Micro Focus is now part of OpenText. Learn more >

You are here

You are here

SolarWinds hack: Who’s to blame? It’s complicated.

Richi Jennings Your humble blogwatcher, dba RJA
General Paul M. Nakasone

Who’s the true culprit behind 2020’s huge SolarWinds Orion debacle? The chickens are still coming home to roost, but there are a few options.

The mainstream media seems to be blaming Gen. Paul M. Nakasone (pictured) and other totems of the federal government. But the tech press is all about tech companies being the guilty parties.

But is there devilment in the detail of private equity? In this week’s Security Blogwatch, we read the runes.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: wow.


What’s the craic? Messrs. Sanger, Perlroth, and Barnes tag-team to report—Scope of Russian Hacking Far Exceeds Initial Fears:

General Paul M. Nakasone, the nation’s top cyberwarrior … and other American officials … are now consumed by what they missed for at least nine months: a hacking, now believed to have affected upward of 250 federal agencies and businesses, that Russia aimed [at] the United States government and many large American corporations. … Officials are still trying to understand whether what the Russians pulled off was simply an espionage operation … or something more sinister, inserting “backdoor” access into government agencies, major corporations, the electric grid and laboratories developing and transporting new generations of nuclear weapons.

Those questions have taken on particular urgency given that the breach was not detected by any of the government agencies that share responsibility for cyberdefense … run by General Nakasone and the Department of Homeland Security — but by a private cybersecurity company, FireEye. … There is also no indication yet that any human intelligence alerted the United States to the hacking.

SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target. … Interviews with current and former employees … suggest it was slow to make security a priority, even as its software was adopted by … federal agencies. … Experts note that it took days after the Russian attack was discovered before SolarWinds’ websites stopped offering clients compromised code.

Microsoft … initially said that it had not been breached, only to discover this week that it had been — and that resellers of its software had been, too. … Intelligence officials have expressed anger that Microsoft did not detect the attack earlier.

Don’t hold back, Steven J. Vaughan-Nichols. Tell us what you really think—The more we learn, the worse it looks:

There were no explosions, no deaths, but it was the Pearl Harbor of American IT. … The data within these [hacked] networks—user IDs, passwords, financial records, source code, you name it—can be presumed now to be in the hands of Russian intelligence agents.

America's Cybersecurity Infrastructure and Security Agency (CISA) said the hacks posed a "grave risk" to US governments at all levels [and] that all US government agencies must update to Orion's 2020.2.1HF2 version by the end of the year. … I have an even better idea: … Dump Orion. Dump it now. And start an investigation of SolarWinds' mediocre security record.

It didn't come with bombs like the attack on Pearl Harbor, but this attack … may prove to be even more damaging to our national security and our business prosperity. Now, we'll see if American developers, system administrators, and managers can rise to the occasion to rebuild their systems the way their grandparents did the country in the 1940s.

Ouch. And Derek B. Johnson notes the next shoe—class action lawsuit over Orion software breach:

SolarWinds and some of its top executives have been hit with a class action lawsuit by stockholders, who allege the company lied and materially misled them about security practices leading up to a massive breach of its Orion management software. [It] names SolarWinds’ former CEO Kevin Thompson and [CFO] Barton Kalsu as defendants.

The lawsuit [alleges] officials have known since “mid-2020” that SolarWinds’ Orion software had exploitable software vulnerabilities. … They also cite other poor security practices, such as the use of “Solarwinds123” as a password for their update server. … The company and top officials were participating in a “fraudulent scheme” or were acting with reckless disregard for the truth throughout 2020, the lawsuit alleges.

The complaint alleges that Thompson and Kalsu in particular had direct culpability. … Oddly, the suit does not mention or reference the possibility that SolarWinds executives themselves may have conducted insider trading in between the time the compromised was discovered internally and when it was announced. … Three executives who sit on SolarWinds board sold hundreds of millions in stock in the days before the breach was disclosed.

How does this happen? Listen+watch sound+vision: [You’re fired—Ed.]

