An Executive’s Cyber Leadership Perspective: The SEC filing of the SolarWinds Cyberattack and its Potential Impact of 33,000 Client Organizations.

A review of the December 14, 2020 SolarWinds SEC filing regarding this nation state cyberattack states it has over 300,000 customers.  This cyberattack exposed up to 33,000 Orion product customers which were active maintenance customers which may have received the trojanized updates. 

Based on their initial cybersecurity investigation by 3^rd party cybersecurity experts, SolarWinds believes approximately 18,000 customers were impacted by this cyberattack during March and June 2020.  On December 13, 2020 SolarWinds provided a communication to their potentially impacted 33,000 customers regarding this cyberattack. 

In its SEC filing, SolarWinds notes it uses Microsoft Office 365 and was made aware of an attack vector used by a cyber threat actor to compromise SolarWinds emails which may have provided access to other SolarWinds organizational data.  It is not clear in this SEC filing whether this is the same nation state actor or a separate cyber threat actor which has compromised the SolarWinds environment.

SolarWinds notes in this SEC filing it is working with Microsoft and "has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system." 

It must be noted this SEC filing is reporting an initial cybersecurity forensic investigation and most cybersecurity forensic investigations of this sophistication can take months to complete to determine the full scope and impact of a nation state cyberattack.

This sophisticated cyberattack has multiple and significant impacts which may require your organization, if impacted by this cyberattack, to conduct a threat hunt assessment of your entire organization’s environment.  A threat hunt assessment is an active/proactive cyber defense assessment which searches for evidence of a cyber threat actor’s unauthorized activity within your organization’s environment.

For example, if your organization is one of the 18,000 organizations SolarWinds believes to have been impacted and your organization provides 3^rd party services to client organizations, your executive team should consider engaging an independent 3^rd party cybersecurity provider to conduct a threat hunt assessment of your entire system to determine the potential reach and potential unauthorized access to your organization’s and your client’s data by this nation state actor.

This executive-level governance and due diligence is required in today’s digital environment to ensure this nation state actor did not compromise your organization’s environment and/or target any one of your clients and their data.

If you are an executive or corporate director of any one of these 18,000 customers impacted by this nation state cyberattack, there are a list of questions to consider asking your organization’s CIO/CISO/CSO and their cybersecurity team in the “An Executive’s Cyber Leadership Perspective” section of my December 14, 2020 article titled, ”The Cyberattack by a Sophisticated Nation State Actor” which is appended below.

The Cyberattack by a Sophisticated Nation State Actor (December 14, 2020)

On December 13, 2020, DHS CISA and media outlets reported a highly sophisticated nation state cyber threat actor had conducted a supply chain attack which compromised the SolarWinds Orion Platform software versions released between March 2020 and June 2020. 

This cyberattack reportedly trojanized SolarWinds Orion business software updates in order to distribute malware which FireEye has called “SUNBURST.” FireEye currently assesses this cyberattack campaign may have begun as early as Spring 2020.

According to FireEye, the malware allows this nation state actor to stay dormant for up to two weeks after compromise.  After the dormant period, the malware executes commands which include the “ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.”  In addition, the malware backdoor uses multiple blocklists to identify forensic and anti-virus tools running in the organization’s IT enterprise.  Once this nation state actor obtains initial access, it moves laterally and acquires legitimate credentials and remote access to the victim environment which allows the cyber threat actor to blend in as an authorized network user.

FireEye has provided signatures and other threat intelligence to assist possible victim organizations.  This information is posted on the FireEye public GitHub page located at https://github.com/fireeye/sunburst_countermeasures. CISA has also issued an emergency directive to federal agencies.

