- SolarWinds told Congress that using the password ‘solarwinds123’ was an intern’s mistake.
- A key researcher told Insider the log-in information was posted publicly on GitHub for years.
- Cybersecurity experts say the issue appears to represent more than an intern’s weak password.
Two SolarWinds CEOs told the US Congress on Friday that the now-infamous exposure of the password “solarwinds123” was the result of an intern’s mistake in 2017. Those new statements shine a light on a cybersecurity lapse that has raised questions about the sweeping cybersecurity attacks for several months.
Five cybersecurity experts tell Insider they believe the issue has broad cybersecurity implications beyond an intern’s weak password. Among the experts is the researcher who discovered the issue, which involved the log-in information to a server used for software updates. An email that appears to be from SolarWinds’ security team to that researcher notes that information had been “publicly accessible” before the company addressed “exposed credentials.”
The SolarWinds cybersecurity attacks used software updates to invade the computer networks of nine major US agencies and thousands of companies in historic and sweeping supply chain attacks. The origin of the attacks has not been found, and lawmakers’ scrutiny of the matter of the password on Friday ultimately served to raise new questions about the Texas-based IT company’s own cybersecurity practices.
Former CEO Kevin Thompson and current CEO Sudhakar Ramakrishna addressed the House Oversight Committee, where they answered questions about the weak password, news of which was first widely reported in December.
“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said in the hearings. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”
“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna replied to Porter.
His predecessor gave a similar response at another point in the testimony. “That related to a mistake that an intern made, and they violated our password policies and they posted that password on an internal, on their own,” Thompson said. “As soon as it was identified and brought to the attention of my security team, they took that down.”
Cybersecurity experts, however, say the issue would appear to have involved more than an intern’s mistake. SolarWinds, which has not previously commented on the password issue, did not immediately give Insider a comment on the issue.
The username solarwinds.net and password solarwinds123 were viewable in a project on the code-sharing site GitHub, according to the researcher who found the issue and screenshots reviewed by Insider. The researcher said those credentials would give access to a SolarWinds server handling updates to the company’s software, the process at the heart of the SolarWinds supply chain attacks.
The publicly exposed username and password were still in use in November 2019, more than two years after Ramakrishna said it was created, the researcher said. That would seem to suggest the issue went beyond a quickly corrected intern’s error, instead leaving critical user credentials exposed — though there’s no evidence either way on whether or not the SolarWinds hackers took advantage of such exposure.
“They should have said it was open for two years,” Vinoth Kumar, the cybersecurity researcher who first discovered the issue, told Insider after the testimony on Friday. “It was public, and gave access to a critical server.” An email apparently from the SolarWinds security team to Kumar, dated November 22nd, 2019, notes that “The GitHub repository misconfiguration has been addressed and it’s no longer publicly accessible, also treatment has been applied to the exposed credentials.”
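The defensive check this kind of finding calls for, as an added example written for this page (not SolarWinds’ or Insider’s code): a repository scan that flags hard-coded credential literals and explains why a value like “solarwinds123” is weak. The file names and contents are constructed for the example.

```python
import re
from collections import namedtuple

# Constructed sample repository files (not real SolarWinds code); the first
# holds a hard-coded credential of the kind the article describes.
SAMPLE_FILES = {
    "deploy/ftp_upload.ps1": "$server = 'downloads.example.invalid'\n"
                             "$username = 'solarwinds.net'\n"
                             "$password = 'solarwinds123'\n",
    "README.md": "Set FTP_PASSWORD in your environment before running.\n",
    "config/app.yaml": 'db_password: "${DB_PASSWORD}"\n',
}

# Credential assignment with a quoted literal: password = 'x', passwd: "x", $pwd = 'x'
CRED_RE = re.compile(r"""(?i)(pass(?:word|wd)?|pwd|secret|token)\b\s*[:=]\s*['"]([^'"]+)['"]""")

Finding = namedtuple("Finding", "path line_no value reasons")

def weak_reasons(value, org_names=()):
    """List why a credential value is weak (empty list means no obvious weakness)."""
    reasons, low = [], value.lower()
    if len(value) < 12:
        reasons.append("shorter than 12 characters")
    for org in org_names:
        if org.lower() in low:
            reasons.append(f"contains organisation name '{org}'")
    if re.fullmatch(r"[a-z]+\d{1,4}", low):
        reasons.append("letters followed by a short digit suffix")
    return reasons

def scan_files(files, org_names=()):
    """Return a Finding for every hard-coded credential literal in files;
    environment placeholders such as ${DB_PASSWORD} are ignored."""
    findings = []
    for path, text in files.items():
        for n, line in enumerate(text.splitlines(), start=1):
            m = CRED_RE.search(line)
            if m and not m.group(2).startswith("${"):
                findings.append(Finding(path, n, m.group(2), weak_reasons(m.group(2), org_names)))
    return findings

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES, org_names=["solarwinds"]):
        print(f"{f.path}:{f.line_no}: hard-coded credential ({'; '.join(f.reasons)})")
```

Running this as a pre-commit hook or over `git log -p` output catches a credential at the moment it is committed rather than years later.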
Insider asked four veteran cybersecurity experts to evaluate Kumar’s findings and compare them with the CEOs’ statements that the issue involved an intern’s password. The four said they believe the cybersecurity issues involved go far beyond what was discussed on Capitol Hill.
“This could have played a role in the supply chain attacks,” said Mike Hamilton, the former chief information security officer for the City of Seattle and founder of CI Security. The visibility of the username and password on GitHub suggests an automated process used by the company, he believes. “It’s unlikely this was all the work of an intern,” he said.
Tony Cook, the head of threat intelligence at GuidePoint Security and a former US Navy cybersecurity officer, said Kumar’s research “leads me to believe this was a bigger issue than an intern’s password.”
And Etay Maor, senior director of security strategy at Cato Networks, said “This wasn’t internal,” despite what Thompson told Congress. “It’s on GitHub. It doesn’t take long for people to see this on the internet. And what does it mean that they took it down? It was online.”
Porter, who wrote the password on a sticky note she held up for the camera during the Friday proceedings, told Insider she was not surprised by the discrepancy between what the executives testified and what the experts said.
“Misrepresenting the facts to downplay the company’s role and responsibility for the hack is disappointing but unsurprising,” she said. “As I’ve been saying for the past two years, we need stronger federal oversight of internet companies, especially those that are vital to our national security and critical infrastructure. Rest assured, I’ll be following up.”