SolarWinds’s Security Practices Questioned by Lawmakers

SolarWinds Corp.’s security practices in the years leading up to a major cyber-attack by suspected Russian hackers, who leveraged the company’s software to infiltrate government agencies and private-sector companies, were questioned by lawmakers in Washington.

At a Friday hearing on the hack by two House committees, Representative Bennie Thompson, a Democrat from Mississippi and chairman of the Homeland Security Committee, asked SolarWinds representatives about reports of lax security at the company.

Kevin Thompson, who served as chief executive officer at the time of the breach, defended SolarWinds, saying it had beefed security in recent years and spent more than most technology companies of similar size.

“I believe that we have, over the history of time, taken security seriously -- security of our internal systems, and the secure development of our products,” said Thompson, the former SolarWinds CEO.

The cyber-attack was revealed in December after FireEye Inc. discovered it while investigating a breach of its own. The hackers implanted malicious code into SolarWinds’s popular Orion software, and as many as 18,000 customers received it while updating the software. Far fewer were actually targeted for secondary attacks -- about 100 companies and nine U.S. agencies, according to the White House.

A persistent question has been how the hackers originally breached SolarWinds. At the hearing, SolarWinds CEO Sudhakar Ramakrishna said the company was still investigating but had narrowed it to three possible methods. The hackers may have used a technique called “password spraying,” where the attackers “spray” passwords at a large volume of usernames. A second possibility was that the hackers stole credentials, he said, while the third was a breach of a third-party application used by SolarWinds.

Among the alleged security lapses at SolarWinds that were raised at the hearing was the use of the password “solarwinds123.” A cybersecurity researcher said he notified SolarWinds in 2019 that the password --- to one of its servers -- had leaked online.

In addition, lawmakers asked the SolarWinds representatives about a former security adviser who had recommended ways to improve cybersecurity and had stated that “the survival of the company depends on an internal commitment to security.”

The hearing was the second time this week that lawmakers heard from technology executives about the cyber-attack. Executives from cybersecurity companies and SolarWinds appeared before the Senate Intelligence Committee on Feb. 23 -- at a hearing in which lawmakers criticized Amazon Web Services for failing to appear before the committee despite an invitation. AWS wasn’t invited to Friday’s hearing, according to a committee aide.

Representative Clay Higgins, a Republican from Louisiana, asked about reports the hackers used AWS servers to launch some of the attacks.

Brad Smith, the president of Microsoft Corp. and a witness at Friday’s hearing, responded by explaining the need for transparency about cyber-attacks, drawing a contrast between his company and Amazon. “I am here today. I am answering all your questions. Microsoft has published 32 blogs since this came to light. Amazon has yet to publish its first.”

An Inc. representative said the company wasn’t affected by “the SolarWinds issue” and didn’t use their software. The cyber-attack “demonstrated the security strengths of the cloud and the importance of modernizing legacy IT systems,” the representative said.

Bipartisan leaders of the Senate Intelligence Committee and technology executives who testified at the hearings called for a federal data breach notification law that would require companies to notify the federal government of cyber-attacks. Thompson, the chairman of the Homeland Security Committee, said at Friday’s hearing that he would support such a measure.

©2021 Bloomberg L.P.

BQ Install

Bloomberg Quint

Add BloombergQuint App to Home screen.