We still don’t know how serious the SolarWinds security incident is. We know that over a hundred US government agencies and businesses were compromised as a result of the initial attack. Microsoft President Brad Smith has said, without exaggeration, that it is “the most important and sophisticated attack the world has ever known”, adding that it took the work of more than a thousand engineers on the attackers’ side. But former SolarWinds CEO Kevin Thompson said it might all have started when an intern set the password “solarwinds123” on a major system. Then, to make matters worse, the intern reportedly shared the password on GitHub.
You cannot make that up.
A representative of Goldin Solutions, a crisis management firm, however, states that SolarWinds has “determined that credentials using this password are being used for a third-party vendor application and not for accessing SolarWinds computer systems.” The spokesperson further claims that the application was not connected to SolarWinds computer systems, so the credentials using this password had nothing to do with the SUNBURST attack or with other incidents in the company’s computer systems. That is not the impression SolarWinds executives gave Congress earlier.
Mr. Thompson told two committees of the United States House of Representatives that the use of this password was “an intern error. He allegedly circumvented our password policy and posted this password on an internal GitHub account, on their own private account. As soon as it was identified and brought to the attention of my security team, they removed it.”
How long did it take for SolarWinds to change this bad password? Too long.
SolarWinds executives said it was fixed within days of its discovery, but the company’s current CEO, Sudhakar Ramakrishna, admitted that the password had been in use since 2017. Vinoth Kumar, the security researcher who discovered the password leak, said SolarWinds did not fix the problem until November 2019.
Almost two years is far too long to leave a password unchanged. You also have to ask what an intern was doing setting such an important password in the first place.
Even if SolarWinds is not sure that this password was the opening Russian hackers used to infiltrate American systems, it’s a safe bet that a security culture that allowed such a fundamental error certainly did not help.
Looking ahead, Brad Smith suggested to the US Senate that the federal government impose a “private sector entity notification requirement” in the future. Too often, no one learns of a corporate security incident until it blows up the way the SolarWinds incident did. Mr. Smith acknowledged that it is unusual for him to ask for regulation, but he believes that “it is the only way to protect the country”.
In the meantime, as Kevin Mandia, CEO of security firm FireEye, said during the House hearing, “The end result is this: We may never know the full extent and the magnitude of the damage, and we may never know the full extent and importance of how stolen information benefits an adversary.”
Mandia added: “I am not convinced that following standard regulations or legislation would prevent the Russian foreign intelligence service from successfully infiltrating the organization.”