My father asked me last night: “So, what’s happening with this big cyberattack?” At first, I was annoyed (Christmas is the Ironman of motherhood) and thought, “read the news, Dad.” Then, I realized that without the privilege of working with super-smart cybersecurity professionals, I might not understand.
Part of any attorney’s job is to translate the complicated into the understandable. While the legal thought process begins with breaking down every scenario into its finest details, it ends with explanations and solutions in plain English.
For non-cybersecurity readers, here is a synopsis of what is happening, in English, and why it is so terrifying:
Sometime around December 12, 2020, a cybersecurity company called FireEye realized that it was hacked. FireEye investigated the source of the security breach and realized that it came from a software called SolarWinds. FireEye notified SolarWinds, a publicly traded software company, as well as law enforcement. SolarWinds makes IT management software, which is widely used by the federal government, Fortune 100s-500s, major telecommunication providers, government contractors, research institutions – etc. The client list of SolarWinds is in the tens of thousands. A sample customer list is below:
IT Management software means that the software controls your computer network for you for ease and consistency. SolarWinds is also the only company that makes software able to control an “Active Directory” as an “Access Rights Manager” for Windows servers. This means that SolarWinds possesses the Superman of privileges and abilities to work inside of a computer network for the purpose of watching for signs of hackers; all while making sure that your email is working, printers and phones are connected, and files are accessible.
Unfortunately, the flip side of such powers is that if a hacker were to access them, it would be nearly impossible to know because the hackers would have ultimate control. It would be like trying to find a mole in a police unit and hiring the mole to find the mole (Examples: The Departed, the Robert Hanssen story). That is exactly what happened here.
The hackers got into SolarWinds through what is called a Supply-Chain attack, which occurs when an attacker goes after the weakest link in a supply chain and then climbs the chain until reaches the highest source of power. In the instant matter, the hackers deployed their malware through a software update on SolarWinds’ own servers to ensure it was pushed out to all SolarWinds clients using that particular software (namely, Orion). The hackers got into the SolarWinds servers through a weak password: “solarwinds123.”
Authorities and professionals believe the hack started in March 2020 before being detected this month. Therefore, for the last nine months, the hackers had the ability to alter and delete files/documents, change profile settings, install network and computer updates, access emails and calendar appointments, and hide all traces of their activity. In short, the ability to know the extent of the damage is minimal – at best. Because FireEye was also breached, the hackers stole defensive tactics used by sophisticated cybersecurity firms to prevent breaches and defeat malware strains.
It also now appears that SolarWinds was not the only software manufacturer impacted – maybe VMware and Cisco as well. Indeed, Microsoft confirmed its impact earlier this week. Perhaps the most frightening aspect of this event is that the scope and extent of damage is unknown. Fusion centers and cybersecurity analysts across the globe are rushing to decrypt lists of actively exploited entities recently released on the dark web in code, while simultaneously responding to cyber incidents. And as for who is responsible for hack, the lead suspect remains an organized Russia-based hacking group called “Cozy Bear” or APT-29, which is believed to be affiliated with the Russian government.
In short, a Russian hacking mob/Russian government now potentially (likely) has all Department of Defense and private industry defense contractor emails, intelligence, and timelines – and may have even sabotaged the same. That said, trust in the professionals appointed to protect critical infrastructure and remain vigilant for changes in your own networks – whether you work in small business, large-scale government contracting, or local government. The best way to stay informed to is to join your industry’s ISAC and read alerts from the Cybersecurity and Infrastructure Security Agency and state Fusion Centers.
The Cybersecurity Information Sharing Act of 2015 provides substantial legal protections for private and public entities that disclose indicators of compromise with certain law enforcement agencies (DHS/DOJ), including regulatory backlash, protection of federal attorney-client privilege (Louisiana residents also keep their state legal privileges – you’re welcome), and statutory immunity from liability that results from sharing such information under the Act. In other words, contact law enforcement – FireEye did.