SolarWinds Fallout Continues – NASA, FAA Breached

Fallout from the SolarWinds hack continues to come to light. NASA and the FAA are now among the affected, and it all started with a password.

The SolarWinds hack, likely by Russia or China or both, was a big fiasco for the US government. The hack affected at least seven government agencies and 100 private companies. The drama continues to unfold as it was announced that NASA and the FAA were both impacted by the hack, and apparently the whole thing started because of a weak password that was stored on a public website.

We could write a whole series of what NOT to do based on the SolarWinds hack alone. It will be difficult to hit on everything that’s happened so far, not to mention we may never know the full scale or impact this breach will have. What is certain is that the US plans to impose sanctions against Russia, and, according to Microsoft President Brad Smith, “This is the largest and most sophisticated sort of operation that we have seen.” It is thought that over 1,000 engineers were needed to create the attack.

It’s still uncertain how the attackers got into the SolarWinds platform, but it seems an intern could be responsible. Apparently, the intern set an important password to “solarwinds123” and then proceeded to share the password on GitHub. Yes, for real. Secret leaks on public git sites like GitHub happen multiple times a day, and automated crawlers exist that harvest the leaked credentials and use them in attacks. According to ZDNet, crisis-response PR firm Goldin Solutions is claiming that SolarWinds “determined that the credentials using that password were for a third-party vendor application and not for access to the SolarWinds IT systems.” The claim indicates that this issue is separate from the SUNBURST attack, even though it contradicts the impression SolarWinds’ executives gave Congress.

And there’s more. Of course there’s more. SolarWinds execs claimed that the password problem was fixed within days of its discovery. Except that current SolarWinds CEO, Sudhakar Ramakrishna, let it slip that the password had been in use since 2017, and the researcher who discovered the leaked password said that SolarWinds didn’t actually fix the problem until November 2019.

There are a number of problems with this scenario. First, why was an intern entrusted to set an “important” password? Second, why did the internal SolarWinds system allow such a generic password to exist? Third, once SolarWinds learned of the problem, why wasn’t it rectified immediately? Fourth, why was a password allowed to remain active for two years when, being that simple, it should have expired well before then? Fifth, even if the password wasn’t for an internal SolarWinds system, don’t you think an attacker is going to try it anyway? This is a prime example of security problems being left for a “later” that never comes.
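The first, second and fourth problems above are exactly what a pre-commit secret check and a password policy are meant to catch. The following is an added example, not code from the article or from SolarWinds: it flags hardcoded credential assignments in a file before it can be pushed, and rates each password against the weaknesses described here (vendor name in the password, dictionary word plus digits, too short, never rotated). The sample file contents, the organization name list and the dates are constructed, and the credential regex is a simplified stand-in for a real secret scanner.

```python
import re
from datetime import date

# Regex for common credential assignments in source or config files.
# Assumption: key=value / key: "value" forms; real scanners use far more patterns.
CRED_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|secret|api_key|token)\b\s*[:=]\s*["\']?([^"\'\s]+)')


def find_credentials(text):
    """Return (key, value) pairs that look like hardcoded credentials."""
    return [(m.group(1), m.group(2)) for m in CRED_RE.finditer(text)]


def password_weaknesses(pw, org_names, created, today, max_age_days=90):
    """List policy failures for a password (dates as ISO strings); [] means pass."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    lowered = pw.lower()
    for org in org_names:
        if org.lower() in lowered:
            problems.append(f"contains organization name '{org}'")
    if re.fullmatch(r"[a-z]+\d{1,4}", lowered):
        problems.append("dictionary word followed by digits")
    age = (date.fromisoformat(today) - date.fromisoformat(created)).days
    if age > max_age_days:
        problems.append(f"{age} days old, rotation overdue (max {max_age_days})")
    return problems


def scan_file(text, org_names, created, today):
    """Every credential found in the text, paired with its policy failures."""
    return [(key, value, password_weaknesses(value, org_names, created, today))
            for key, value in find_credentials(text)]


# Constructed sample: a config file that should never reach a public repository.
SAMPLE = 'ftp_host = "files.example.test"\npassword = "solarwinds123"\n'


def demo_results():
    """Scan the constructed sample with constructed creation/review dates."""
    return scan_file(SAMPLE, ["solarwinds"], "2017-06-01", "2019-11-01")


if __name__ == "__main__":
    for key, value, problems in demo_results():
        print(f"{key}={value!r}: " + ("; ".join(problems) or "ok"))
```

Wired into a pre-commit hook over staged files, a check like this rejects the commit before the secret ever reaches a public remote, which is cheaper than rotating a credential that crawlers have already harvested.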

This quote from ZDNet says it perfectly, “While SolarWinds isn’t sure that this password is the hole in the dyke that Russian hackers used to flood into American systems, it’s a safe bet that a security culture that enabled such a basic mistake couldn’t have helped.” That’s for sure.

On top of all of this, SolarWinds is now being investigated by the SEC for insider trading. According to The Washington Post, “The SEC probe, which had not been disclosed previously, comes after the largest investors in SolarWinds sold $315 million in shares of the company days before the hack was revealed. The investor group avoided losses of more than $100 million, while the buyer, Canada’s largest pension fund, saw the value of its new shares decline more than 40 percent in the days after cyberattack became public.”

SolarWinds is under a lot of fire right now. Congress and others question whether private companies can keep our country secure. Microsoft’s Smith even suggested to the US Senate that the federal government should force companies in the private sector to notify customers when there is a breach. He acknowledged that most corporate security breaches aren’t known until they blow up the way this attack did. Not many people are going to suggest a law be imposed on them, but he said, “I think it’s the only way we are going to protect the country.”

FireEye CEO Kevin Mandia said that we may never know the extent of the damage or how the stolen information is helping an adversary. He also added, “I’m not convinced compliance in any standard regulation or legislation would stop Russian Foreign Intelligence Service from successfully breaching the organization.” 

That’s not at all what people want to hear, and it is the exact reason that companies have to stay on top of security. Fixes must be implemented immediately, security must be incorporated into development, configuration must be correct, testing must be consistent, and regular reviews matter. There are many lessons to be learned from the SolarWinds hack; the best thing businesses can do is try to learn from them.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as a trusted technical partner for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. It was founded by 20-year software engineering veterans who have founded or co-founded several companies. PWV experts act as trusted advisors and mentors to numerous early-stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high-impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.
