It is a straw man, because it is conflating the idea that SolarWinds had some simple security hole in the past with the evidence of this particular hack, which shows quite a level of competent capability, at least as described by the FireEyes report.
Edit: Furthermore, the argument isn't just "the attack is so sophisticated it could only have been done by the Russians." The report from Reuters identified people internal to the investigation who said it "bore the hallmarks" of known Russian hacking groups. One could argue that isn't sufficient evidence, fine, but nobody is saying people are just assuming it's the Russians because it's a sophisticated attack.
I'm actually really curious now if the GitHub repo where the password was found was the initial cause of the breach.
The article doesn't make this clear, but the original Twitter post[1] does: it was a password that allowed FTP uploads to downloads.solarwinds.com (the same DNS name as where the backdoored updates came from[2]). Vinoth Kumar (mentioned in the article) uploaded a PoC text file which could then be downloaded over HTTP.
His screenshot has the repo name redacted, but if SolarWinds accidentally included their code-publishing credentials, maybe the signing key for their code was also in that repo at some point? I've seen that kind of thing before, even if I had to grep through old commits to find it.
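The post above describes finding leaked credentials only by grepping through old commits. The following is an added example, not code from the thread, from SolarWinds, or from any real mib-importer repository: it parses the text that `git log -p --all` produces, flags every added line that looks like a credential, and checks whether a newer commit deleted that exact line again (which removes it from HEAD but not from history). The embedded sample log is constructed; its commit hashes, file path, host and password are made up for illustration.

```python
"""Find credentials committed to a git repository, including ones later deleted.

Added example (not from the original post or project). Parses `git log -p --all`
output; SAMPLE_LOG below is constructed, every hash, path, host and secret in it
is made up.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

SECRET_PATTERNS = [
    # name = "literal" assignments, e.g. ftpPassword = "..." or api_key: '...'
    re.compile(r'(?i)(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*[:=]\s*["\']([^"\']{4,})["\']'),
    # credentials embedded in a URL, e.g. ftp://user:pass@host
    re.compile(r'(?i)\b[a-z][a-z0-9+.-]*://[^/\s:@]+:([^@\s]+)@'),
]


@dataclass
class Finding:
    commit: str
    path: str
    line: str
    secret: str
    still_in_head: bool  # False when a newer commit deleted this exact line


def scan_git_log(log_text: str) -> list[Finding]:
    """Walk `git log -p` output (newest commit first) and collect secrets.

    Newer commits come first, so every '-' line seen so far was deleted after
    the '+' lines still to come; that is how still_in_head is decided.
    """
    findings: list[Finding] = []
    removed: set[tuple[str, str]] = set()
    commit = path = ""
    in_hunk = False
    for raw in log_text.splitlines():
        if raw.startswith("commit "):
            commit, in_hunk = raw.split()[1], False
            continue
        if raw.startswith("diff --git "):
            path, in_hunk = raw.split(" b/", 1)[1], False
            continue
        if raw.startswith("@@"):
            in_hunk = True  # the ---/+++ file headers are behind us now
            continue
        if not in_hunk or not raw:
            continue
        sign, content = raw[0], raw[1:].rstrip()
        if sign == "-":
            removed.add((path, content))
        elif sign == "+":
            for pattern in SECRET_PATTERNS:
                match = pattern.search(content)
                if match:
                    findings.append(Finding(commit, path, content.strip(),
                                            match.group(match.lastindex),
                                            (path, content) not in removed))
                    break
    return findings


# Constructed sample: a "cleanup" commit on top of the commit that leaked the
# credentials. The URL-embedded password survives the cleanup entirely.
SAMPLE_LOG = """\
commit 9f2c4d1e7b3a5c6d8e9f0a1b2c3d4e5f6a7b8c9d (HEAD -> master)
Author: Example Dev <dev@example.com>
Date:   Tue Dec 15 10:00:00 2020 +0000

    Stop hardcoding the FTP password

diff --git a/tools/Publish.cs b/tools/Publish.cs
--- a/tools/Publish.cs
+++ b/tools/Publish.cs
@@ -1,4 +1,4 @@
 using System;
 string ftpHost = "ftp://publisher:hunter2-example@downloads.example.com";
-string ftpPassword = "hunter2-example";
+string ftpPassword = Environment.GetEnvironmentVariable("FTP_PASSWORD");
 // TODO: move the whole URL to config too

commit 3a7b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b
Author: Example Dev <dev@example.com>
Date:   Mon Dec 14 09:00:00 2020 +0000

    Add release publishing helper

diff --git a/tools/Publish.cs b/tools/Publish.cs
new file mode 100644
--- /dev/null
+++ b/tools/Publish.cs
@@ -0,0 +1,4 @@
+using System;
+string ftpHost = "ftp://publisher:hunter2-example@downloads.example.com";
+string ftpPassword = "hunter2-example";
+// TODO: move the whole URL to config too
"""


def main() -> None:
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_git_log(text):
        state = "still in HEAD" if f.still_in_head else "deleted later, still in history"
        print(f"{f.commit[:12]} {f.path}: {f.secret!r} ({state})")


if __name__ == "__main__":
    main()
```

Against a real repository, pipe `git log -p --all` (add `--reflog` to catch commits no branch points at any more) into the script. On the sample it reports two findings, both in the older commit: the URL-embedded password, which the cleanup commit never touched and is therefore still in HEAD, and the assignment that was deleted in HEAD but is still one `git show` away. The patterns are a deliberately small starting heuristic; a dedicated scanner such as gitleaks or trufflehog covers far more formats.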
I did a bit more research, and found that it wasn't an official SolarWinds GitHub repo. It seems to have been an employee's personal repo containing company code that they accidentally made public.[1]
The original URL of the file with credentials in it was https://github.com/xkozus00/mib-importer/blob/master/Src/Lib... .[2] That is, the credentials were part of a utility/library that was only being referenced by the project, but it was still included in the repo.
SolarWinds historically hasn't provided a tool to import arbitrary MIB files into their product. Customers seem to submit them to SolarWinds support, and if support agrees, they seem to use internal tooling (presumably the mib-importer) to import them into the official MIB database.[3]
Building some sort of official release data could easily require the use of a signing key, and a company that uses "solarwinds123" as their code-publishing password seems likely to use the same key for multiple purposes, but I didn't find any conclusive evidence, and it's certainly possible the two incidents aren't related.
> The report from Reuters identified people internal to the investigation who said it "bore the hallmarks" of known Russian hacking groups.
I too believe that report. That's not what we're discussing though - the supposed straw man was "experts on TV are saying this hack was so sophisticated it could have only been done by the Russians".
What I'm saying is that many countries and companies have the capability to perform something like this. Not that Russia didn't do it.
But I'm saying it is a strawman because "experts on TV are saying this hack was so sophisticated it could have only been done by the Russians" is not actually true. If it is, I would like to see some specific quotes from these supposed experts.
Pedantic: It is a strawman. A strawman is when you take your opponent's argument and instead recast it as a much weaker version so it's easy to tear down.
In this case the actual argument I've heard made is "Experts on TV (in addition to, I might add, Bill Barr, the current US Attorney General) are saying that the hack was from the Russians because investigation insiders said it had hallmarks of known Russian hacking groups" which is being recast as the much weaker argument, which I've never heard any serious expert actually make, of "Experts on TV are saying that the hack was from the Russians just because it's such a complicated hack".
I don't recall the source of this paraphrased quote:
"You ascribe the hack to a nation-state. So, you believe that the hack was so cunning, so devious, and so elegantly written and deployed that the perpetrators must be civil servants?"