On December 14th, 2020, a far-reaching hacking campaign was revealed by top U.S. government officials that has been attributed to outside nation-state actors, potentially from Russia. Targets include the U.S. departments of Defense, Homeland Security, State, Treasury, Energy and Commerce. The cyberattack extended to the private sector and may impact several thousand organizations.
What we know about the cyberattack
Initial investigation indicates that the cyberattack was executed by exploiting a vulnerability in a software product provided by IT infrastructure company SolarWinds. Threat actors were able to embed malicious code into SolarWinds’ Orion software, and that code was then delivered into the networks of Orion users through routine updates of the software.
On December 17th, the Cybersecurity & Infrastructure Security Agency (“CISA”) issued an alert titled “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations.”
Key takeaways of the CISA alert
- This was an advanced persistent threat (APT) that may have compromised networks of U.S. government agencies, critical infrastructure entities and private sector organizations as far back as March 20, 2020.
- The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
- Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
Potential impacts to victim organizations
While it is unknown exactly how many organizations fell victim to the cyberattack, it appears that the scope of the attack is widening. It has been reported that up to 18,000 SolarWinds Orion customers downloaded updates containing the malicious code that allowed hackers access to victim networks. In addition, Microsoft has indicated that over 40 of its global customers were targeted in the cyberattack, with a client base spanning the U.S., Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE.*
As of this writing, it remains unclear whether hackers actually breached any of these networks. CISA has advised that, due to the advanced nature of the cyberattack, hackers may have taken steps to erase digital evidence of an intrusion, posing challenges for IT forensic investigators.
Leveraging cyber insurance
Cyber insurance may provide assistance to organizations that believe they were victimized by the cyberattack. Many stand-alone cyber insurance policies provide access to crisis services, including breach coaches, IT forensics investigators, and several other breach response experts. Those with cyber insurance should be mindful of claim and/or incident reporting obligations, requirements to utilize pre-approved insurance panel vendors and issues that may impact evidence preservation and attorney-client privilege.
Moving forward, insureds should expect greater underwriting scrutiny that extends the focus beyond their own data security controls. Insurance applications and renewal activity will likely involve a wider underwriting lens to include more questions pertaining to the network security of key vendors. We therefore suggest implementing a robust vendor management program aimed at managing cyber risk at the vendor level.