The location of the hacking itself may have played a role as well. Investigators are determining whether or not the hack breached SolarWinds’ offices in eastern European countries like Belarus, the Czech Republic and Poland. Engineers there had wide access to the Orion network software compromised in the hack, and Russia would have more familiarity with the region.
The Times also claims that SolarWinds was slow to address security, taking on security execs in 2017 in response to EU privacy law and reportedly ignoring adviser Ian Thorton-Trump’s calls for “more proactive” internal safeguards. Thorton-Trump left the company in frustration with the unresponsiveness to his concerns.
SolarWinds has declined to comment on questions about its security, instead reiterating that it was the target of a “highly sophisticated, complex and targeted cyberattack.”
The full extent of the damage isn’t certain, although it’s already clear that the culprits accessed Microsoft source code and attacked security firm CrowdStrike on top of federal agencies and other victims. It could be months or more before it’s clear just how the hack took place and, more importantly, what damage was done.