SolarWinds Attack Spurring Additional Federal InvestigationsLawmakers Want Answers On DOJ Breach; SEC Reportedly Probing Companies
Nine months after the discovery of a supply chain attack that targeted SolarWinds and customers that used the company's Orion network monitoring tool, the incident continues to spur federal investigations into what happened, according to published reports and congressional lawmakers.
On Wednesday, a bipartisan group of lawmakers representing Florida sent a letter to U.S. Attorney General Merrick Garland demanding answers about a breach of Microsoft Office 365 email accounts at multiple Department of Justice offices throughout the country. The department was one of nine federal agencies targeted by the SolarWinds attackers (see: SolarWinds Attackers Accessed US Attorneys' Office Emails).
On Friday, Reuters published a report detailing how the U.S. Securities and Exchange Commission has started asking publicly traded companies that were targeted in the attack for information about whether they were breached.
The SEC inquiry is focused on the companies that downloaded a Trojanized update to the Orion product that later helped install a backdoor - dubbed Sunburst - onto their networks that the attackers could exploit. This investigation is likely to reveal incidents related to the SolarWinds attack as well as some additional breaches that might have not been reported, according to Reuters.
Some of the publicly traded companies swept up in the attack included Microsoft, Cisco, Intel and security firm FireEye, which first alerted others to the incident in December 2020 after its own internal network was targeted (see: The Case for 'Zero Trust' Approach After SolarWinds Attack).
An SEC spokesperson could not be immediately reached for comment on Friday about the reported investigation. A Cisco spokesperson, however, acknowledged the investigation and said that the company is cooperating.
"We can confirm that Cisco, along with other companies, received a request for voluntary cooperation from the SEC. We can further confirm that we have responded to the SEC's request," the Cisco spokesperson tells Information Security Media Group.
SEC and SolarWinds
The initial investigations into the incident found that the supply chain attack that originally targeted SolarWinds led to follow-on attacks that affected about 100 companies and at least nine federal agencies, including the U.S. Justice, Treasury, Commerce, State, Energy and Homeland Security departments.
In April, the Biden administration formally attributed the attacks to a group working for the Russian Foreign Intelligence Service, or SVR. And while the White House announced sanctions against the Russian government and several entities and individuals who were allegedly involved in the cyberespionage campaign, what data and information the attackers were looking for remains publicly unknown (see: US Sanctions Russia Over SolarWinds Attack, Election Meddling).
The SEC's is one of several federal investigations looking at the SolarWinds attack. In 2018, the commission updated its guidelines on what data publicly traded companies needed to disclose in the event of a breach. Reuters reported that companies are being voluntarily asked for information related to SolarWinds for now, and would not be punished for disclosing details.
Right now, the SEC investigation appears fairly broad and could reveal other cyber incidents involving these companies, including past data breaches and ransomware attacks, says Austin Berglas, who formerly was an assistant special agent in charge of cyber investigations at the FBI's New York office.
"This [inquiry] could potentially include forensic and investigative reports of past, unreported incidents and could bring the topic of attorney privilege into play," says Berglas, who is now global head of professional services at cybersecurity firm BlueVoyant. "If there is no evidence of [personally identifiable information] exposure, organizations are not mandated to disclose the incident. However, not all investigations are black-and-white. Sometimes evidence is destroyed, unavailable or corrupted, and confirmation of the exposure of sensitive information may not be obtainable upon forensic analysis."
While some companies will err on the side of caution and publish data related to breaches, others might not, and Berglas says the SEC might be probing to see which companies are following federal or state laws when it comes to disclosures.
"It is possible that the SEC is starting to look for organizations who failed to properly notify under one of the states' mandatory notification laws," Berglas says.
Earlier this month, Autodesk, a California-based design software and 3D technology firm, published a report with the SEC that acknowledged that it was targeted by the group that carried out the supply chain attack against SolarWinds. The company did note, however, that none of its customers or data appear to have been compromised (see: Autodesk Says Company Was Targeted by SolarWinds Attackers).
In July, the Justice Department released additional information about its own breach at the hands of the SolarWinds attackers and found that the group compromised at least one email account at each of 27 U.S. attorneys' offices in 15 states and Washington, D.C., throughout 2020.
These intrusions targeted the Microsoft Office 365 accounts belonging to department employees. The attackers were able to access all email communications as well as message attachments, according to the Justice Department.
The compromised email accounts included three U.S. attorneys' offices in Florida, and U.S. Sen. Marco Rubio, R-Fla., is now leading a bipartisan delegation of the state's federally elected officials to ask for additional information for the attorney general about the incident.
"The wide-ranging SolarWinds breach exposed that even the highest levels of the federal government are at risk for cyberattacks," the letter says.
The lawmakers are asking the attorney general, by Oct. 1, to answer several questions, including: What sensitive information may have been compromised? Was data about witnesses, victims or national security issues compromised? And what steps has the Justice Department taken to fix any vulnerabilities that the attackers exploited?