The Austin, Texas-based SolarWinds, a major U.S. information technology firm, was recently involved in one of the largest cyberattacks to have targeted U.S. government agencies and private companies in American history. SolarWinds is a networking software company that makes IT management and monitoring software that is widely used in both the government and private sectors.
According to its website, SolarWinds has 320,000 customers in 190 countries. Some of its most notable clients include the U.S. military, the Department of Justice, the State Department, the White House, NASA, Microsoft, Procter & Gamble, McDonald’s and AT&T, among others. SolarWinds’ software is widely used by IT professionals to monitor what is happening on computer networks. It is thought that SolarWinds was targeted by hackers primarily because of its expansive customer list, which includes many governmental agencies.
It has been determined that hackers first accessed SolarWinds on September 4, 2019. The hackers managed to insert malicious code into a software update for one of SolarWinds’ software products, Orion. SolarWinds has approximately 33,000 Orion product customers and has stated that all installations and updates dating back to March 2020 contained the malicious software. According to SolarWinds, approximately 18,000 of its customers installed the update containing the malware “Sunburst,” which compromised the network it was run on. This is particularly troublesome because the hackers were able to weaponize a standard, run-of-the-mill update from a trusted source.
Once installed on a device, the Sunburst malware remains dormant for 12 to 14 days before taking any action. After that dormant period, the malware sends basic information (i.e., username, IP address, OS version) to the attacker to identify the breached organization so that the attacker can determine whether the organization’s systems and files are worth exploring further. Because most of the 18,000 organizations breached by the malware were not targets of the hackers, this was the extent of the attack for most organizations.
On December 12, 2020, SolarWinds was informed of the cyberattack by the cybersecurity firm FireEye, which discovered that the SolarWinds update had been compromised after realizing on December 8, 2020 that its own network had been hacked. A few days later, Microsoft disclosed that the hackers had viewed some of its source code but were unable to modify any source code or gain access to any of Microsoft’s products, services, or customer data.
On January 5, 2021, U.S. intelligence agencies publicly attributed the hacking operation to Russia’s Foreign Intelligence Service (SVR). As of the date of this article, Russia has continued to deny its involvement. The U.S. government appears to have been the main focus of the attack, with the State Department, Treasury Department, Commerce Department, Energy Department, Department of Justice, Department of Homeland Security, and parts of the Pentagon among the agencies confirmed to have been infiltrated. It has been determined that hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile. Dozens of email accounts at the Treasury Department were compromised, including those of the Department’s highest-ranking officials. While the complete scale of the attack remains unknown, what is known is that the Russian SVR had access to some of the U.S. government agencies most critical to our national security for up to nine (9) months. Details regarding the hack are still coming to light, and it will likely be years before the full extent of what data was accessed, and how the U.S. plans to respond to the cyberattack, is known. However, below are some highlights of the legal-related issues that have arisen so far:
- Cyber insurance vendors are expected to spend approximately $90 million on incident response services for clients who were compromised by the SolarWinds hackers. This relatively small figure, in comparison to the magnitude of the attack, is due in large part to the apparent motive of the Russian hackers – gaining and maintaining access to collect sensitive U.S. government data rather than large scale exploitation of victims.
- SolarWinds has agreed to pay its former CEO, Thompson, who was in charge during the hack, $62,500 a month for the next five months as SolarWinds faces a likely wave of lawsuits and government probes into its security protocols and actions. Sudhakar Ramakrishna was identified as Thompson’s replacement on Dec. 9, just four days before news of the hack went public. Ramakrishna took over as CEO on Jan. 1.
- Thompson and CFO Barton Kalsu were hit with their first class-action lawsuit in early December. The action accuses them of making materially false and misleading statements about SolarWinds’ security posture in SEC regulatory filings in February, May, August and November of 2020, which in part related to the company having moved much of its engineering operations to offices in the Czech Republic, Poland and Belarus. Engineers in those locations had access to the compromised Orion software. SolarWinds has disclosed that the manipulation of Orion was done by human hackers rather than by an automated program. This leaves open the big question of whether insiders were involved in the attack.
- SolarWinds’ majority owners, Silver Lake Management LLC and Thoma Bravo LLC, came under scrutiny for selling $286 million of stock just before the company announced Ramakrishna’s appointment as CEO and the cyberattack. The private equity firms disposed of more than 13 million SolarWinds shares at $21.97 per share on Dec. 7. SolarWinds stock was worth $16.03 per share as of the close of business on January 25, 2021.
PK Law’s Privacy and Cybersecurity Team will continue to follow and provide updates on the SolarWinds cyberattack. To view the most recent developments with both SUNBURST and SUPERNOVA click HERE.
Mr. Ricci is an Associate in PK Law’s Labor and Employment Group and a member of the Firm’s Privacy and Cybersecurity Team. He concentrates his practice in general litigation, commercial litigation, labor and employment and insurance defense. While in law school he served as a Research Assistant to Law Professor Michael Greenberger, at the University of Maryland Center for Health & Homeland Security. In that role he helped to develop emergency response policies for government clients and researched and analyzed emerging cybersecurity issues. In addition to his J.D. he obtained a Cybersecurity and Crisis Management Law Concentration Program Certificate from the University of Maryland Francis King Carey School of Law. He can be reached at 410-740-3146 and dricci@pklaw.com.