Out of curiosity, what would you want to see clarified? They said that it “may” be an entry point for the SW hack and, according to some National Security folks, it is being investigated.
Is there reason to believe this is incorrect in some way? It may be premature and amount to nothing if Team City had nothing to do with the breach, but it doesn’t appear to be misleading or false. If it was, I’d imagine JetBrains would have filed a lawsuit.
The weasel-wording still left most readers with a clear impression that flaws in JetBrains software were directly implicated in the hack, and many US companies proceeded on that basis.
But it wasn't -- the attackers had reconfigured the build servers to add malicious code to product builds, but their malware was targeting MSBUILD.EXE processes on startup, and would have worked just the same if SolarWinds wasn't using JetBrains at all, and those processes were started instead by Jenkins, CircleCI, or a human typing at a command line. Here's a technical writeup:
Is there reason to believe this is incorrect in some way? It may be premature and amount to nothing if Team City had nothing to do with the breach, but it doesn’t appear to be misleading or false. If it was, I’d imagine JetBrains would have filed a lawsuit.