (SWI) attack to as early as October 2019. U.S. government officials such as Secretary of State Mike Pompeo and private actors such as FireEye, Inc. (FEYE) have identified SVR, Russia's foreign intelligence agency, as the most likely entity behind the attack.
Because the hackers attached their malware to a SolarWinds software update, the entities affected include the U.S. departments of State, Treasury, Commerce, Energy, and Homeland Security; the National Institutes of Health and the California Department of State Hospitals; and Cisco Systems, Inc. (CSCO), NVIDIA Corporation (NVDA), VMware, Inc. (VMW), Deloitte, and Belkin International, according to The Wall Street Journal's analysis of internet records. The extent of the damage shows that everyone is vulnerable.
SolarWinds acknowledged that the attack could have affected as many as 18,000 of its customers, while CISA noted that SolarWinds was not the only entry point the attackers used to breach cybersecurity defenses. "CISA has evidence that there are initial access vectors other than the SolarWinds Orion platform," officials said. "This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations."
This is where cybersecurity firms come in: they are expected to benefit from the urgent demand to boost defenses against foreign threats and to accommodate operations in a more remote work environment. The overall corporate security market is expected to grow more than 10% annually through 2024, according to Gartner research.
Year-to-Date Winners
While cybersecurity stocks are in a crowded field with a range of offerings and target markets poised to benefit from the spike in demand, the names below are among the biggest winners this year and are likely to continue their streak.
CrowdStrike Holdings, Inc. (CRWD), which has jumped 345% this year, delivered results for its third quarter that exceeded analysts' expectations. It also received upgrades and price target increases from analysts last month. Although some consider CrowdStrike shares overvalued, other analysts cite the company's strong performance and stock price momentum as their rationale for a "buy" rating.
Tenable Holdings, Inc. (TENB), which has risen 129% year to date, offers vulnerability management solutions and maps out business infrastructure and weaknesses. The number of hedge funds holding positions in this stock right now is at an all-time high. With its clients including more than 50% of the Fortune 500 and more than 30% of the Global 2000 and large government agencies, Tenable is poised to continue to do well.
Varonis Systems, Inc. (VRNS), which has gained 120% in 2020, provides its clients with managed threat detection and response services. Varonis is poised to benefit from increased spending due to its focus on governance and compliance, according to analysts. Just last week, the company's Varonis Data Security Platform received Common Criteria certification from the National Information Assurance Partnership (NIAP), a U.S. government initiative for security standards.
Qualys, Inc. (QLYS), a company founded in 1999, has risen 48% this year. Last month, the company that specializes in cloud-based IT and security solutions introduced Qualys Runtime Container Security, which offers "critical file-access monitoring and blocking, network micro-segmentation, vulnerability and exploit mitigation, and virtual patching." The company has more than 15,700 active customers in over 130 countries.
FireEye, which is another cloud-based cybersecurity firm, took one of the most public, proactive stances on the latest attack. The company moved swiftly to address the hack by publishing countermeasure tools. The CEO has also called for establishing clear consequences for perpetrators of cyberattacks in his interview with CBS "Face the Nation." Many cyberattacks in recent years have taken place without major retaliatory steps from the U.S. government. FireEye stock has gained 46% this year.