Last week FireEye announced publicly that it had suffered a cyber-attack by  a “highly sophisticated state-sponsored attacker utilizing novel techniques.”[1] FireEye is a leading cybersecurity firm whom provides information security services and tools, including forensic investigation services, to high profile clients worldwide. In its public disclosure of the breach, FireEye reported the threat actor specifically targeted its Red Team tools. FireEye then preemptively released the means and methods to detect those Red Team tools. In its investigation of the incident, FireEye discovered that a widely used IT service provider, SolarWinds®, had also been hacked. The threat actor infiltrated SolarWinds and then packaged a malicious trojan into a normal SolarWinds update. SolarWinds believes as many as 18,000 clients may have download the update with the malicious trojan.

On December 13, 2020, the United States Cyber Security and Infrastructure Agency (CISA) issued Emergency Directive 21-01.[2] CISA recommends that “all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.” In the Emergency Directive, CISA provides additional suggested remediation steps. In light of the widespread use of SolarWinds products and services, which impacts entities beyond federal agencies, entities should also consider whether the CISA Emergency Directive also applies to their environment.

The Washington Post has reported that the Russian hacking group called “APT29” or “Cozy Bear” had carried out this attack and that APT29 has also breached the Treasure and Commerce Departments, along with other US government agencies. This blog has discussed APT29’s previous cyberattacks here.  The Firewall has analyzed APTs—advanced persistent threats—in depth here, here, and here.

For more information regarding this article, please contact Richard Halm.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.


As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.

[1] https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

[2] https://cyber.dhs.gov/ed/21-01/