SolarWinds security practices questioned by lawmakers after cyber attack

Lawmakers in Washington have questioned SolarWinds’ security practices in the years leading up to a massive cyber attack by suspected Russian spies, who used the company’s software to target government agencies and private sector companies.

At a hearing on the hack on Friday before two House committees, Rep. Bennie Thompson, a Mississippi Democrat and chair of the Homeland Security Committee, asked SolarWinds representatives about reports of the company’s lax security.

Kevin Thompson, who was chief executive at the time of the hack, defended SolarWinds, saying it had strengthened its security a few years ago and spent more on it than most technology companies of the same size.

“I believe we have, over time, delivered real security – the security of our internal systems, and the secure development of our products,” said Thompson, former CEO of SolarWinds.

The cyber attack was disclosed in December after it was discovered by FireEye while investigating its own breach. The hackers inserted malicious code into SolarWinds’ popular Orion software, and up to 18,000 customers received it while updating their software. Far fewer were targeted in follow-on attacks – about 100 U.S. companies and nine U.S. organizations, according to the White House.

An open question has been how the hackers initially got into SolarWinds. At the hearing, SolarWinds CEO Sudhakar Ramakrishna said the company was still investigating but had narrowed it down to three possible routes.

The hackers may have used a method known as “password spraying,” in which the attackers try a small number of common passwords against a large number of usernames. A second possibility was that the hackers stole credentials, he said, and a third was that they compromised a third-party application used by SolarWinds.
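Password spraying is hard to catch with per-account lockout rules precisely because each account sees only one or two failures. The detector below, an added example that is not part of the article or of any SolarWinds tooling, instead groups failed logins by source address inside a sliding time window and flags a source that touches many distinct accounts with few failures each, while labelling the classic one-account brute force separately. The log format, field names, addresses and thresholds are all constructed for the example.

```python
"""Password-spray detection over failed-login records (added example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (syslog-like; the fields are assumptions), not real data.
SAMPLE_LOG = """\
2021-02-26T10:00:01Z auth FAIL user=alice src=203.0.113.7
2021-02-26T10:00:04Z auth FAIL user=bob src=203.0.113.7
2021-02-26T10:00:07Z auth FAIL user=carol src=203.0.113.7
2021-02-26T10:00:10Z auth FAIL user=dave src=203.0.113.7
2021-02-26T10:00:13Z auth FAIL user=erin src=203.0.113.7
2021-02-26T10:00:16Z auth FAIL user=frank src=203.0.113.7
2021-02-26T10:01:00Z auth FAIL user=admin src=198.51.100.9
2021-02-26T10:01:02Z auth FAIL user=admin src=198.51.100.9
2021-02-26T10:01:04Z auth FAIL user=admin src=198.51.100.9
2021-02-26T10:01:06Z auth FAIL user=admin src=198.51.100.9
2021-02-26T10:01:08Z auth FAIL user=admin src=198.51.100.9
2021-02-26T10:01:10Z auth FAIL user=admin src=198.51.100.9
2021-02-26T10:02:00Z auth FAIL user=gina src=192.0.2.5
2021-02-26T10:02:05Z auth FAIL user=gina src=192.0.2.5
2021-02-26T10:02:12Z auth OK user=gina src=192.0.2.5
"""


def parse_line(line):
    """Parse one record into a dict: timestamp, status, user, source address."""
    ts, _, status, user_kv, src_kv = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "status": status,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def classify_sources(lines, window=timedelta(minutes=30), min_users=5,
                     max_per_user=2, brute_threshold=5):
    """Label each source address by the shape of its failures inside a sliding window.

    'password-spray': many distinct accounts, at most max_per_user failures each
                      (stays under per-account lockout limits, so counting
                      failures per account alone never catches it).
    'brute-force':    at least brute_threshold failures against one account.
    Sources that fit neither pattern (e.g. a user mistyping twice) are omitted.
    Returns {src: (label, sorted list of affected usernames)}.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev["status"] == "FAIL":
            by_src[ev["src"]].append(ev)

    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        in_window = Counter()  # failures per user inside the current window
        left = 0
        sprayed = set()
        for ev in evs:
            in_window[ev["user"]] += 1
            # Advance the window's left edge until it spans at most `window`.
            while ev["ts"] - evs[left]["ts"] > window:
                old = evs[left]["user"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_users and max(in_window.values()) <= max_per_user:
                sprayed.update(in_window)
            elif max(in_window.values()) >= brute_threshold:
                verdicts[src] = ("brute-force", sorted(in_window))
        if sprayed:  # spray verdict wins if both patterns were seen
            verdicts[src] = ("password-spray", sorted(sprayed))
    return verdicts


if __name__ == "__main__":
    for src, (label, users) in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {label} against {', '.join(users)}")
```

On the constructed sample the detector reports 203.0.113.7 as a spray across six accounts and 198.51.100.9 as a brute force against `admin`, while gina's two typos from 192.0.2.5 produce nothing. In production the same logic should also be aggregated across sources, since sprays commonly arrive from many addresses at once; keying the window on the tenant or target population rather than on the source catches that variant.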


SolarWinds’ alleged security lapses raised at the hearing included the use of the password “solarwinds123.” A cybersecurity researcher said he warned SolarWinds in 2019 that the password – to one of its servers – had been leaked online.

In addition, lawmakers asked SolarWinds representatives about a former security adviser who had suggested ways to improve cybersecurity and had said that “the company’s survival depends on a side-by-side commitment to security.”

The hearing was the second time this week that lawmakers have heard from tech executives about the cyber attack. Officials from cybersecurity companies and SolarWinds appeared before the Senate Intelligence Committee on Feb. 23 – at a hearing in which lawmakers criticized Amazon Web Services for not appearing before the committee despite an invitation. AWS was not invited to Friday’s hearing, according to a committee aide.

Rep. Clay Higgins, a Republican from Louisiana, asked about reports that the hackers had used AWS servers to launch some of the attacks.


Brad Smith, Microsoft president and a witness at Friday’s hearing, spoke about the need for transparency about cyber attacks, drawing a distinction between his company and Amazon. “I’m here today. I answer all your questions. Microsoft has published 32 blogs since this announcement. Amazon hasn’t released its first release yet.”

An Amazon representative said the company had not been affected by the “SolarWinds case” and had not used its software. The cyber attack highlighted “the security strengths of the cloud and the importance of modernizing legacy IT systems,” the representative said.

Bipartisan leaders of the Senate Intelligence Committee and the tech executives who testified at the hearings are calling for a federal data breach notification law that would require companies to report cyber attacks to the federal government. Thompson, chairman of the Homeland Security Committee, said at Friday’s hearing that he would support such a measure.
