SolarWinds adviser says his warnings were ignored
Austin-based company now finds itself at center of cybersecurity attack
A former security adviser at the IT monitoring and network management company SolarWinds Corp. said he warned management of cybersecurity risks and laid out a plan to improve the company's security that was ultimately ignored.
In a 23-page PowerPoint presentation reviewed by Bloomberg News, Ian Thornton-Trump recommended to company executives in 2017 that SolarWinds appoint a senior director of cybersecurity, and said he told them that “the survival of the company depends on an internal commitment to security.”
The following month, he terminated his relationship with the company, saying he believed its leadership wasn’t interested in making changes that would have “meaningful impact.”
Thornton-Trump, as well as a former SolarWinds software engineer who talked to Bloomberg News, said that given the cybersecurity risks at the company, they viewed a major breach as inevitable. Their concerns about SolarWinds are shared by several cybersecurity researchers, who discovered what they described as glaring security lapses at the company, whose software was used in a suspected Russian hacking campaign.
“My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack,” said Thornton-Trump, now the chief information security officer at threat intelligence firm Cyjax Ltd.
Hard to detect
Last week, the Austin-based SolarWinds found itself at the center of the largest cybersecurity attack in recent memory. Suspected Russian hackers breached the internal networks of at least 200 customers, including U.S. government agencies and an as-yet-unknown number of private companies, a cybersecurity firm and people familiar with the investigation told Bloomberg.
In an operation that cybersecurity experts have described as exceedingly sophisticated and hard to detect, the hackers installed malicious code in updates to SolarWinds’ widely used Orion software, which was sent to as many as 18,000 customers.
The malicious code provided the hackers access to the customers’ computer networks and, as clients around the world continue to comb their systems for signs of the Russian hackers, the list of victims is expected to grow.
In a statement posted on the SolarWinds website Friday, Kevin Thompson, the company’s chief executive officer, said that the company’s top priority was “to ensure that our and our customers’ environments are secure.”
“Security and trust in our software are the foundations of our commitment to our customers,” he said. “We strive to implement and maintain appropriate safeguards, processes, and procedures designed to protect our customers.”
Responding to Bloomberg News’ questions about the 2017 presentation and other security issues identified by researchers, a SolarWinds spokesperson said in a statement, “Our top priority is our work with our customers, our industry partners and government agencies to determine whether a foreign government orchestrated this attack, best understand its full scope, and to help address any customer needs that develop. We are doing this work as quickly and transparently as possible. There will be plenty of time to look back and we plan to do that in a similarly transparent way.”
In addition, the company said it is collaborating with law enforcement and “will continue gathering all relevant information to ensure an incident like this does not happen again.”
Password leaked online
Cybersecurity researchers also said they’ve discovered flaws with SolarWinds’ security practices.
One of them, Vinoth Kumar, said he notified SolarWinds in 2019 that the password to one of its servers had leaked online. The password, according to Kumar, was “solarwinds123.” SolarWinds told Kumar that the password had been visible due to a “misconfiguration,” and removed it.
In addition, until recently SolarWinds advised its customers on its website to disable virus scanning for Orion platform products so those products could run more efficiently, according to several cybersecurity researchers who posted about it on Twitter. Such an exclusion means that anything written to those directories, including a tampered binary, is never inspected by the antivirus product. The SolarWinds webpage has subsequently been removed from public view.
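As an added example of the check a practitioner would want after reading the above, and not code from the article or from SolarWinds: a PowerShell snippet that audits Microsoft Defender exclusions on a Windows host for entries that carve out SolarWinds or Orion paths, processes, or extensions. It assumes Microsoft Defender is the antivirus in use and that the substrings "SolarWinds" and "Orion" identify the relevant entries; both are assumptions, and the commented removal command is only an illustration of how to reinstate scanning.

```powershell
# Added example, not part of the original article or SolarWinds documentation.
# Assumption: Microsoft Defender is the antivirus product on this host.
# Assumption: exclusions worth flagging contain one of these substrings.
$patterns = @('SolarWinds', 'Orion')
$regex    = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# Get-MpPreference returns the current Defender configuration, including
# path, process and file-extension exclusions (each may be empty or $null).
$prefs = Get-MpPreference

$findings = @()
foreach ($kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($entry in $prefs.$kind) {
        if ($entry -match $regex) {
            $findings += [pscustomobject]@{ Kind = $kind; Entry = $entry }
        }
    }
}

if ($findings.Count -gt 0) {
    Write-Warning "Antivirus exclusions that match $($patterns -join ', ') were found:"
    $findings | Format-Table -AutoSize
    # To reinstate scanning for a specific path, remove the exclusion, e.g.:
    # Remove-MpPreference -ExclusionPath 'C:\Program Files (x86)\SolarWinds\Orion'
    # (the path above is an illustrative assumption; confirm the real entry first)
} else {
    Write-Output "No Defender exclusions matching $($patterns -join ', ') were found."
}
```

Run it in an elevated PowerShell session on each host that runs Orion; exclusions are per-host settings, so a single clean result does not clear the fleet, and the same audit should be repeated for any other endpoint-protection product in use.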
Jake Williams, a former hacker for the U.S. National Security Agency who is now president of cybersecurity firm Rendition Infosec, said technology companies such as SolarWinds that build and produce computer code often “don’t do security well.”
“Security is a cost center, not a profit center,” Williams said. “I think that probably has a lot to do with it. An underlying problem at SolarWinds has probably crept in through some missing security best practice.”
Even if SolarWinds had robust cybersecurity practices, however, it might not have deterred the alleged Russian hackers, who U.S. authorities described as highly skilled, patient and well resourced, demonstrating “complex tradecraft” in their attacks.
“The reality is that sophisticated threat actors, no matter how good the defenses, will eventually succeed,” said Costin Raiu, director of global research and analysis at the cybersecurity firm Kaspersky. “If the cost justifies the effort, the breach will happen.”
Though it isn’t a household name, SolarWinds’ software is popular in IT departments in the U.S. and elsewhere, with more than 320,000 customers; its technology monitors the performance of computers within a network. Company officials appear to be content with maintaining a low profile.
Since it was founded in 1999, SolarWinds and its partners have been awarded contracts with the U.S. government worth more than $230 million, according to sales records reviewed by Bloomberg News.