As cybersecurity researchers continue to piece together the sprawling SolarWinds supply chain attack, top executives of the Texas-based software services firm blamed an intern for a critical password lapse that went unnoticed for several years.
The said password "solarwinds123" was originally believed to have been publicly accessible via a GitHub repository since June 17, 2018, before the misconfiguration was addressed on November 22, 2019.
But in a hearing before the House Committees on Oversight and Reform and Homeland Security on SolarWinds on Friday, CEO Sudhakar Ramakrishna testified that the password had been in use as early as 2017.
While a preliminary investigation into the attack revealed that the operators behind the espionage campaign managed to compromise the software build and code signing infrastructure of SolarWinds Orion platform as early as October 2019 to deliver the Sunburst backdoor, Crowdstrike's incident response efforts pointed to a revised timeline that established the first breach of SolarWinds network on September 4, 2019.
To date, at least nine government agencies and 100 private sector companies have been breached in what's being described as one of the most sophisticated and well-planned operations that involved injecting the malicious implant into the Orion Software Platform with the goal of compromising its customers.
"A mistake that an intern made."
"I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad," Representative Katie Porter of California said. "You and your company were supposed to be preventing the Russians from reading Defense Department emails."
"I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed," Ramakrishna said in response to Porter.
Former CEO Kevin Thompson echoed Ramakrishna's statement during the testimony. "That related to a mistake that an intern made, and they violated our password policies and they posted that password on their own private GitHub account," Thompson said. "As soon as it was identified and brought to the attention of my security team, they took that down."
Security researcher Vinoth Kumar disclosed in December that he notified the company of a publicly accessible GitHub repository that was leaking the FTP credentials of the company's download website in the clear, adding a hacker could use the credentials to upload a malicious executable and add it to a SolarWinds update.
In the weeks following the revelation, SolarWinds was hit with a class-action lawsuit in January 2021 that alleged the company failed to disclose that "since mid-2020, SolarWinds Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran," and that "SolarWinds' update server had an easily accessible password of 'solarwinds123'," as a result of which the company "would suffer significant reputational harm."
While it's still not clear as to the extent the leaked password may have enabled the hack, a third-party spokesperson for the company claimed to the contrary.
"SolarWinds has determined that the credentials using that password were for a third-party vendor application and not for access to the SolarWinds IT systems," the spokesperson said. "Furthermore, the third-party application did not connect with the SolarWinds IT systems. As such, SolarWinds has determined that the credentials using this password had nothing to do with the SUNBURST attack or other breach of the company's IT systems."
NASA and FAA Also Targeted
Up to 18,000 SolarWinds customers are believed to have received the trojanized Orion update, although the threat actor behind the operation carefully chose their targets, opting to escalate the attacks only in a handful of cases by deploying Teardrop malware based on intel amassed during an initial reconnaissance of the target environment for high-value accounts and assets.
Besides infiltrating the networks of Microsoft, FireEye, Malwarebytes, and Mimecast, the attackers are also said to have used SolarWinds as a jumping-off point to penetrate the National Aeronautics and Space Administration (NSA) and the Federal Aviation Administration (FAA), according to the Washington Post.
The seven other breached agencies are the Departments of State, Justice, Commerce, Homeland Security, Energy, Treasury, and the National Institutes of Health.
"In addition to this estimate, we have identified additional government and private sector victims in other countries, and we believe it is highly likely that there remain other victims not yet identified, perhaps especially in regions where cloud migration is not as far advanced as it is in the United States," Microsoft President Brad Smith said during the hearing.
The threat group, alleged to be of Russian origin, is being tracked under different monikers, including UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), StellarParticle (CrowdStrike), and Dark Halo (Volexity).
"The hackers launched the hack from inside the United States, which further made it difficult for the U.S. government to observe their activity," Deputy National Security Advisor Anne Neuberger said in a White House briefing last month. "This is a sophisticated actor who did their best to hide their tracks. We believe it took them months to plan and execute this compromise."
Adopting a "Secure by Design" Approach
Likening the SolarWinds cyberattack to a "large-scale series of home invasions," Smith urged the need for strengthening the tech sector's software and hardware supply chains, and promoting broader sharing of threat intelligence for real-time responses during such incidents.
To that effect, Microsoft has open-sourced CodeQL queries used to hunt for Solorigate activity, which it says could be used by other organizations to analyze their source code at scale and check for indicators of compromise (IoCs) and coding patterns associated with the attack.
In a related development, cybersecurity researchers speaking to The Wall Street Journal disclosed that the suspected Russian hackers used Amazon's cloud-computing data centers to mount a key part of the campaign, throwing fresh light on the scope of the attacks and the tactics employed by the group. The tech giant, however, has so far not made its insights into the hacking activity public.
SolarWinds, for its part, said it's implementing the knowledge gained from the incident to evolve into a company that is "Secure by Design" and that it's deploying additional threat protection and threat hunting software across all its network endpoints including measures to safeguard its development environments.