On Dec. 13, 2020, SolarWinds Corp. announced that it had experienced a sophisticated cyberattack affecting the build process for certain of its SolarWinds Orion products, a suite of widely used IT and network management tools.
The SolarWinds compromise was quickly recognized as having potentially far-reaching and disruptive consequences for the nearly 18,000 users of the affected software, including several key government agencies that acknowledged that their networks had been accessed by adversaries as a result of the attack.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), in coordination with its public and private sector partners, launched a comprehensive effort to mitigate the damage caused by the supply chain attack. This included requiring federal agencies to disconnect SolarWinds Orion products and to immediately report any indicators of compromise.
Although CISA’s order only directly applies to federal agencies, and much emphasis has been placed on the impact to public sector organizations, CISA has called upon all potentially affected organizations, including those in the private sector, to assess their exposure to this compromise.
In addition, companies should be aware that they, too, may need to comply with reporting or other legal requirements as a part of their incident response efforts.
Conducting an Investigation Into Further Compromise
If a company has used an affected version of SolarWinds’ Orion platform, CISA and its federal government partners, including the FBI, encourage the company to conduct an investigation to determine whether its systems have been further compromised.
However, given the extremely sophisticated obfuscation techniques used by the attackers, which allowed them to masquerade their network traffic as legitimate activity without being detected, the question of whether a company has been further compromised may not be easily or quickly answered.
Once a victim organization installed the affected SolarWinds Orion software, the hackers would be able to activate a “back door” into the victim’s systems. If this back door were activated, the hackers could escalate privileges and move laterally within the victim’s network, and confirming what the hackers accessed—or did not access—may be a challenge.
While acknowledging this difficulty, the message from CISA and other federal partners is that this sophisticated attack calls for a significant and sustained investigative effort, and companies should take immediate steps to assess the risk to their organization.
Investigative Findings May Trigger Legal Obligations
As efforts to investigate the attack continue, organizations should also consider the legal implications of their investigative findings. If a company is able to identify that the attackers may have accessed information pertaining to business partners or customers, including personal information, such access may trigger potential notice obligations pursuant to contract or to state, federal, or international law.
If a company determines that personal information may have been accessed or acquired by the threat actors, the company may have reporting obligations to affected individuals or to regulators pursuant to state data breach laws, federal laws (such as HIPAA or the Gramm-Leach-Bliley Act), and/or international laws (such as Canada’s Personal Information Protection and Electronic Documents Act or the EU’s General Data Protection Regulation). These laws generally tie reporting obligations to breaches involving personal information.
Depending on the sector and the countries involved, assessing potential notifications may require navigating reporting requirements under multiple breach notification laws, each with its own threshold for required notification.
In many cases, if a company is able to determine that the attackers did not activate the back door into its networks, reporting may not be necessary.
Even if personal information is not accessed, companies should also be aware of certain notification requirements triggered by a specific materiality threshold. This includes Securities and Exchange Commission disclosure requirements for public companies and requirements under the New York Department of Financial Services’ (NYDFS) cybersecurity regulation for financial institutions and financial service companies regulated by the department. The NYDFS requires entities to notify the department of any cybersecurity event that has “a reasonable likelihood of materially harming any material part of the normal operation(s).”
In an industry letter dated Dec. 18, 2020, the NYDFS also asked that regulated entities file a notice if they use an affected SolarWinds Orion product, regardless of whether the back door was activated.
Hackers’ Motive May Inform Focus of Victims’ Investigations
As companies continue to assess their networks for signs of compromise, information about the attackers’ apparent motive may serve as useful context and help inform investigative approaches and risk calculations.
In a statement issued Jan. 5 from the Cyber Unified Coordination Group (which includes the FBI, CISA, and Office of the Director of National Intelligence with support from the National Security Agency), the group noted the attackers were likely Russian in origin and that the attack was an intelligence-gathering effort.
Indications that the activity appears to be nation-state activity conducted for espionage purposes, instead of for financial purposes, may serve as an additional consideration as companies decide where to start, and how to approach, their investigative efforts.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kimberly Peretti is a partner and co-chair of Alston & Bird LLP’s Privacy, Cyber & Data Strategy and National Security & Digital Crimes teams. She is a former senior litigator with the Department of Justice’s Computer Crime and Intellectual Property Section, former director of PwC’s cyber forensics services group, and a CISSP.
Emily Poole is an associate in Alston & Bird LLP’s Privacy, Cyber & Data Strategy team. She focuses her practice on cybersecurity and privacy compliance and enforcement, as well as emerging technology issues.