JetBrains’ CEO, Maxim Shafirov, denied reports from multiple news outlets that the company played a role in the SolarWinds supply chain attack.
The privately-held software vendor was founded in Prague, Czech Republic, in February 2000, and it has more than 1,200 employees.
JetBrains’ products are used by over 9,000,000 developers from more than 300,000 companies worldwide, including 95 Fortune 100 companies and 79 Fortune Global 100 companies.
The company’s customer list includes Google, Netflix, Twitter, HP, Valve, Samsung, Volkswagen, NASA, Ubisoft, Citibank, Expedia, VMware, The New York Times, and many other high profile companies and organizations.
According to reports published by The New York Times, The Wall Street Journal, and Reuters, US officials are investigating whether JetBrains’ systems were breached and whether the attackers used that access to infiltrate customer networks.
TeamCity, a continuous integration and deployment system used for unit testing and code quality analysis, is the JetBrains product that officials are reportedly looking into as a potential attack vector used by the SolarWinds hackers.
The reports present multiple potential investigation avenues, including the possibility that the TeamCity software was backdoored by the threat actors to infiltrate JetBrains customers’ systems, and the possibility that a SolarWinds TeamCity server was compromised by exploiting high-severity or critical vulnerabilities.
Reports of involvement denied by CEO
JetBrains’ CEO issued an official statement after the media reports were published denying that the company was involved in any way in the SolarWinds hack.
“First and foremost, JetBrains has not taken part or been involved in this attack in any way,” Shafirov said. “SolarWinds is one of our customers and uses TeamCity, which is a Continuous Integration and Deployment System, used as part of building software.
“SolarWinds has not contacted us with any details regarding the breach and the only information we have is what has been made publicly available.”
He also said that he has no knowledge of any investigation into JetBrains’ alleged involvement in the SolarWinds supply-chain attack, since no security agency or government had contacted the company by the time the statement was published.
“Secondly, we have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation,” he added. “If such an investigation is undertaken, the authorities can count on our full cooperation.”
Shafirov added that either TeamCity vulnerabilities or a misconfigured TeamCity server could have been used as a potential pathway into a customer’s network.
“It’s important to stress that TeamCity is a complex product that requires proper configuration,” he said. “If TeamCity has somehow been used in this process, it could very well be due to misconfiguration, and not a specific vulnerability.”
A JetBrains spokesman also told Reuters that the company is not aware of a JetBrains breach that could have led to a hack or of any customers being impacted after exploitation of a TeamCity vulnerability.