Over the past two weeks, the rapidly evolving story of the SolarWinds cybersecurity incident has dominated US headlines. Certain versions of SolarWinds software updates that assist organizations in managing their computer networks were compromised by what some officials, such as the US Secretary of State and the US Attorney General, have indicated is a Russian intelligence agency. Microsoft and FireEye have published details on their own ongoing investigations into the incident. While this incident continues to develop and further information continues to be released, several key takeaways have emerged to date.

  • Supply Chain Attack. Cyber forensics have shown that the attackers executed what is known as a supply chain attack by injecting malware into an update of SolarWinds' Orion software. Approximately 18,000 SolarWinds customers (including private- and public-sector entities) downloaded the infected update, which in turn gave the attackers a potential vulnerability to exploit in those organizations' networks.
  • Scope of Actual Exploitation Unknown. While the vulnerability may have been widely downloaded, that does not mean that attackers in fact exploited the vulnerability to compromise data on a company's network. The malicious code may have been contained in the release of the Orion software update, but the actual exploitation of an organization's networks would have required hands-on-keyboard involvement by individual hackers. As such, a number of the avenues for malicious actors created by this supply chain attack may have been left unused. Public discussions have indicated that exploitation of the vulnerability to compromise data may have been focused on a vastly smaller set of targets, perhaps focusing on government entities.
  • Forensics and Incident Response. While the incident requires careful investigation and review, many companies may be able to determine, after careful examination of forensic evidence, that the vulnerabilities have not been exploited. For organizations that were manually targeted by the attackers for exploitation of the vulnerability, the remediation process may be much more difficult if attackers manually moved throughout a network and installed additional malware. Depending on the findings in such situations, companies will also need to consider whether notification requirements to regulators, consumers or other third parties have been triggered.
  • Communications. Careful communications and consideration of all stakeholders—including customers, employees, vendors, shareholders, board members and others—are essential in this period. Public communications will need to be carefully reviewed for accuracy based on a current understanding of the status of an investigation and compliance with securities laws. An important part of incident response will be to make sure that clear communications are structured and organized for all parties.
  • Lessons Learned. Companies, whether directly impacted or not, should review their response to this attack and understand their ability to respond to a cyber incident requiring rapid action across multiple parts of the organization and understanding of potential exposure. Especially in situations where a vulnerability has not been exploited, this is a good opportunity to stress-test incident response plans, processes and resources.
    • Key questions include:
      • Does your company maintain or have access to adequate forensic resources?
      • Does your company have the ability to conduct cyber forensics quickly in response to a fast-moving incident?
      • Does your company's incident response plan need to be updated based on any lessons learned from this incident?

Effective cyber incident and attack response capabilities should include both proactive and reactive components. The true scope of the impact of the SolarWinds cybersecurity incident is as of yet unknown, and it is likely that details on further victims and vulnerabilities will continue to be revealed as more organizations, both in the government and in the private sector, continue investigating. While this incident appears to be of unprecedented sophistication, your company must be prepared for cyber incidents on all scales. It is never too early to test your systems and enhance your company's ability to effectively respond to cybersecurity incidents in a rapid, effective and coordinated manner that mitigates business and legal exposures.

Originally Published by WilmerHale, December 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.