The prevalence of incompetence in big organizations is a product of a society that increasingly rewards incompetence, and the biggest organizations attracting the ones who want the biggest reward. It doesn't necessarily have to be that way, but it will be as long as things keep consolidating and monopolizing – Microsoft with its OS, Boeing eating up nearly all US/Canadian aircraft manufacturing, Intel nearly achieving a desktop CPU monopoly a few years ago.

It's related to competition as well. These are the parts of "capitalism" that have been abandoned in the past 40 years of Reaganomics. By this point, the blowhards think it means "I'll be rich" and that it's an antonym of "socialism". They literally don't know what it means or what it does.

Who is to blame? Matt Stoller points the finger at private equity—How to Get Rich Sabotaging Nuclear Weapons Facilities:

The point of entry for this major hack was … a private equity-owned IT software firm. … This company’s products are dominant in their niche: 425 out of the Fortune 500 use Solar Winds. … It didn’t take a genius to hack this company. … One security researcher alerted the company last year that “anyone could access SolarWinds’ update server by using the password “solarwinds123.”

It appears that lax security practice at the company was common, systemic, and longstanding. … This level of idiocy seems off-the-charts, but it’s not that the CEO is stupid. Far from it. … The company’s profit tripled from 2010 to 2019. … CEO Kevin Thompson … calculated that his business could run more profitably if it chose to open its clients to hacking risk. [But] profits masked that the corporate strategy was shifting risk such that the firm enabled a hack of the FBI and U.S. nuclear facilities.

The man who owns SolarWinds [is] a Puerto Rican-born billionaire named Orlando Bravo of Thoma Bravo partners. [His] business model is to buy niche software companies, combine them with competitors, offshore work, cut any cost he can, and raise prices. … The same sloppy and corrupt practices that allowed this massive cybersecurity hack made Bravo a billionaire.

It’s not clear to me that Bravo is liable for any of the damage that he caused, but he did make one mistake. Bravo got caught engaging in what very much looks like insider trading surrounding the hack. … Bravo and Silver Lake deny they knew of the hack when they sold stock, so it may just be extreme amounts of luck. … I usually refer to that as “probably insider trading.”

Enough of mysterious finance. Eitan Caspi pulls us back to technology:

If this was not clear until today, then this … makes it very clear – a vendor who digitally signs [its] files guarantees not only that they have not been modified since signing and that they originated from it, but mainly that it is responsible for their content.

If an attacker injects malicious code into the vendor’s code and therefore “rides” on the vendor’s code and the vendor “blindly” signs the code without checking the content – this is a full and clear responsibility for the failure of the vendor that hereby became an attack channel.

But what of the Russian connection? optical considers the optics:

If you do not claim a state actor as the culprit you would be considered negligent, doing so removes any whiff of guilt since who could compete against a state? Claiming 'Russia hacked me' is the new dog ate my homework. Reality is that it could be a state actor, but there is no proof ever presented in these attacks.

And are you pondering what TimH’s pondering?

I wonder if the SolarWinds attack vector was known by or inserted by the US. So the shouting Russia! Russia! is partly misdirection away from detailed analysis of what exactly happened.

So what is to become of SolarWinds? Here’s a despondent PeterisP:

It's worth to note that from the perspective of the involved companies all this incident was much ado about nothing and no incentive to change. … Sure, some of their customers or customers' customers got exposed to attackers, and some government secrets may have been lost, and some of their tech employees had to do a bit of overtime and "reputation was harmed", but so what, why should they care?

Is there any material impact on the company finances? Currently it does not seem that it's going to destroy their future sales and ongoing licencing revenue, and it does not seem that they are going to have any huge liabilities for negligence.

If anything, the consequences (or lack of them) to SolarWinds and other historical breaches are a good illustration that in the current business environment intentionally cutting corners on security is a smart move as it saves you money but if you get used to harm many others then you just shrug, do some apologetic PR and move on, and the impact of reputation damage is small and fleeting.

Meanwhile, MpVpRb cuts to the chase:

It's hard to recruit smart people when you pay low wages.

The moral of the story?

Recruit smart people—and pay them what they’re worth.

And finally

Mind. Blown.

Previously in “And finally”

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

This week’s zomgsauce: NSA CSS (public domain)

Keep learning

Read more articles about: SecurityInformation Security