[co-authors: David Cornell, Nomi Conway]
In a security advisory this past weekend, SolarWinds disclosed that its systems experienced a highly sophisticated supply chain attack on versions of its Orion network monitoring products released between March and June 2020. The New York Times has reported that it is highly likely that the Russian intelligence unit known as Cozy Bear, or A.P.T. 29, carried out the attack, which involved inserting malicious code into automatic product updates to allow the attackers to gain a foothold in networks, impersonate highly privileged accounts, and blend their reconnaissance traffic with legitimate activity. The U.S. government has not commented on attribution at this time.
SolarWinds' customer list includes 425 of the U.S. Fortune 500, all five branches of the U.S. Military, the State Department, NASA, the National Security Agency, the Department of Justice, and the Office of the President of the United States. Of more than 300,000 worldwide customers, SolarWinds believes that roughly 18,000 were affected. Following an emergency National Security Council meeting at the White House, the Cybersecurity and Infrastructure Security Agency issued a directive Sunday night calling on federal agencies to disconnect their networks from SolarWinds Orion products. FireEye, a cybersecurity company, has published a similar alert and is providing updated threat indicators via its public GitHub page.
If your company uses SolarWinds Orion Platform software, you should talk to your security team about whether your company has been impacted by this issue and whether the publicly available threat indicators can be used for detection. If you have a version of the software that has been impacted, your security and IT teams should take the appropriate steps to mitigate the issue. In addition, if you are legal counsel, it may be appropriate to conduct an internal investigation to determine whether your systems have been compromised, whether you have disclosure obligations under various privacy laws, and whether your company may have suffered a material event under various securities laws.