As cybersecurity thinkers and researchers globally continue to piece together the SolarWinds supply chain attack, new — and often fascinating — pieces of information keep coming to light. Some of them are technical, others are jaw-dropping in their simplicity.
In the latest revelations, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.
The password “solarwinds123” was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019.
In a hearing before the House Oversight and Reform and Homeland Security Committees on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017.
A preliminary investigation into the attack found that the operators behind the espionage campaign had compromised the software build and code-signing infrastructure of the SolarWinds Orion platform as early as October 2019 in order to deliver the Sunburst backdoor. CrowdStrike's incident response work subsequently produced a revised timeline that places the first breach of the SolarWinds network on September 4, 2019.
To date, at least nine government agencies and 100 private sector companies are known to have been breached in what is being described as one of the most sophisticated and well-planned operations on record: a malicious implant was injected into the Orion Software Platform with the goal of compromising its customers.
“A mistake that an intern made”
Congressional Representative Katie Porter (of California) said to the SolarWinds CEO:
I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad…You and your company were supposed to be preventing the Russians from reading Defense Department emails.
Ramakrishna responded: “I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed”.
Former CEO Kevin Thompson echoed Ramakrishna’s statement during the testimony.
“That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”
Security researcher Vinoth Kumar disclosed in December that he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company’s download website, adding that a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.
In the weeks following the revelation, SolarWinds has been hit with a class-action lawsuit that alleged the company failed to disclose that “since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran,” and that “SolarWinds’ update server had an easily accessible password of ‘solarwinds123’,” as a result of which the company “would suffer significant reputational harm.”
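The leak described above, FTP credentials sitting in a public repository for well over a year, is the textbook case for scanning repository contents before they reach a public remote. The Python below is an added example written for this page; it is not code from the article, from SolarWinds, or from the researcher who reported the leak. It scans a constructed set of files (paths, hostnames and contents are invented here) for credentials embedded in URLs and for quoted values assigned to password-like variable names, skips obvious placeholders so that `password: "${FTP_PASSWORD}"` is not reported, and separately flags passwords of the "organisation word plus digits" shape that the hearing was about. The organisation word list is an assumption supplied by the caller.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample repository for this example. Paths, hostnames and file contents
# are invented here; they are not SolarWinds' files. The password string is the one
# the article discusses.
SAMPLE_REPO: Dict[str, str] = {
    "deploy/upload.ps1": (
        '$ftpUser = "deployer"\n'
        '$ftpPass = "solarwinds123"\n'
        '$dest = "ftp://downloads.example.test/orion/"\n'
    ),
    "scripts/mirror.sh": (
        "#!/bin/sh\n"
        "curl -T build.msi ftp://release:solarwinds123@downloads.example.test/orion/\n"
    ),
    "README.md": "Set FTP_PASSWORD in your environment before running upload.ps1.\n",
}

# Credentials embedded in a URL: scheme://user:password@host
URL_CRED = re.compile(r"\b(?:ftp|ftps|sftp|https?)://([^/\s:@]+):([^@\s/]+)@")

# A quoted value assigned to a variable whose name suggests a secret
# ($ftpPass = "...", api_key: '...', password = "..."). Case-insensitive.
ASSIGNMENT = re.compile(
    r"""(?i)\$?[\w.-]*(?:pass(?:word|wd)?|secret|token|api[_-]?key)[\w.-]*\s*[:=]\s*["']([^"']{4,})["']"""
)

# Shape of the weakest credential: an organisation or product word plus a short
# numeric suffix and at most one trailing symbol, e.g. "solarwinds123".
GUESSABLE = re.compile(r"^(?P<word>[a-z]+)(?P<suffix>\d{0,4}[!@#$]?)$")


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    secret: str


def is_placeholder(value: str) -> bool:
    """Skip values that reference a variable or are obvious stand-ins rather than
    real secrets: $VAR, ${VAR}, %VAR%, <placeholder>, {{ var }}, changeme."""
    return value.startswith(("$", "%", "<", "{{")) or value.lower() in {
        "changeme", "password", "example", "redacted",
    }


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every credential-like hit in one file, with its 1-based line number."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in URL_CRED.finditer(line):
            findings.append(Finding(path, line_no, "credential-in-url", m.group(2)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            if not is_placeholder(value):
                findings.append(Finding(path, line_no, "hardcoded-password", value))
    return findings


def scan_repo(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: contents} mapping, e.g. built from `git ls-files` and `git show`."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def looks_guessable(secret: str, org_words: Set[str]) -> bool:
    """True when the secret is an organisation/product word followed by a short
    digit run, the first pattern an attacker tries against a company's own systems."""
    m = GUESSABLE.match(secret.lower())
    return m is not None and m.group("word") in org_words


if __name__ == "__main__":
    org_words = {"solarwinds", "orion"}  # assumed: words derived from the repo's owner
    for f in scan_repo(SAMPLE_REPO):
        flag = " (guessable: org word + digits)" if looks_guessable(f.secret, org_words) else ""
        print(f"{f.path}:{f.line_no}: {f.rule} -> {f.secret!r}{flag}")
```

Run against the sample, the scanner reports the PowerShell assignment and the credential-bearing curl URL, ignores the README's environment-variable reference, and marks both hits as guessable. In practice a check like this belongs in a pre-commit hook and in CI over the full git history, since a secret that was committed and later removed is still recoverable from older commits, which is exactly why the window in the case above ran from 2018 to 2019 rather than closing when the file was "taken down".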
NASA and FAA Also Targeted
Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update. The threat actor behind the operation, however, chose its targets carefully, escalating the attack in only a handful of cases by deploying the Teardrop malware, based on intelligence gathered during an initial reconnaissance of the target environment for high-value accounts and assets.
Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, CrowdStrike, and Mimecast, the attackers are also said to have used SolarWinds as a jumping-off point to penetrate the National Aeronautics and Space Administration (NASA) and the Federal Aviation Administration (FAA), according to the Washington Post.
The seven other breached agencies are the Departments of State, Justice, Commerce, Homeland Security, Energy, and the Treasury, as well as the National Institutes of Health.
“In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States,” Microsoft President Brad Smith said during the hearing.
The threat group, alleged to be of Russian origin, is being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).
Adopting a “Secure by Design” Approach
Likening the SolarWinds cyberattack to a “large-scale series of home invasions,” Smith urged the need for strengthening the tech sector’s software and hardware supply chains, and promoting broader sharing of threat intelligence for real-time responses during such incidents.
To that effect, Microsoft has open-sourced CodeQL queries used to hunt for Solorigate activity, which it says could be used by other organisations to analyse their source code at scale and check for indicators of compromise (IoCs) and coding patterns associated with the attack.
In a related development, cybersecurity researchers speaking to The Wall Street Journal disclosed that the suspected Russian hackers used Amazon’s cloud-computing data centers to mount a key part of the campaign, throwing fresh light on the scope of the attacks and the tactics employed by the group. The tech giant, however, has so far not made its insights into the hacking activity public.
SolarWinds, for its part, said it is applying the lessons of the incident to evolve into a company that is "Secure by Design", and that it is deploying additional threat protection and threat hunting software across all of its network endpoints, along with measures to safeguard its development environments.