Disruptive cyber-attacks aimed at supply chains are on the rise, as the recent SolarWinds security breach has so prominently brought to light.  While your immediate IT infrastructure may not have been directly impacted by that breach, now may be a good time to check-in with you key service providers.  If they host or in any way process digital assets on your behalf, there is reason for concern in light of the devastating SolarWinds security breach.

Large scale cyber-attacks, to be sure, are nothing new.  But what makes this one special is that, according to published reports, the bad actors behind the SolarWinds security breach added malware to the company’s software update that was downloaded by thousands of SolarWinds’ corporate clients using Orion monitoring products.  In so doing, the malware used SolarWinds platform as the attack vector to infect thousands of networks.  Once installed onto corporate IT systems, cybersecurity experts believe that the malware enabled bad actors to move laterally within the environment, allowing broad system access to corporate networks, and potentially enabling exfiltration of data and corporate secrets. 

While the full scope of the SolarWinds attack remains under investigation, cybersecurity experts indicate that this security breach could be among the most severe and systematically sophisticated attacks ever waged against the United States by a nation-state actor.  To date, a number of government agencies (US Departments of State, Homeland Security, Commerce, Treasury Department, and even the National Institutes of Health) have publicly confirmed system compromises as a direct result this incident.

But what about indirect system access?  Even if your organization has not been directly impacted, IT systems hosted by your key service providers storing your data assets should still be considered.  SolarWinds formally disclosed news of this compromise on December 14, 2020, and updates about its investigation are available at: https://orangematter.solarwinds.com.  But reports indicate that the vulnerability existed in Orion product updates between March and June 2020.  That’s over six months of unfettered, systemic access.

So what should you do now to begin to manage the potential impact to your organization?  Taking into account the broad scope here, consider taking proactive steps now to pulse-check your key data providers, including inquiring if key service providers either use Orion or face downstream risk because their key suppliers use Orion.  This pulse-check inquiry does not need to duplicate your existing comprehensive vendor due diligence process.  Instead, a simple set of questions directed to the vendor’s CISO asking for confirmation of suspected or known impact of the SolarWinds security breach is a good start. 

To illustrate, here is a sample list of cybersecurity pulse-check questions.

  1. Do you currently use or have you used the SolarWinds Orion Platform software within your environment?
  2. Have you been formally notified by SolarWinds or a governmental agency of a potential impact to your systems in connection with the recent security breach affecting its Orion Platform software? If yes, please provide whatever details are currently available.
  3. During the past 12 months, were you running SolarWinds Orion software versions 2019.4 HF 5, 2020.2 with no hotfix or 2020.2 HF 1?
  4. Have you evaluated the SolarWinds Security Advisory?  Based on the advisory, at any time during the last 12 months, were you running a version of the software that was impacted by the vulnerability (SUNBURST)?  If yes, what were the dates you were running a version that has been reported as having the vulnerability embedded within the software?
  5. If you were running a vulnerable version of the software, have you applied the latest hot fix from SolarWinds to correct the issue?
  6. Do you have any evidence to suspect that your network may have been compromised by the SolarWinds vulnerability?
  7. Have you checked with all subcontractors (e.g., HVAC, antimalware provider, vulnerability scanning provider, cloud providers) that have access to your network to see if they have evaluated their own internal network to verify they were not compromised by the SolarWinds vulnerability?

Much is still unfolding in connection with this security breach.  And we may never know the full extent of the damage to our nation’s public and private IT infrastructure.  But there are steps we can take as we learn to adapt to sophisticated threat actors, and do more to protect our valuable data assets.  In the meantime, if you have any questions about this or any other privacy or data security law development, please do not hesitate to reach out to one of the authors: Brian Hengesbaugh, Michael Egan, Michael Stoker, Jerome Tomas, or Harry Valetk.


Baker McKenzie is a proud NetDiligence Platinum Level Breach Coach. Breach Coach is a trademarked term coined by NetDiligence to describe lawyers who specialize in data privacy and breach response. Click here to learn more about our data incident response credentials.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Michael advises clients across various industries, including global online businesses, pharmaceutical companies, healthcare providers, manufacturers, financial institutions, sourcing providers, retail companies, and other organizations regarding the legal aspects of global privacy and data protection, data security, information technology, and related restrictions on data collection and transfer.

Author

Jerome has extensive experience representing clients in government litigation and enforcement investigations before the SEC, DOJ, various United States Attorneys Offices and the Commodities Futures Trading Commission .

Author

Harry is a partner based in New York. He advises global organizations on privacy and data security compliance requirements. His practice is focused on delivering commercially practical advice on designing security, privacy, and technologically compliant solutions.