The SolarWinds supply chain attack is a significant cybersecurity attack with widespread domestic and international effects. Perhaps its most significant aspect is the breadth of those effects: the attack impacted both government and commercial organizations and will likely define future obligations and expectations for a broad array of contractors of all sizes and sectors. For that reason, it is important for government contractors to understand the nature of the incident and its impact. The following sections discuss (1) what we currently know about the attack, (2) guidelines for the incident investigation and response phase, (3) a use case of potential notification obligations triggered by an incident, (4) a framework for supply chain risk assessment and risk mitigation, and (5) information-sharing opportunities. Following these sections, we have included a checklist that may help guide contractors through each step of incident response and remediation in addressing the potential impact of the SolarWinds attack.
Background
The Attack
The malicious software (malware) used in the SolarWinds supply chain attack is known as SUNBURST.[1] SUNBURST can lie dormant and hidden while inactive, but once activated it can create "backdoors" that allow third parties to enter a software ecosystem without permission. This is significant because once a backdoor is created, the threat actors who initially planted the malware can use it to establish additional persistent access to the infected system and, from there, work to move elsewhere in the network, establish further persistence, and conduct other malicious activity, in many cases even after the malware itself has been removed.
SUNBURST was injected into the SolarWinds Orion IT management software. At present, the earliest evidence of unauthorized access to the SolarWinds code dates to September 2019.[2] Once embedded in the Orion software, the malware was pushed into enterprise ecosystems as part of otherwise legitimate SolarWinds software updates. These updates went undetected in part because the malware was so effectively hidden, and in part because the updates bore the digital indicia that usually evidence reliability (i.e., they were delivered through the legitimate SolarWinds software update process). The earliest-known corrupted update was pushed over 12 months ago, in March 2020.[3]
While the SolarWinds supply chain has been the most publicly visible component of this attack, contractors that do not use SolarWinds Orion have also...