Does the SolarWinds Supply Chain Attack Affect Your Company? Legal Considerations for Responding to the Massive Cybersecurity Incident

Wilson Sonsini Goodrich & Rosati

[co-authors: David Cornell, Nomi Conway]

In a security advisory this past weekend, SolarWinds disclosed that its systems experienced a highly sophisticated supply chain attack on versions of its Orion network monitoring products released between March and June 2020. The New York Times has reported that it is highly likely that the Russian intelligence unit known as Cozy Bear, or A.P.T. 29, carried out the attack, which involved inserting malicious code into automatic product updates to allow the attackers to gain a foothold in networks, impersonate highly privileged accounts, and blend their reconnaissance traffic with legitimate activity. The U.S. government has not commented on attribution at this time.

SolarWinds' customer list includes 425 of the U.S. Fortune 500, all five branches of the U.S. Military, the State Department, NASA, the National Security Agency, the Department of Justice, and the Office of the President of the United States. Of more than 300,000 worldwide customers, SolarWinds believes that roughly 18,000 were affected. Following an emergency National Security Council meeting at the White House, the Cybersecurity and Infrastructure Security Agency issued a directive Sunday night calling on federal agencies to disconnect their networks from SolarWinds Orion products. FireEye, a cybersecurity company, has published a similar alert and is providing updated threat indicators via its public GitHub page.

If your company uses SolarWinds Orion Platform software, you should talk to your security team about whether your company has been impacted by this issue and whether the publicly available threat indicators can be used for detection. If you have an impacted version of the software, your security and IT teams should take the appropriate steps to mitigate the issue. In addition, as legal counsel, you may find it appropriate to conduct an internal investigation to determine whether your systems have been compromised, whether you have disclosure obligations under various privacy laws, and whether your company may have suffered a material event under various securities laws.
