High level executives at SolarWinds have blamed the company’s “solarwinds123” password on an intern, following a major breach at the network software company which exposed several US government agencies and Fortune 500 businesses.
Late last year, it was revealed that 18,000 SolarWinds customers, including US government departments and high-profile businesses, had installed a malicious backdoor inserted by Russian state hackers as part of a significant security breach.
The hackers conducted a supply chain attack targeting SolarWinds, allowing them to insert malware in its updates for the enterprise-level network monitoring platform called Orion.
The malware lay dormant for more than a week before it started communicating with a command and control server that allowed it to profile the host machine and disable system services.
The security breach triggered an emergency National Security meeting at the White House in December.
The company is now investigating how the hackers were able to install this malware on SolarWinds’ network, with the breach also the subject of a joint hearing by the House Oversight and Homeland Security committees.
It was revealed that the company had used the password “solarwinds123”, and that stolen credentials are one of three possible avenues SolarWinds is examining as to how the actors gained access to its network.
At the hearing, the company was slammed for having such a simplistic password when it is dealing with such sensitive information and companies.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Rep. Katie Porter said at the hearing.
“You and your company were supposed to be preventing the Russians from reading Defense Department emails.”
Both the current and former SolarWinds CEOs blamed the password on an intern.
Former SolarWinds CEO Kevin Thompson said it was a “mistake that an intern made”.
“They violated our password policies and they posted that password on an internal, on their own private Github account,” Thompson told the hearing.
“As soon as it was identified and brought to the attention of my security team, they took that down.”
Current SolarWinds CEO Sudhakar Ramakrishna indicated the password was in use as far back as 2017, much earlier than previously understood.
“I believe that was a password that an intern used on one of his Github servers back in 2017, which was reported to our security team and it was immediately removed,” Ramakrishna said.
The password was discovered by a cybersecurity researcher on the public internet in 2019. The researcher said they had used the password to log into the company’s network and deposit files on its internal server, which would also allow a hacker to insert malware.
The security researcher alerted the company to this vulnerability, which SolarWinds said was corrected within days once it was detected.
It’s still unclear what role, if any, the “solarwinds123” password had in the massive security breach which enabled the Russian hackers to spy on the government agencies and big businesses.
It’s also been reported that Microsoft’s cloud may have been partly to blame for the hack, with its cloud infrastructure listed as a potential initial point of entry into the SolarWinds system.
It came after a report by the Wall Street Journal that nearly a third of organisations hit in the campaign weren’t actually using SolarWinds software, muddying the waters over how the hackers got in.
Microsoft published an advisory about the breach, labelling it “nation-state activity at significant scale”.
Following revelations of the breach, US media outlets quickly named Russian intelligence as the culprit behind the campaign, a claim swiftly denied by the Russian embassy in the US.
“Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the embassy said.
“Russia does not conduct offensive operations in the cyber domain.”