The SolarWinds Scandal: Fraud Charges and the “solarwinds123” Password

fraud

As of October 30th, the aftermath of the SolarWinds hack is far from over. The Securities and Exchange Commission (SEC) has filed charges against the SolarWinds Corporation and its chief information security officer, Timothy G. Brown. These charges relate to alleged fraud and internal control failures concerning known cybersecurity risks and vulnerabilities.

SolarWinds Recap

The SolarWinds cyberattack, infamously dubbed “SUNBURST,” sent shockwaves through the tech world as it unfolded. SolarWinds, a company specializing in network and system management software, fell victim to a supply chain attack that began with the infiltration of their flagship product, Orion.

Attackers compromised one of Orion’s build servers and implanted a backdoor into a digitally signed update. They ultimately delivered this malicious update to around 18,000 SolarWinds customers, including Fortune 500 companies, through the company’s website. The breach was discovered when cybersecurity firm FireEye sounded the alarm, leading to the prompt removal of the backdoor.

This supply chain attack stood out for its stealth and patience, highlighting the attackers’ focus on operational security over immediate actions. The change to the Orion update was discreet, with the backdoor remaining dormant for some time to evade detection. It later initiated DNS requests to gain hands-on-keyboard access to compromised machines. Once connected to command-and-control servers, it downloaded a second-stage malware.

There remain concerns that hidden backdoors may still exist or that hackers maintained undetected access to sensitive networks, adding complexity to the situation. The attackers used vendor access to infiltrate 40 other organizations, including well-known companies such as MalwareBytes, Palo Alto Networks, Mimecast, and Crowdstrike.

The Accusations

The charges reveal that from at least their October 2018 initial public offering to the December 2020 announcement of the “SUNBURST” cyberattack, SolarWinds and Brown misled investors by downplaying specific cybersecurity risks despite being aware of their deficiencies. The SEC’s complaint highlights internal assessments that contradicted SolarWinds’ public statements, including concerns about the company’s ability to protect its critical assets from cyberattacks. Brown, according to the SEC, failed to adequately address or escalate these risks within the company, undermining their ability to ensure the protection of valuable assets.

The accusations are severe and reveal some damning information. According to the charges, in 2020, portions of SolarWinds’ flagship Orion software platform was not developed under a Security Development Lifecycle (SDL) process, a lapse that had been noted by employees. A significant security risk arose when it was discovered that the Orion Improvement Program [“OIP”] server was not covered by the SDL process, despite an employee’s recommendation to enforce it.

Furthermore, Timothy G. Brown, during this Relevant Period, engaged in the sale of securities, including stock options and shares, profiting over $170,000 as SolarWinds’ stock price was artificially inflated due to the alleged misconduct through misstatments, omissions and schemes.

Moreover, a security researcher alerted SolarWinds in November 2019 that the password for the company’s Akamai server, used for software updates, was publicly accessible. The simplicity of this exposed password, “solarwinds123,” obviously did not align with the company’s password complexity requirements.

Additionally, a VPN vulnerability identified by a Network Engineer went unaddressed, and SolarWinds proceeded with its October 2018 IPO offering without disclosing this vulnerability to investors. The company’s failure to enforce best practices and use cost-effective software to block non-managed devices from accessing SolarWinds’ network exposed the company to known risks during the Relevant Period.

This situation serves as a stark reminder of the critical importance of strict cybersecurity guidelines and the risks of blatantly lying to investors.