As cybersecurity researchers continue to piece together the
sprawling SolarWinds supply chain attack[1], top executives of the
Texas-based software services firm blamed an intern for a critical
password lapse that went unnoticed for several years.
The password, “solarwinds123”[2], was originally believed to have been
publicly accessible in a GitHub repository from June 17, 2018, until
the exposure was addressed on November 22, 2019.
But in a joint hearing[3] on SolarWinds before the House Committees on
Oversight and Reform and on Homeland Security on Friday, CEO Sudhakar
Ramakrishna testified that the password had been in use as early as
2017.
While a preliminary investigation into the attack found that the
operators behind the espionage campaign had compromised the software
build and code signing infrastructure of the SolarWinds Orion platform
as early as October 2019 in order to deliver the Sunburst backdoor,
CrowdStrike’s incident response work pointed to a revised timeline[4]
that placed the first breach of the SolarWinds network on September 4,
2019.
To date, at least nine government agencies and about 100 private
sector companies are known to have been breached in what is being
described as one of the most sophisticated and well-planned operations
to date: a malicious implant was injected into the Orion Software
Platform with the goal of compromising its customers.
“A mistake that an intern made.”
“I’ve got a stronger password than ‘solarwinds123’ to stop my
kids from watching too much YouTube on their iPad,” Representative
Katie Porter of California said. “You and your company were
supposed to be preventing the Russians from reading Defense
Department emails.”
“I believe that was a password that an intern used on one of his
servers back in 2017 which was reported to our security team and it
was immediately removed,” Ramakrishna said in response to
Porter.
Former CEO Kevin Thompson echoed Ramakrishna’s statement during
the testimony. “That related to a mistake that an intern made, and
they violated our password policies and they posted that password
on their own private GitHub account,” Thompson said. “As soon as it
was identified and brought to the attention of my security team,
they took that down.”
Security researcher Vinoth Kumar disclosed[5] in December that he had
notified the company of a publicly accessible GitHub repository that
was leaking the FTP credentials of the company’s download website in
the clear, adding that an attacker could have used the credentials to
upload a malicious executable and add it to a SolarWinds update.
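As an added example (not code from the article, from SolarWinds, or from the researcher), the following Python scanner looks for the two shapes of leak described above: URLs with an embedded user:password pair (ftp://user:pass@host) and config-style password assignments, and rates each literal password with simple weakness heuristics (length, character diversity, a word-plus-digits shape, and whether it embeds the organisation’s own name). The sample config, its host names, the thresholds and the regular expressions are all constructed for illustration.

```python
"""Scan a repository snapshot for plaintext credentials.

Added example, not SolarWinds or Hacker News code. It finds URLs with an
embedded user:password pair (ftp://u:p@host) and config-style
assignments (password = ..., api_secret: "..."), then rates each literal
password with simple heuristics. Thresholds, the sample file and every
host name below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# URL with credentials in the authority part, e.g. ftp://user:pass@host/
URL_CRED_RE = re.compile(
    r"(?i)\b(?P<scheme>ftps?|sftp|https?)://"
    r"(?P<user>[^\s:/@]+):(?P<pw>[^\s/@]+)@(?P<host>[^\s/:]+)"
)
# key = value / key: "value" where the key ends in a password-like word.
# No \b before the key so ftp_password / db_passwd are caught too
# (at the cost of matching e.g. "compass: x"; tune for your code base).
ASSIGN_RE = re.compile(
    r"(?i)(?P<key>pass(?:word|wd)?|pwd|secret)\s*[:=]\s*[\"']?(?P<pw>[^\s\"']+)"
)
# Values that are references rather than literals: ${ENV}, %ENV%, <placeholder>.
PLACEHOLDER_PREFIXES = ("$", "{", "%", "<")


@dataclass
class Finding:
    line_no: int
    kind: str
    password: str
    weaknesses: list = field(default_factory=list)


def password_weaknesses(pw, org_terms=("solarwinds",)):
    """Return the heuristic weaknesses of a literal password, in a fixed order."""
    found = []
    if len(pw) < 8:
        found.append("short")
    lower = pw.lower()
    for term in org_terms:
        if term in lower:
            found.append(f"contains '{term}'")
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        found.append("low character diversity")
    if re.fullmatch(r"[a-z]+\d{1,4}", pw):
        found.append("word+digits pattern")
    return found


def scan(text, org_terms=("solarwinds",)):
    """Return a Finding for every literal credential in text, in line order."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in URL_CRED_RE.finditer(line):
            findings.append(Finding(n, f"{m['scheme'].lower()}-url", m["pw"],
                                    password_weaknesses(m["pw"], org_terms)))
        # Strip URL matches first so the same password is not reported twice.
        for m in ASSIGN_RE.finditer(URL_CRED_RE.sub("", line)):
            pw = m["pw"]
            if pw.startswith(PLACEHOLDER_PREFIXES):
                continue  # env-var or template reference, not a literal secret
            findings.append(Finding(n, f"assignment:{m['key'].lower()}", pw,
                                    password_weaknesses(pw, org_terms)))
    return findings


# Constructed sample config; the hosts and values are invented.
SAMPLE = """\
# constructed sample, not a real SolarWinds file
[deploy]
host = downloads.example.com
upload_url = ftp://deployer:solarwinds123@downloads.example.com/updates/
db_password = ${DB_PASSWORD}
api_secret: "Xk9#vL2!pQr7mW4z"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f.line_no}: {f.kind} password={f.password!r} "
              f"weaknesses={f.weaknesses or 'none'}")
```

Run the scanner over `git log -p --all` output rather than only the checked-out tree: deleting a file from a repository, as SolarWinds says was done here, does not remove the credential from the commit history, and anyone who cloned or cached the repository in the meantime still has it. A strong secret (the `api_secret` line above reports no weaknesses) is still a finding, because the problem is the plaintext commit, not only the password quality.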
In the weeks following the revelation, SolarWinds was hit with a
class-action lawsuit[6]
in January 2021 that alleged the company failed to disclose that
“since mid-2020, SolarWinds Orion monitoring products had a
vulnerability that allowed hackers to compromise the server upon
which the products ran,” and that “SolarWinds’ update server had an
easily accessible password of ‘solarwinds123’,” as a result of
which the company “would suffer significant reputational harm.”
NASA and FAA Also Targeted
Up to 18,000 SolarWinds customers are believed to have received the
trojanized Orion update, although the threat actor behind the
operation carefully chose its targets[7], escalating in only a handful
of cases by deploying the Teardrop malware, based on intelligence
gathered during initial reconnaissance of the victim environment for
high-value accounts and assets.
Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes,
CrowdStrike, and Mimecast, the attackers are also said to have used
SolarWinds as a jumping-off point to penetrate[8] the National
Aeronautics and Space Administration (NASA) and the Federal Aviation
Administration (FAA), according to the Washington Post.
The seven other breached agencies are the Departments of State,
Justice, Commerce, Homeland Security, Energy, Treasury, and the
National Institutes of Health.
“In addition to this estimate, we have identified additional
government and private sector victims in other countries, and we
believe it is highly likely that there remain other victims not yet
identified, perhaps especially in regions where cloud migration is
not as far advanced as it is in the United States,” Microsoft
President Brad Smith said during the hearing.
The threat group, alleged to be of Russian origin[9], is being tracked under
different monikers, including UNC2452 (FireEye), SolarStorm (Palo
Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo
(Volexity).
“The hackers launched the hack from inside the United States,
which further made it difficult for the U.S. government to observe
their activity,” Deputy National Security Advisor Anne Neuberger
said[10] in a White House
briefing last month. “This is a sophisticated actor who did their
best to hide their tracks. We believe it took them months to plan
and execute this compromise.”
Adopting a “Secure by Design” Approach
Likening the SolarWinds cyberattack to a “large-scale series of home
invasions,” Smith urged[11] strengthening the tech sector’s software
and hardware supply chains and broader sharing of threat intelligence
so that such incidents can be responded to in real time.
To that end, Microsoft has open-sourced the CodeQL queries[12] it used
to hunt for Solorigate activity, which it says other organizations can
run to analyze their source code at scale for indicators of compromise
(IoCs) and for the coding patterns associated with the attack.
In a related development, cybersecurity researchers speaking[13] to
The Wall Street Journal disclosed that the suspected Russian hackers
used Amazon’s cloud-computing data centers to mount a key part of the
campaign, throwing fresh light on the scope of the attacks and the
tactics employed by the group. Amazon, however, has so far not made
its insights into the hacking activity public.
SolarWinds, for its part, said it’s implementing the knowledge
gained from the incident to evolve into a company that is “Secure
by Design” and that it’s deploying additional threat protection and
threat hunting software across all its network endpoints including
measures to safeguard its development environments.
References
[1] SolarWinds supply chain attack (thehackernews.com)
[2] solarwinds123 (thehackernews.com)
[3] hearing (homeland.house.gov)
[4] revised timeline (thehackernews.com)
[5] disclosed (thehackernews.com)
[6] class-action lawsuit (thehackernews.com)
[7] carefully chose their targets (thehackernews.com)
[8] penetrate (www.washingtonpost.com)
[9] Russian origin (thehackernews.com)
[10] said (www.whitehouse.gov)
[11] urged (blogs.microsoft.com)
[12] open-sourced CodeQL queries (www.microsoft.com)
[13] speaking (www.wsj.com)
Original article: http://feedproxy.google.com/~r/TheHackersNews/~3/rAjjh0_0k7M/solarwinds-blame-intern-for-weak.html
