February 26, 2021

Volume XI, Number 57



Cyberattack on SolarWinds Product Victimizes Public and Private Sector Targets

Earlier this week, Texas-based IT software vendor SolarWinds issued a critical security advisory, acknowledging that a “highly sophisticated” hacker had inserted a vulnerability in an updated version of SolarWinds’ Orion product that was released to customers between March 2020 and June 2020. “If present and activated, the vulnerability could allow an attacker to compromise the server on which the Orion products run,” the advisory noted.

While the full scope of the intrusion remains unclear, the New York Times and Washington Post have reported that the attack appears to have been carried out by a Russian foreign intelligence services agency colloquially known as “Cozy Bear” or “APT29.” The attack appears to have occurred through the insertion of malicious code into Orion product updates. This allowed the threat actors to gain access to and control highly privileged network accounts.

In a filing with the U.S. Securities and Exchange Commission, SolarWinds stated that it had notified approximately 33,000 of its 300,000 worldwide customers about the attack, but that the company believes the actual number of affected customers to be fewer than 18,000. Notifications to the 33,000 customers included containment and mitigation steps, such as a hotfix update to address the vulnerability, and SolarWinds has since updated its security advisory to provide additional measures organizations can implement to secure their systems.

According to a page that has now been taken down on SolarWinds’ website, the company’s clients include all five branches of the U.S. Military, more than 400 of the U.S. Fortune 500, and the top 10 U.S. telecommunication companies. Known victims of the attack include prominent cybersecurity firm FireEye and several federal agencies, including the Department of Homeland Security, the Treasury Department, and the Department of Commerce.

As federal agencies and companies scramble to determine whether they were impacted by the attack, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a rare emergency directive on December 13, 2020, in response to the attack. The directive — which is only the fifth directive in CISA’s history — calls on federal civilian agencies to review their networks and disconnect or power down versions 2019.4 through 2020.2.1 HF1 of the Orion product from their network. FireEye similarly published an alert with measures organizations can take to determine whether they were impacted by this attack.

SolarWinds has advised customers using the Orion product to immediately take certain steps if they believe they have been impacted by the attack, including:

  • Upgrade to Orion Platform version 2020.2.1 HF 2

  • If a company is using Orion Platform v2019.4 HF 5, upgrade to 2019.4 HF 6

Other steps that SolarWinds customers can take to contain and remediate the attack include:

  • Isolate and block all traffic to any portions of your network where Orion software is installed

  • Immediately remove any anti-virus software exemptions for Orion software and run a deep scan on your network

  • Attempt to identify, isolate and remove any possible threat-actor-controlled accounts

  • Continue to carefully monitor potentially affected networks for suspicious activities

  • Monitor and review any new or updated advisories — including those from SolarWinds, FireEye and relevant U.S. government agencies like CISA — about how the attack was initiated and remediation efforts

  • Work closely with your IT, security and legal departments to ensure they are prepared to act quickly if your network is potentially impacted

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. National Law Review, Volume X, Number 352



About this Author

Amy Grewal Dunn Litigation Attorney Faegre Drinker Biddle & Reath Indianapolis, IN

Amy Grewal Dunn resolves disputes and guides clients through the litigation process in state and federal courts and arbitration forums. She represents clients in commercial litigation, product liability litigation, insurance litigation and consumer litigation. She also advises clients on data privacy and cybersecurity issues and assists clients in responding to data breach incidents.

Amy also collaborates with companies in the health care and life sciences industry to navigate legal and compliance challenges and develop promotional and educational materials for prescription drug...


Jason G. Weiss is an attorney and award-winning law enforcement and cybersecurity professional who served with distinction for over two decades at the Federal Bureau of Investigation. He is Counsel in Drinker, Biddle and Reath’s Information Governance and E-Discovery group, where his practice focuses on cybersecurity incident preparedness and response, compliance with CCPA and other information governance laws and requirements, as well as data analytics, investigations, and e-discovery.

Prior to joining Drinker Biddle, he was most recently a Supervisory Special...

Peter Baldwin, Securities lawyer, Drinker Biddle

Peter W. Baldwin, a former federal prosecutor, defends clients facing white-collar criminal and internal investigations, securities enforcement actions, cybersecurity issues, and other complex civil and criminal litigation matters. Prior to joining Drinker Biddle, Pete spent over eight years as an Assistant United States Attorney in the U.S. Attorney’s Offices for the Eastern District of New York and Central District of California. In this role, he supervised all aspects of criminal investigation and prosecution, first as a member of the Major Frauds Section in the Central...
