The SolarWinds Cybersecurity Attack – What You Need to Know and Do
Data Privacy & Security 12/29/20 Hilary Lane, Linda Emery
You have no doubt heard about the massive cyber-attack on US government agencies and private sector organizations. This was no amateur hack. It was a carefully planned and executed, and likely state-sponsored, attack. And it is yet another wake-up call for all organizations, large and small, private and public, for-profit and not-for-profit. The rate of cyber-attacks rose sharply this year, and they are not going away with the close of 2020.
The attackers carried out the attack through software updates to the SolarWinds product Orion, which many organizations, including Fortune 500 companies and universities, use to monitor and manage their networks. According to reports, the malware was introduced into SolarWinds as early as October 2019 and exploited at certain organizations between March and June 2020. Highly reputable organizations, including major technology companies, have been impacted by the hack.
SolarWinds issued a security advisory about the attack, including recommended steps to mitigate. The Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive directing all federal civilian agencies to review their networks for indicators of compromise and take required action to mitigate. CISA urged "all partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation."
According to SolarWinds, as many as 18,000 organizations put the tainted updates into production. It appears so far that the attackers have not exploited the vulnerability at every organization that downloaded the update, and instead are targeting specific types of organizations, including technology companies, universities, hospitals, financial institutions, state and local governments, and utilities. However, the investigation is still in its early stages, and the story is still evolving.
Here are some initial steps you can take now to assess and reduce risk at your organization:
- Work with your IT team to determine whether your organization uses the Orion product and, if so, whether the tainted software was downloaded and whether any steps have been taken to mitigate.
- If the malware was downloaded, investigate the potential impact, including whether the attacker accessed your network and whether any data has been accessed or acquired.
- Consider engaging a forensics firm for the investigation. Whether you use internal or external resources, we recommend conducting the investigation under legal privilege.
- If data was accessed or acquired, determine whether notices are required under notification laws or contracts.
- Consider putting your cyber insurance carrier on notice as the costs may be covered under your policy.
- When engaging in incident response activities and when planning and implementing a remediation plan, bear in mind that the threat actor may still have visibility into your network.
- Even if you don't use Orion or did not put the update into production, determine whether any third parties that connect to your network or handle your data were impacted.
- Stay on top of advisories from your vendors, government, and trusted advisors.
The Quarles & Brady Data Privacy & Security team has extensive experience preparing for and responding to security incidents. If you have any questions about the SolarWinds cyber-attack or any other privacy or security matter, contact us or your Quarles & Brady attorney: