A Huge Software Supply Chain Attack

Privacy Plus+

Privacy, Technology and Perspective

A Huge Software Supply Chain Attack Happening Now.  This week, news broke about a massive, ongoing cyberattack affecting the United States Commerce, Treasury, Energy and Homeland Security departments, as well as the National Nuclear Security Administration (NNSA), and thousands of private companies, including the cybersecurity firm FireEye and even Microsoft.  We believe that this news deserves our undivided attention and a unified response.

Overview: Although details about the attack are still developing, the hackers appear to have used multiple attack vectors, including inserting malicious code into updates of a widely used network monitoring product, SolarWinds’ Orion Platform, so that customers installed the backdoor themselves through the vendor’s normal software update channel.  The Cybersecurity and Infrastructure Security Agency (CISA) has now determined that the compromise poses a “grave risk” to the federal government, critical infrastructure and the private sector. The nightmare scenario, of course, involves attacks on physical infrastructure, including hacker-induced blackouts and the related collateral damage, which is completely unpredictable and potentially inhumane (think of the potential consequences to food distribution, oil production and distribution, manufacturing, and hospitals; recall what happened to Ukraine, and if interested, read the following article from Wired: https://www.wired.com/story/russian-hackers-attack-ukraine/).

CISA’s alert follows:

https://us-cert.cisa.gov/ncas/alerts/aa20-352a

This alert is being updated regularly, so keep checking back. In the meantime, these headlines provide additional highlights, and links to their corresponding articles follow:

Is your company affected?  At this time, many companies do not know whether or not their systems are affected.  While the number of attack vectors remains unclear, it is clear that the hackers targeted the supply chain, and specifically targeted software provider SolarWinds and its Orion Platform.

If your organization has installed one of the affected Orion Platform updates (or uses a managed security service provider that runs the Orion Platform to monitor your organization’s networks), then your organization should assume it is affected: the backdoor is present on any system running those versions, even though, by CISA’s account, not every organization running them was singled out for follow-on activity. The following versions of the platform contain the malicious code:

  • Orion Platform 2019.4 HF5, version 2019.4.5200.9083
  • Orion Platform 2020.2 RC1, version 2020.2.100.12219
  • Orion Platform 2020.2 RC2, version 2020.2.5200.12394
  • Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432

What should your company do? If affected, follow the steps in your organization’s incident response plan, consult your legal counsel, and consult with your board. With guidance, take action to isolate and mitigate the damage – CISA has suggested specific mitigation steps in the alert above. Also, contact your insurance carrier to provide the requisite notice, and work with law enforcement to share intelligence (see the Brad Smith article above). Other steps will be included in your organization’s incident response plan.

Keep in mind: While the attack has yet to be formally attributed to Russia, the Russian foreign intelligence service, the SVR, is believed to be behind it.  Also, at this time, this looks to be a case of cyber-espionage or reconnaissance rather than cyber-warfare or sabotage, meaning that we have not yet heard of any evidence that the attackers intend to move their exploits from the digital to the physical world.  However, we have been warned about a “grave risk.” So out of caution, be prepared, and recall that the NotPetya attack in 2017 managed to cripple critical infrastructure, along with, for example, Merck’s capabilities for manufacturing its leading HPV vaccines… Vaccines are also a hot topic these days.

But for Merck, the NotPetya attack also led to a $1.3 Billion question—Namely, was the attack an act of war excluded under Merck’s insurance policies? 

Regardless, this is a major news story that simply isn’t yet getting the full attention that it deserves…

There appears to be little rest for the weary in 2020.  But Privacy Plus+ will return in 2021.  In the meantime, we hope that your holiday season is filled with light (both metaphorical and with grid intact), happiness, and health.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
