Ex-SolarWinds Adviser Warned Company of Security Issues in 2017: 'Incredibly Easy Target to Hack'

A former security adviser at SolarWinds warned the tech company back in 2017 that it was not taking adequate steps to address cybersecurity.

News broke earlier this month that SolarWinds Orion software had been breached as far back as March by alleged Russian hackers, compromising top federal government agencies and hundreds of other clients. At least 200 clients, including the Departments of Homeland Security, Treasury, Commerce and others, were impacted by the breach, while as many as 18,000 clients may have downloaded the Orion software update in which hackers managed to install malware.

Ian Thornton-Trump, who now works as the chief information security officer at Cyjax, told Bloomberg News in an article published Monday that he'd warned SolarWinds that it was not taking security seriously enough in 2017 when he worked as an adviser for the company. The cybersecurity expert resigned from the company in May 2017 after he shared a PowerPoint presentation with at least three SolarWinds executives raising his concerns.

"My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack," Thornton-Trump told Bloomberg.

A former SolarWinds adviser warned the company of security issues in 2017. Today the U.S. government continues to investigate after alleged Russian hackers compromised top federal agencies through malware installed in an update of SolarWinds Orion software. In this photo illustration, a hacker uses a computer on December 27, 2019. Chesnot/Getty

"There was a lack of security at the technical product level, and there was minimal security leadership at the top," Thornton-Trump said. "We knew in 2015 that hackers were looking for any route into a business. But SolarWinds did not adapt. That's the tragedy. There were plenty of lessons to learn, but SolarWinds wasn't paying attention to what was going on."

When reached for comment by Newsweek, a spokesperson for SolarWinds did not address Thornton-Trump's remarks directly.

"Our top priority is our work with our customers, our industry partners and government agencies to determine whether a foreign government orchestrated this attack, best understand its full scope, and to help address any customer needs that develop. We are doing this work as quickly and transparently as possible. There will be plenty of time to look back and we plan to do that in a similarly transparent way," the spokesperson said.

The Cybersecurity and Infrastructure Security Agency under the DHS warned on Thursday that the hack "poses a grave risk" to the U.S. government. The agency explained that it has "evidence" of other hacks unrelated to SolarWinds' Orion software as well. "CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations," the agency said in a statement.

Thornton-Trump's concerns about SolarWinds' cybersecurity protocols align with those raised by other experts. Vinoth Kumar, a cybersecurity researcher, told Newsweek last Tuesday that he informed the company in November 2019 that an update server for its software could easily be accessed using a simple password: "solarwinds123." Although SolarWinds responded and addressed the problem, Kumar explained that his research showed that the issue was present as far back as June 2018. A spokesperson for SolarWinds declined to comment when presented with Kumar's findings.

Russia has emerged as the primary suspect behind the breach. President Donald Trump on Saturday attempted to downplay the seriousness of the cyberattack and to cast doubt on Russia's involvement. But Secretary of State Mike Pompeo and leading Republican lawmakers have placed the blame squarely on Russian hackers.

"I think we've come to recognize that the president has a blind spot when it comes to Russia," Romney told NBC News' Meet the Press on Sunday.

"The reality here is that the experts, the people who really understand how our systems work and how computers work and software and so forth, the thousands upon thousands at the CIA and the NSA and the Department of Defense, have determined that this came from Russia," Romney said.

A spokesperson for Russian President Vladimir Putin and the country's U.S. embassy have denied carrying out the attack. Such denials would be expected from a nation state behind a hack or other espionage activities.

Meanwhile, some lawmakers and President-elect Joe Biden have suggested the U.S. needs to respond aggressively to the Russian hack. Reuters reported on Sunday that Biden's transition team is weighing options ranging from additional financial sanctions to a cyberattack targeting Russian infrastructure.

"A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place," Biden said in a Thursday statement. "We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners."