The password in question, “solarwinds123”, was discovered in 2019 on the public Internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.
Several U.S. lawmakers raided SolarWinds for the password issue on Friday, at a joint hearing by the House and Homeland Security oversight committees.
“I have a stronger password than ‘solarwinds123’ to prevent my kids from watching YouTube a lot on their iPads,” said MP Katie Porter. “You and your company should be preventing Russians from reading Defense Department emails!”
Microsoft President Brad Smith, who also testified at Friday’s hearing, said later that there is no evidence that the Pentagon was actually affected by the Russian espionage campaign. Microsoft is among the companies that led the forensic investigation of the hacking campaign.
“There is no indication, to my knowledge, that the DoD was attacked,” Smith told Porter.
SolarWinds representatives told lawmakers on Friday that as soon as the password problem was reported, it was fixed in a few days.
Stolen credentials are one of three possible avenues of attack that SolarWinds is investigating while trying to find out how it was first compromised by hackers, who went on to hide malicious code in software updates that SolarWinds sent to about 18,000 customers, including several agencies federal.
Other theories that SolarWinds is exploring, said SolarWinds CEO Sudhakar Ramakrishna, include guessing passwords for companies with brute force, as well as the possibility that hackers have entered via compromised third-party software.
Confronted by Rep. Rashida Tlaib, former SolarWinds CEO Kevin Thompson said the password problem was “a mistake made by an intern”.
“They violated our password policies and posted that password to an internal Github account,” said Thompson. “As soon as it was identified and brought to the attention of my security team, they removed it.”
Neither Thompson nor Ramakrishna explained to lawmakers why the company’s technology allowed these passwords in the first place.
Ramakrishna later testified that the password was already in use in 2017.
“I believe it was a password that an intern used on one of his Github servers in 2017,” Ramakrishna told Porter, “which was reported to our security team and was immediately removed.”
E-mails between Kumar and SolarWinds showed that the leaked password allowed Kumar to log in and successfully deposit files on the company’s server. Using this tactic, Kumar warned the company, any hacker could upload malicious programs to SolarWinds.
During the hearing, FireEye CEO Kevin Mandia said it may be impossible to fully determine how much damage was caused by the suspected Russian hack.
“Conclusion: we may never know the full extent and extent of the damage, and we may never know the full extent and extent of how the stolen information is benefiting an opponent,” testified Mandia.
To do a damage assessment, Mandia said, authorities should not only catalog what data was accessed, but also imagine all the ways in which the data can be used and misused by foreign actors – a monumental task.