Impact of This Nation State Cyberattack

According to the SolarWinds website, SolarWinds identifies the following organizations as some of its customers:

• Over 425 of the U.S. Fortune 500 organizations
• All 10 of the top 10 U.S. telecommunications companies
• All five branches of the U.S. Military
• The Office of the President of the U.S., the Pentagon, the U.S. State Department, NASA, NSA, U.S. Postal Service, U.S. Department of Justice
• All five of the top 5 Accounting firms
• Hundreds of universities and colleges around the world

This sophisticated nation state cyberattack has probably impacted (at a minimum) the following U.S. critical infrastructures:

1. Communications Sector
2. Defense Industrial Base Sector
3. Emergency Services Sector
4. Government Facilities Sector
5. Information Technology Sector

The remaining critical sectors may be impacted because they may rely on 3^rd party services provided by SolarWinds customers.  These critical infrastructure sectors include:

1. Chemical Sector
2. Commercial Facilities Sector
3. Critical Manufacturing Sector
4. Dams Sector
5. Energy Sector
6. Financial Services Sector
7. Food and Agriculture Sector
8. Healthcare and Public Health Sector
9. Nuclear Reactors, Materials, and Waste Sector
10. Transportation Systems Sector
11. Water and Wastewater Systems Sector

An Executive’s Cyber Leadership Perspective

This sophisticated nation state cyberattack is a useful example of the multiple and potential impacts of a supply chain cyberattack to both private and public sector organizations across U.S. critical infrastructure sectors.

Executives or corporate directors should consider the following questions to guide them regarding enterprise wide cybersecurity for their organization:

1. Does the organization use the SolarWinds Orion Platform?
2. If the response is yes, has the organization’s cybersecurity team obtained all cyber threat intelligence (including signatures, etc.) and reviewed the entire IT infrastructure for potential compromise by this cyberattack?
3. If there are indicators of compromise found in the organization’s IT infrastructure:
   • What is the cybersecurity team’s response to this cyberattack; how has this cyberattack been mitigated, and what organizational data and services have been compromised by this cyber threat actor?
   • Has a 3^rd party incident responder been engaged and if so, what is the status of this 3^rd party incident responder’s response, mitigation, recovery, and reporting?
   • Has the cybersecurity team engaged CISA to assist in the mitigation of this cyberattack?

4. If no indicators of potential compromise has been found in the organization’s IT infrastructure but the organization has engaged the services of the top 10 telecommunication providers and/or the top 5 accounting providers, consider the following questions:
   • What has the telecommunications provider/accounting firm done to determine if their organization has been compromised by this cyber threat actor?
   • If the telecommunications provider/accounting firm has been compromised by this cyber threat actor, was any of the organization’s data accessed by the cyber threat actor?
   • What has been done to respond, mitigate, recover, and ensure full visibility to any telecommunication provider/accounting firm client organization whose data may have been compromised by this cyber threat actor?

5. Lessons learned. The organization’s senior executive team and board of directors should request an after-action report regarding the impact of this cyberattack on the organization to identify any gaps, weaknesses, and lessons learned due to this cyberattack. In addition, these identified gaps, weaknesses, and lessons learned may require strategic resources to be authorized by the senior executive team and board of directors to provide the CIO/CISO/CSO and their cybersecurity team with the appropriate resources to continuously mature the organization’s cybersecurity risk management program and overall cybersecurity posture.

Today’s cybersecurity leadership responsibilities for executives and corporate directors are challenging.  This supply chain attack is an example of how these enterprise risk responsibilities can change overnight with significant consequences to the organization and the business community.  Executives and corporate directors need to stay cyber savvy and continuously engaged with their executive team responsible for enterprise wide cybersecurity.

The following are links to the above referenced reports:

1. FireEye Threat Research on supply chain attack trojanizing SolarWinds Orion business software updates (December 13, 2020) https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
2. SolarWinds Security Advisory link https://www.solarwinds.com/securityadvisory
3. CISA Advisory “Active Exploitation of SolarWinds Software (December 13, 2020) https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
4. SolarWinds Corporation Form 8-K “Other Events” Filing dated December 14, 2020 https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm