The location of the hack itself may also have played a role. Investigators are determining whether or not the hack violated SolarWinds offices in countries in Eastern Europe, such as Belarus, the Czech Republic and Poland. Engineers had ample access to the Orion network software compromised in the hack, and Russia would be more familiar with the region.
O Times also claims that SolarWinds took a long time to deal with security, facing security executives in 2017 in response to the EU privacy law and, allegedly, ignoring consultant Ian Thorton-Trump’s calls for “more proactive” internal safeguards. Thorton-Trump left the company frustrated by the lack of response to his concerns.
SolarWinds declined to comment on questions about its security, reiterating that it was the target of “a highly sophisticated, complex and targeted cyber attack.”
The full extent of the damage is not certain, although it is already clear that the culprits accessed Microsoft’s source code and attacked security firm CrowdStrike over federal agencies and other victims. It may take months or more before it is clear how the hack occurred and, more importantly, what damage was done.