We still don't know just how bad the SolarWinds security breach is. We do know over a hundred US government agencies and companies were cracked. Microsoft president Brad Smith said, with no exaggeration, that it's "the largest and most sophisticated attack the world has ever seen," with more than a thousand hackers behind it. But former SolarWinds CEO Kevin Thompson says it may have all started when an intern first set an important password to "'solarwinds123." Then, adding insult to injury, the intern shared the password on GitHub.
You can't make this stuff up.
A Goldin Solutions representative, a crisis-response PR firm, now claims, however, that SolarWinds has "determined that the credentials using that password were for a third-party vendor application and not for access to the SolarWinds IT systems." Indeed, the spokesperson claims that the application didn't even connect with the SolarWinds IT systems. Therefore, the credentials using this password had nothing to do with the SUNBURST attack or other breaches of the company's IT systems. That's not the impression SolarWinds' brass gave Congress earlier.
Thompson told a joint US House of Representatives Oversight and Homeland Security Committees hearing that the password was "a mistake that an intern made. They violated our password policies and they posted that password on an internal, on their own private Github account. As soon as it was identified and brought to the attention of my security team, they took that down."
Representative Katie Porter, Democrat from California, rejoined, "I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad."
How long did it actually take SolarWinds to replace the lousy password? Too long.
While SolarWinds executives said it was fixed within days of its discovery, current SolarWinds CEO Sudhakar Ramakrishna confessed that the password had been in use by 2017. Vinoth Kumar, the security researcher who discovered the leaked password had said SolarWinds didn't fix the issue until November 2019.
Almost two years is too long to leave an important password to go stale. You also have to wonder what an intern was doing setting a significant password in the first place.
While SolarWinds isn't sure that this password is the hole in the dyke that Russian hackers used to flood into American systems, it's a safe bet that a security culture that enabled such a basic mistake couldn't have helped.
Looking ahead, Smith suggested to the US Senate that in the future the Federal government should impose a "notification obligation on entities in the private sector." All too often no one knows about corporate security breaches until they've blown up the way SolarWinds' failure did. Smith agreed that isn't "a typical step when somebody comes and says, 'Place a new law on me,'" but "I think it's the only way we are going to protect the country."
In the meantime, as security company FireEye CEO Kevin Mandia said at the House hearing, "The bottom line: We may never know the full range and extent of the damage, and we may never know the full range and extent as to how the stolen information is benefiting an adversary."
That said, Mandia added, "I'm not convinced compliance in any standards regulation or legislation would stop Russian Foreign Intelligence Service from successfully breaching the organization."