Privacy Ninja

SolarWinds Reports $3.5 Million In Expenses From Supply-Chain Attack

SolarWinds has reported expenses of $3.5 million from last year’s supply-chain attack, including costs related to incident investigation and remediation.

Further expenses were recorded by SolarWinds after paying for legal, consulting, and other professional services related to the December hack and provided to customers for free.

Additional costs expected

While $3.5 million doesn’t seem too much compared to the aftermath of the SolarWinds supply-chain attack, the incurred expenses reported so far were recorded through December 2020, with significant additional costs being expected throughout the next financial periods.

“Costs related to the Cyber Incident that will be incurred in future periods will include increased expenses associated with ongoing and any new claims, investigations and inquiries, as well as increased expenses and capital investments related to our ‘Secure By Design’ initiatives, increased customer support activities and other related matters,” the company said.

“We expect to incur increased expenses for insurance, finance, compliance activities, and to meet increased legal and regulatory requirements.”

The overall losses after the supply-chain attack will likely be decreased by SolarWinds’ $15 million cybersecurity insurance coverage which is expected to cover a significant share of the incremental breach remediation and response expenses.

Ongoing lawsuits and investigations

The IT monitoring and management software maker also said that it is currently the subject of numerous lawsuits, investigations, and inquiries.

These include “domestic and foreign law enforcement and other governmental authorities [..] including from the Department of Justice, the Securities and Exchange Commission, and various state Attorneys General.”

SolarWinds is also being investigated for a possible breach of the European Union’s General Data Protection Regulation and various other data protection and privacy regulations.

Multiple class-action lawsuits alleging violations of federal securities laws are also pending against the company and current or former executives.

SolarWinds shared this information in its annual report to company investors and filed it with the US Securities and Exchange Commission on Monday.

Supply-chain attack impacts multiple US govt agencies

On December 14, 2020, SolarWinds disclosed that unknown threat actors breached its internal systems and injected malicious code in the Orion Software Platform source code and builds released between March 2020 and June 2020.

This was later used to distribute a backdoor tracked as Sunburst to “fewer than 18,000” customers, but, luckily, the attackers chose only a substantially lower number of targets for second-stage exploitation.

Right after the attack was disclosed, SolarWinds’ list of customers included more than 425 companies out of US Fortune 500, all top ten US telecom companies, and a long list of government agencies including the US Military, the US Pentagon, the State Department, NASA, NSA, Postal Service, NOAA, the US Department of Justice, and the Office of the President of the United States.

Multiple US government agencies confirmed that they were compromised in the SolarWinds supply-chain attack following the incident’s disclosure.

The list includes the Department of the Treasury, the National Telecommunications and Information Administration (NTIA), the Department of State, the National Institutes of Health (NIH) (part of the U.S. Department of Health), the Department of Homeland Security (DHS), the Department of Energy (DOE), and the National Nuclear Security Administration (NNSA).

The Administrative Office of the US Courts is also investigating a potential compromise of the federal courts’ case management and electronic case files system.

Microsoft, one of the high-profile vendors affected by the attacks, revealed last month that the SolarWinds hackers accessed and downloaded source code for a limited number of Azure, Intune, and Exchange components.
