The computer systems of Livingston County and cities, school districts, and townships throughout the county may be threatened by the recent hack of key federal agencies by Russian operatives. Livingston County’s servers use the Orion Platform software from SolarWinds, the same third-party software vendor that managed the servers of the departments of Homeland Security, Agriculture, Commerce, State, and others until they were hacked earlier this year and the systems of those agencies exposed.
National news reports have warned that as many as 18,000 SolarWinds customers may be at risk because they are running the same software.
Livingston County’s information services adopted SolarWinds last June, despite warnings by its outgoing information technology officer that the product was over-priced and had security issues. For example, SolarWinds used a password “solarwinds123” even though security experts routinely warn against using passwords that can be easily guessed.
Yet at its June 8 meeting, the Livingston County Commission passed a resolution approving the expenditure of $68,254 for SolarWinds’ Orion Platform to monitor performance of its network. The 7-0 approval was part of the commission’s routine “consent agenda.” The purchase price was shared with 911 Central Dispatch, which paid 24.8% of the cost to support the county’s public safety infrastructure.
The potential breach could affect election data, county financial data, and 911 Central Dispatch. But the potential harm goes far beyond county data.
Municipalities throughout Livingston County use the county’s servers and network for services. That means the data of area school districts, cities, and townships could be at risk.
We don’t know why Russian operatives would care about what happens in Livingston County, except that the county is a key part of the 8th Congressional District and just re-elected a high-profile Democrat congresswoman. I’m not one to casually peddle conspiracy theories, but this needs to be examined carefully and tough questions asked both about why the county went with SolarWinds, and whether our data has been compromised.
Articles about SolarWinds’ weak security practices were provided to the county administration and information technology department last December by outgoing Chief Information Officer Rich Malewicz, currently an Army Reserve officer (Major) at U.S. Cyber Command (ARE). But his successor, Kristoffer Tobbe, an appointee by the Board of Commissioners and current member of the Brighton City Council, still chose the product.
“I saw a tweet from (security researcher) Vinoth Kumar around mid-December 2019 stating the password to SolarWinds was ‘solarwinds123.’ Due to this issue and the risk it posed, including growing dissatisfaction with SolarWinds’ cost, I instructed the temporary CIO and network manager not to renew SolarWinds in the next year,” Malewicz said “Unfortunately, they did not heed my instructions/warning and went on to purchase additional SolarWinds software that I vehemently opposed to an unnamed commissioner due to wasteful spending of taxpayer dollars and the incompetence of the decision to purchase.”
SolarWinds’ most recent Security Advisory for its clients lists 18 components of its platform that were impacted by the breach. Livingston County’s purchase documents lists five of them: Server and Application Monitor, Network Performance Monitor, Netflow Traffic Analyzer, Log Analyzer, and Visualization Manager.
Malewicz recommended that the county immediately:
- Decommission the software.
- Look for indicators of compromise (IOCs)
- Engage a qualified threat-hunting company to assist the county.
These recommendations seem thoroughly sensible, especially now that all federal agencies have been told to examine whether they were a victim of the cyber attack. Security experts have warned that the federal agencies may just be just the tip of the iceberg and that many other entities may have been targeted as well.
You can check out the info about SolarWinds on page 115 of the the June 8, 2020, agenda packet of the Livingston County Board of Commissioners.Merged Agenda Package - Board of Commissioners_Jun08_2020