Roughly two weeks apart, on July 21, 2022 and August 5, 2022, respectively, Amazon made headlines for agreeing to acquire One Medical, “a human-centered and technology-powered primary care organization,” for approximately $3.9 billion and iRobot, a global consumer robot company, known for its creation of the Roomba vacuum,

As reported last week, it appears that a state-sponsored security hack has resulted in a major security compromise in widely-used software offered by a company called SolarWinds. The compromised software, known as Orion, is enterprise network management software that helps organizations manage their networks, servers and networked devices. The software is widely-used by both public and private sector companies.

The exposure, in the form of “spyware” inserted into one or more updates to Orion, is significant. According to an alert issued by the Cybersecurity and Infrastructure Security Agency (“CISA”), it is common for network administrators to configure Orion with pervasive privileges, which would allow it to bypass firewalls and other security measures, thus making it an enviable target for hackers. CISA categorized the SolarWinds attack as presenting a “grave risk” to government agencies and private entities.

The attack had been ongoing and undetected since perhaps March 2020 (or earlier, and certainly planned out for years). SolarWinds’s SEC filings last week estimated that about 18,000 of its customers may have downloaded the malware-laden software update for Orion.  However, the number of organizations impacted may be even higher.  Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers.  And as a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.

It is important to note, however, that even though a business may have the malicious code integrated into their network, they may not yet have suffered an actual breach or intrusion.  “Luckily,” this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to invoke their ability to invade every impacted network in all potentially impacted cases.

While we are far from learning all of the various ways in which this backdoor was exploited, early anecdotal evidence suggests that these attackers were very interested in pivoting into other systems, including cloud-based systems, such as Office 365, that may not have any direct connection to a SolarWinds installation.  While the disabling of the so-called Orion “Sunburst backdoor” and the confiscation of the original domain name that was receiving communications from the attacker should stop further data loss from the initial entry point, it will not stop further incidents if the attacker has already established persistent access within the network. Thus, it is important to note merely because an affected organization may have closed the initial vulnerability, it should not declare itself as contained too quickly as the hackers may have surreptitiously achieved persistent access beyond the Orion entry point.

There are two sobering consequences from this recognition.  First, if an organization determines that it installed the corrupted version of Orion, an organization’s investigation may need to be very broad in nature.  Second, organizations may need to consider whether previous breaches that were resolved this year might, in fact, have had something to do with this issue that was undiscovered at the time of detection.  Accordingly, it may be necessary to revisit prior incidents thought long resolved.

With the spread of the novel coronavirus (COVID-19), many organizations are requiring or permitting employees to work remotely.  This post is intended to remind employers and employees that in the haste to implement widespread work-from-home strategies, data security concerns cannot be forgotten.

Employers and employees alike should remain vigilant of increased cybersecurity threats, some of which specifically target remote access strategies.  Unfortunately, as noted in a prior blog post, cybercriminals will not be curtailing their efforts to access valuable data during the outbreak, and in fact, will likely take advantage of some of the confusion and communication issues that might arise under the circumstances to perpetrate their schemes.

Employees working from home may be accessing or transmitting company trade secrets as well as personal information of individuals. Inappropriate exposure of either type of data can lead to significant adverse consequences for a company.  Exposure of trade secrets or confidential business information can potentially cause significant business damage or loss. Exposure of personal information can potentially trigger state or federal data breach notification laws, and result in significant liabilities for a company as well as expanded identity theft issues for individuals.  The threat is not only an online concern – physical security is at issue as well. Unauthorized access to printed copies of sensitive documents could lead to additional exposures.